- Employee awareness
- 7 min read
In the summer of 2021, Facebook CEO Mark Zuckerberg detailed a new focus for his social networking company; a $162 billion future that imagined human socialisation, business, leisure, and events in a virtual Metaverse.
Zuckerberg’s passion for a new virtual landscape was underpinned with the changing of his company name from Facebook to Meta. It seemed, and indeed appears, as though the Metaverse is here to stay for the foreseeable future. Zuckerberg himself seems to believe the full-scale adoption of the Metaverse will only take 5 to 10 years.
However, with a new networking platform that facilitates conversations and transactions between trusted individuals and strangers, comes fresh new attack vectors and security challenges. This digital ecosystem will sprout new privacy issues, data breaches and security risks as threat actors look to exploit security gaps because of poor device and platform integration.
Today, we will be exploring the cybersecurity and awareness issues we may see in the Metaverse, as well as some cases that have already transpired.
But, before we get to that, let’s look at what the Metaverse is.
The word ‘Metaverse’ comes from a classic sci-fi novel called ‘Snow Crash’ from author Neal Stephenson. In the novel, a virtual world has become a haven for humanity in the face of a decaying society. Stephenson’s work not only went on to influence cult films such as ‘The Matrix’ and ‘Lawnmower Man’ but also real life. Is this a foreboding omen for actual society?
The key difference between fictional Metaverses and what we will experience is quantity. Whilst many of these fictional tales feature one dominant Metaverse, we will see many competing Metaverses. Most of the Metaverses that we already know of exist in the gaming world (Second Life, Fortnite, Sandbox) but we will start to see actual platforms that reflect society as opposed to gamified experiences. Zuckerberg’s Meta will have a fight to put up.
Nevertheless, the Metaverse in a true sense is a simulated environment in a virtual reality (VR) space. In this simulated world, users are represented by avatars (digital characters) and can take part in events that may have otherwise taken place in the real world, such as meetings, concerts, lessons, and get-togethers.
There are also Metaverses and simulated worlds that incorporate aspects of Web 3.0 such as blockchain technology, cryptocurrencies and NFTs (nonfungible tokens).
In truth, the move to the Metaverse is a natural progression of the pandemic fallout. As more businesses ditched physical locations in favour of remote working, we started to see reduced costs and an increase in efficiency for business operations. Training, day-to-day operations and strategic meetings can now all take place in virtual environments without the need for physical brick and mortar locations.
However, with the sale and purchase of products and services moving to the virtual space, the Metaverse now becomes a massive target for cybercriminals, attacks, and schemes – all of which will have ramifications in the real world.
As more human activity and events move to the Metaverse, we will see new attack vectors and security challenges, many of which will not have response protocols in place to deal with. Now, virtual experiences are geared for entertainment purposes. As this shifts and changes, the cybersecurity stakes are raised significantly.
If you are in a Metaverse meeting with your colleagues, instead of looking at your colleagues, you will be looking at digital avatars of them. When you make a real-world gesture or facial expression, your avatar will relay that movement in the virtual world.1
Data Privacy Manager reveals that Metaverse companies will collect identification and tracking data from virtual headsets. If this personal data is breached or not safe guarded properly, Metaverse users become prone to impersonation attacks.
But how can you verify that the person sat across from you in the virtual world, is the real person they say they are? Could an attacker not impersonate one of your colleagues to obtain sensitive information and cause financial havoc? Could a competing company find a backdoor route into your virtual meetings and gain the upper hand?
One week after the release of Meta’s Horizon Worlds, a user logged a complaint of being groped online. The user stated that as soon as she logged into the world, she was surrounded by avatars that leered at her digital presence, made derogatory remarks, and even snapped lewd images of the digital avatar. The user said: “Sexual harassment is no joke on regular internet but being in VR adds another layer that makes the event more intense.” There has already been a response to this cybersecurity issue, but we will detail this further down this piece.
