The Metaverse and Cyber Security: What's the Catch?

What is the Metaverse?

The metaverse can be defined as a virtual environment in which people connect, interact and shop. The name for this convergence of the digital and physical worlds stems from the Greek meta, meaning beyond or after, and verse, short for universe.

There are two main forms of the metaverse, virtual reality and augmented reality.

Virtual reality provides an artificial reality via a VR headset. It takes over the user's field of vision to provide an immersive experience. Other forms of immersive experiences include audio and positional tracking of the body to enable movement of body parts, such as the hands, to interact with the virtual environment.

Augmented reality (AR) is less immersive than VR. It adds virtual overlays on top of the real world via a lens of some type. Users still have a normal view of their surroundings. AR examples include a smartphone using the Waze app or a wearable such as Microsoft's HoloLens. The host can see a user's location and can guess their intentions.

Common Cyber Security Metaverse Challenges

Here are some of the common security challenges that exist in these two metaverse universes:

  • Privacy. No metaverse regulations exist, and the need for data collection for a truly personalized immersive experience requires privacy invasion. Users typically have no knowledge of the level of data they are providing. In a study by UC Berkeley [1], researchers demonstrated how a VR game could collect in just a few minutes “over 25 personal data attributes” such as height, wingspan, age, gender, physical fitness, room size, geolocation, language, ethnicity, etc. Unlike GDPR and other regulations, which have regional sovereignty requirements, virtual experiences have no borders, and therefore, ensuring privacy is at the mercy of the platform owner and the property owners.

  • Identity. Metaverse users' identities can be spoofed, their accounts can get hacked and their avatars can be taken over. A common challenge is that the identity of the person a metaverse user is dealing with is always questionable.

  • Client vulnerabilities. VR and AR headsets are heavy-duty machines with a lot of software and memory. They are also ripe targets for malicious and inadvertent hacks. Additionally, location spoofing and device manipulation enable perpetrators to take over users' identities and cause havoc after entering the metaverse.

  • User-to-user communications. Because the metaverse experience is all about facilitating user-to-user communications, trust and commerce are how these relationships are built. One bad actor can cause tremendous damage. The need for moderation at scale is critical and must be addressed.

  • Data accuracy. Location, merchandise quality, reviews, user information and third-party trusted data are anchored around accuracy. Ensuring accuracy can be difficult.

  • Moderation challenges. No help or support access exists in most of the metaverses. Nonfungible token theft, for example, can leave a user without support.

Unique VR and AR security challenges

  • Reliance. Because a metaverse product or platform is controlled by its owner, all of its users are completely reliant on that owner. For instance, early adopter enterprises that chose to use Second Life had to rely on that platform completely for security, identity protection, privacy and even financial transactions.

  • Responsibility. The property a user buys or rents in a VR environment creates many security and privacy challenges that need resolution. Who is allowed into or blocked from the property? Does the property owner have the right to decide who can and cannot enter? What happens inside these properties? Could financial or illegal transactions occur inside?

  • Authentication. Knowing an entity is who they say they are is challenging. How do you prove the person you are engaging with is who they claim to be? Take telemedicine, for example. How does a patient know the person they interact with is a medical professional? How can a property owner qualify the credentials of a doctor before allowing them to practice?

  • Accountability. If fraud, harassment or other forms of abuse occur, is the owner of the VR environment accountable?

VR security challenges

  • Privileged accounts and hacking. The takeover of customer support or admin accounts could result in major compromise of a VR environment, which, if undetected, could harm many users.

  • No regulations exist for VR environments yet. Given the VR platform owner's invasive data collection and analysis, and the fact that a lot of data is constantly being shared without the VR user's knowledge, regulations will come, but only down the line. For now, the protection or sharing of this data is completely at the discretion of the platform owner.

  • Access point compromise. Because the entry into the VR metaverse is typically through a headset, the compromise of the headset endpoint could result in complete takeover of that user's avatar.

  • Spying. Avatars can change appearance, meaning that meetings, personal chats and other interactions are subject to spying and intrusion without the affected parties' knowledge.

AR security challenges

  • Data integrity. AR involves overlaying third-party data, so any compromise in the integrity of data could present a major challenge. If a location app that has been overlaid onto a headset uses flawed location data, for example, it could result in incorrect directions given to the user.

  • Physical security. Users typically move around in the real world with an AR overlay, making physical security a concern. If users get too immersed in the virtual world, they could bring harm to themselves or those around them.

Conclusion

There’s a lot of disagreement about what the metaverse means for the future of our lives. But one thing is clear: the metaverse is new and largely unregulated by what we could consider normal laws, and the cyber threats of today’s world will probably continue to exist in the age of the Metaverse. We are also certain that new threats will arise. As mentioned before, the Metaverse works by connecting many technologies, which increases data sharing like never before. That alone is enough to say that there will be a massive increase in attack surface.

Another handicap is the necessity of having wearable hardware to experience the Metaverse. With this hardware, it can be much easier to capture sensitive data. Violations can escalate as wearables become available on the second-hand market.

It’s clear these concerns add up to a tall order. However, the first company to tackle such issues will reap the competitive benefits of a first-mover advantage, including huge financial, reputational and strategic rewards.

1. Nair, Vivek; Garrido, Gonzalo; Song, Dawn (2022). Exploring the Unprecedented Privacy Risks of the Metaverse. arXiv:2207.13176.