Cyber in the metaverse era

by Mark Rowe

The threat landscape is evolving as metaverse technology emerges, says Rick McElroy, Principal Cybersecurity Strategist at VMware, a cloud computing company.

The metaverse is under debate as potential users weigh up its risk versus reward. Since its inception, the 3D virtual world has garnered much curiosity, with McKinsey confirming that more than $120 billion was invested in building out metaverse technology and infrastructure in the first five months of 2022. Discussions of extraordinary use cases that could scale up, from teaching virtualised university lectures to performing surgeries for patients in other countries – plus the potential cost saving and accessibility benefits – have received a lot of attention. But while it is still early days before we see widespread adoption of the metaverse, the security community is already flagging warnings of the emerging security risks.

Opportunistic adversaries will capitalise on the growing attack surface that the metaverse opens up via social media, streaming services and online gaming, and benefit from the mistakes made in the technology’s development. Instances of deepfake attacks in the current version of our digital world are already mounting, whereby advances in artificial intelligence are used to digitally alter and mimic a person’s voice or appearance with ill intent. 66pc of respondents in our Global Incident Response Threat Report saw malicious deepfakes used as part of an attack last year (up 13pc), with the majority (58pc) witnessing deepfake attacks taking the form of video. However, more worrying is the fact that new platforms are increasingly being targeted, including third-party meeting applications (31pc) and business collaboration tools (27pc). Could we soon see a similar cadence of scams inside the metaverse’s virtual reality?

Assuming the metaverse takes off in a big way, organisations will need to be considered in how they deliver this nascent technology. Exploring how tools and authentication techniques can be used and integrated will be essential for those seeking to safeguard and shepherd the virtual world.

Transferable cybercrime

It is becoming more apparent that existing types of cybercrime could spread to the metaverse. What a lot of adopters do not realise is that new metaverse technology is being built upon old technology, like Linux servers, in which security is not intrinsically built in and vulnerabilities are deep-rooted. Europol Innovation Lab has warned that cyberattacks, like misuse of stolen identity to commit fraud and even abuse other users (or avatars), could be replicated in the metaverse. In the context of virtual reality authentication, sophisticated eye tracking, face tracking and motion haptics could be used to record a user’s interactions with the device. How will we be able to tell that the friend or colleague we’re interacting with is really who they say they are? Eventually, the platform could become a magnet for ransomware and money laundering, with cryptocurrencies in active use and more platform-specific currencies expected to materialise.

Continuing to rely on passwords as the primary form of authentication in the virtual world would be a recipe for these breaches to breed. Organisations involved in its build out or use will need to show thoughtfulness towards the controls in place to identify users and deploy watertight authentication.

Zero trust in the virtual world

One-time authentication simply would not work in the metaverse; it needs to be viewed as a lived space, not as a single-use service. Instead, a system of continued authentication leveraging different factors, such as biometrics, and closely monitoring user behaviour will be critical to alleviating some security concerns while providing a seamless experience in the metaverse. The same principles of zero trust security we’ve become accustomed to in the ‘real world’, namely the belief that implicit trust is always a vulnerability and we must always verify devices and users, need to be replicated in the metaverse. Indeed, it is a delicate balancing act, as continual authentication, which constantly collects user data to verify that users are who they claim to be, may be deemed invasive by some. But with the tonnes of data that will be collected to produce a personalised and realistic user experience in the metaverse, there is an urgent need for the security of the authentication process to be improved. Continuous digital authentication of a device, and the identity of the human using the device, provides that additional layer of security to the logging-in process and helps to detect anomalies in the form of mimicry.

Beyond the security challenges in the technology itself, safety in the metaverse must also encompass the safety of individuals in that space. Any nefarious activities humans can do in this world can be recreated by them in the metaverse. Whether regulation is decentralised or enforced by the government, action must be taken. Otherwise, we may end up with fragmented versions of the metaverse, each existing within its own walled garden of regulation and security policies.

But before new cyber security strategies can be developed, existing defences for technologies vital to the metaverse, such as 5G, IoT, blockchain and artificial intelligence, need to be fortified. Only then can we ensure a solid foundation for this new virtual realm.

Bolstering our metaverse hygiene

While the metaverse remains on the fringes of how we use the internet currently, there is optimism that it will introduce new ways of interacting and whole new virtual worlds to live in. With the potential to transform our lives, however, comes a new and attractive opportunity for threat actors. Existing vulnerabilities, inherited by building this new frontier on legacy technology, could be exploited in the professional and personal spheres in order to profit or cause harm to others. To tackle the cyber risk, a harmonious network of continuous digital authentication, zero trust and thoughtful means of data collection will need to be adopted as the standard operating procedures.


© 2024 Professional Security Magazine. All rights reserved.
