24 August 2022

Cybersecurity in the metaverse: Part 3


In previous editions of The Insider, we have put the metaverse under the microscope and analysed how the new and innovative web 3.0 initiative is changing the cybersecurity industry forever. And, as the metaverse has continued to exponentially grow and be adopted, we are seeing more cyber vulnerabilities pop up. 

In today’s article, we will be breaking down more metaverse cybersecurity vulnerabilities that you and your employees need to be aware of, especially considering the voracity with which companies are subscribing to the metaverse model.

The metaverse is quickly becoming the next must-have concept within enterprises to improve engagement and UX for employees, customers, and partners. And, while the metaverse is not here just yet, that does not mean companies cannot consider the security challenges it will bring. 


The metaverse begins to take shape! 

Whilst the initial idea of the metaverse posited one in which online users log into an entirely digital world, the true metaverse is one that is rooted in both the physical and the digital world.

We have the metaverse that depends on a virtual reality simulated through a VR headset, taking over the user's field of vision to provide an immersive experience. And now we have augmented reality being used in conjunction with VR to provide virtual overlays on top of real world items/people.  

In this instance, users retain a physical view of their surroundings but have augmented graphics or interfaces interacting with the real world … this brings with it some new attack vectors and cyber vulnerabilities.


New metaverse cybersecurity challenges 

  • Security Moderation: At this moment in time, not one metaverse provider has implemented help or support access for the metaverse platform. If you were operating on an established platform, say a social network, there are protocols and security measures put in place to keep your account and your presence safe on the platform. The metaverse, although a massively booming industry, has yet to truly take security and privacy seriously as it forges ahead with buy-in tactics for both the public and the corporate world. Security, therefore, becomes a secondary or tertiary focus, which has a domino effect on the cybersecurity of the metaverse.   
  • Identity issues remain: Metaverse users' identities can still be spoofed, their accounts can still be hacked, and their virtual avatars can still be co-opted by nefarious characters to gain access to virtual locations that should otherwise be locked to them. It is still difficult to be 100% certain of, or truly verify, the real-world identity of someone you are talking to in the metaverse. Recent advice points to 2FA measures and phishing training as the best way to prevent metaverse identities from being spoofed.
  • Hardware vulnerabilities: A common security aspect of the metaverse that gets overlooked is hardware vulnerabilities. This is a massive new potential attack surface for cyber attackers and cannot be an afterthought. VR and AR headsets are heavy-duty machines with a lot of software and memory. They are ripe targets for malicious hackers who can target an individual with location spoofing and device manipulation. Both these cyberattacks can cause financial and security damage. Therefore, it becomes paramount that advice is given on keeping hardware up to date and regularly refreshed. 
  • Still waiting for official regulations: In our last deep dive into the metaverse, we mentioned that the platform remains a ‘wild west’ web 3.0 adventure. Laws and regulations were needed and needed fast. Unfortunately, official metaverse providers clearly do not feel the same way. At publication, no official metaverse regulations have been presented nor adopted platform wide. This is particularly worrying considering the enormous amount of data collection happening in the metaverse for a truly personalised immersive experience. Metaverse users typically have no knowledge of the level of data they are providing. And, unlike GDPR and other regulations, which have regional requirements, virtual experiences still have no borders. Ensuring privacy and security falls to the platform user rather than the platform creators. 
  • Authentication: Whilst identity spoofing is an issue, authentication in professional environments is just as important. How do you prove the person you are engaging with is who they claim to be? For instance, over the last few years we have seen the birth and explosion of telemedicine as physical surgeries and health centres hit capacity and wait times increase. When you arrange a telemedicine appointment with an online doctor, how does a patient truly know that the person they are interacting with is a medical professional? What measures have been put in place to make sure only a qualified and credentialed individual is allowed to position themselves as a doctor online? The answer? Not much! Again, authentication protocols must be drawn up by the service provider and not by the platform suppliers themselves … further highlighting the wild west nature of the metaverse.
  • Privacy issues remain: VR environments do not have extensive privacy regulations … yet. Given the platform's invasive data collection and analysis and the fact that a lot of data is being constantly shared, regulations will need to come sooner rather than later. Now, however, the protection or sharing of user data is completely at the discretion of the platform owner. The user, therefore, must be savvy and diligent with the information they upload to the metaverse and the data they choose to share on the platform.  
  • Privileged accounts and hacking: There have also been reports of cybercriminals using the guise of privileged accounts, such as server moderators, admins, or customer support profiles, to compromise entire servers and bring cyber harm to multiple users at one time. Again, the metaverse itself is still growing and has no regulations or official support in place for this type of attack. So, once again, the onus falls on the user to stay safe and keep their login credentials as safe and secure as possible.
  • Access point compromise: Because the entry into the VR metaverse is typically through a headset, the compromise of the headset endpoint could result in complete takeover of that user's avatar.
  • Virtual Spying: Avatars can change appearance, meaning that meetings, personal chats, and other interactions are subject to spying and intrusion without the affected parties' knowledge. There are even some reports of nefarious individuals using an invisible skin or backend vulnerability to simply sit in on confidential metaverse meetings and scrape valuable and confidential information straight from unaware employees operating on the virtual platform.
  • Data integrity: Data integrity is always an issue in the early days of any new platform. And because the metaverse incorporates AR and VR software, third-party data is used to create overlays and augmented graphics. If any of this third-party data has been compromised or hijacked by nefarious individuals, you could have a major security issue on your hands. For example, if a location app being used in a headset has been hijacked with incorrect location data, it could result in major repercussions for the user. 
  • Physical safety and security: Metaverse users typically move around in the real world with an AR overlay, making physical security and safety a concern. This is one aspect of this virtual platform that is extremely easy to overlook. If users get too immersed in the virtual world, they could bring harm to themselves or those around them without even realising. Here, both metaverse platform providers and the users must take responsibility. Metaverse providers need to build in overlays/reminders for users about their physical surroundings, with periodic checks to ensure they remain safe when operating a VR headset or AR goggles. And users need to understand that their physical safety is down to them!

What cybersecurity measures are being adopted for the metaverse? 

The zero trust model - ‘never trust, always verify’ - requires strict identity checks and is therefore quickly becoming the go-to cybersecurity model for metaverse users. Because it uses ongoing and consistent authentication and verification to ensure bad actors are kept out or severely limited, the zero trust model is a highly effective way to ensure identities are verified and confidential information can only be accessed by those with the clearance for it. With the colossal amounts of data set to be hosted in the metaverse, zero trust is the most effective way to reduce or erase the theft of sensitive information.

AI will also play a critical role in safeguarding the metaverse in multiple ways. For example, AI-driven cybersecurity tools can analyse user behaviour patterns across a network to find users that are behaving suspiciously or operating in environments they do not have permission for.  

Metaverse cybersecurity might sound like a problem for the platform providers themselves, but your company’s IT team needs to be aware of emerging threats and the current lawlessness of the platform if you choose to operate on the platform in any way.

A data breach in the metaverse is just as harmful as a data breach by traditional means! 

So, before you invest in the metaverse, make sure you are keeping up with the latest metaverse security news and are always on the hunt for new security measures. This is a young and growing platform; we are all still learning how to be safe in the metaverse, even the platform providers! 


If you would like more information about how The Security Company can help deliver security awareness training for remote workers or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley.