When you have a meeting in the real world, you can account for everyone in the room and secure all confidential information. When you move meetings to the Metaverse, you open the possibility of man-in-the-room attacks. This is when an invisible user or avatar eavesdrops in meetings. Whilst we have not seen many of these attacks in the Metaverse so far, malicious cybercriminals are slowly figuring out how to remain undetectable in Metaverse meetings. If successful, we will see a massive influx of spying sessions, espionage and man-in-the-room eavesdropping.
A lot of financial technology, commerce and banking is slowly moving to the Metaverse as well. Not only can you buy virtual real estate, clothes, and valuables in the Metaverse using cryptocurrencies, but you may also hold virtual sessions regarding physical transactions. There is no reason to believe that attackers could not find their way into these meetings and maliciously steal property or money.
If a cybercriminal can gain access to your virtual avatar and your Metaverse account, they effectively become that person in the digital world.
In fact, it is estimated that in a 20-minute virtual reality session, a data packet of over 2 million data points regarding a user’s body language and behaviour is generated (Source). This data includes head and hand movements, facial expressions and even behaviours that reveal physical and mental conditions. The devices that collect this data are connected to the Metaverse and will therefore be used to validate transactions.
As you can see, the Metaverse includes the collection of personal and sensitive data at an extremely high volume. If a cybercriminal can steal this data, they can become the virtual you. It is the ultimate version of identity theft. And, on top of that, you can use that account to spy on other protected accounts and trick even more professionals using a trusted virtual avatar.
A major problem with every single social media network is the presence of bots. Most of the time, these bots are not harmful as they are often just used to boost follower counts. However, when automated bots are used in the Metaverse to impersonate legitimate users, you could see massive bot-backed attacks taking down whole virtual spaces and creating artificial digital traffic.
A mad new cyberattack we may see because of the Metaverse is spoofing entire worlds. Imagine, you have entered a virtual world through a link you believe to be trustworthy. Instead, the attack has manoeuvred you into an environment they can manipulate and play with. They could trick you into injuring yourself with malicious changes to your virtual world which influence the way you move in the real world.
Researchers from the University of New Haven in Connecticut revealed that there are no features in place to stop an attacker from changing what you see in VR. In a controlled test, university researchers were able to successfully alter visual content and therefore the VR experience. There were no encryption settings in place nor were there any virtual boundaries to keep out hackers.
Cybersecurity experts want everyone to realise that with Metaverse hardware, your body and your brain also become attack surfaces for cybercriminals. Louis Rosenberg, a Metaverse expert, says “the potential to alter our sense of reality, distorting how we interpret our direct daily experiences” will lead to massive security issues.
One of the biggest appeals of the Metaverse is the facilities for anonymity. NFTs, the blockchain, cryptocurrencies and the Metaverse itself validate transactions discreetly and as anonymously as possible. As a result, it is much harder to spot and be aware of fraudsters, ransomware attacks, fake identities, or cyber thieves. How are you supposed to verify who someone is if that person is trying to stay as anonymous as possible?
In October 2021, Facebook/Meta whistleblower Frances Haugen told UK MPs that Mark Zuckerberg and Meta have “unilateral control over 3 billion people.” Her revelations came at the cusp of Zuckerberg’s Meta/Metaverse announcement and posed a profoundly critical concern: can a company that has access to half of the world’s population, and a record of putting profits before consumers, be trusted to respect user privacy in a digital world?
Mark Zuckerberg has said that “interoperability, open standards, privacy, and safety need to be built into the Metaverse from day one.” However, since his Metaverse will be using the same building blocks as Facebook, we will see the same privacy issues being transferred over. Can we truly trust Mark Zuckerberg and Meta?
A suggested solution for cybersecurity in the Metaverse is biometrics. When you are working with VR and AR (Augmented Reality) platforms, you can build a biometric lock into the hardware. For example, future virtual reality headsets could include iris readers or even fingerprint readers on the hand controls.
However, this creates another obstacle with permission needed from online users for biometrics, which could then also be at risk of being breached themselves. In fact, we could see future attacks targeting a data silo of biometric data to spoof Metaverse avatars or even facilitate large data scrapes.
In response to the virtual assault mentioned above in Horizon Worlds, Meta has introduced a mandatory distance formula to keep digital avatars apart. This ‘personal boundary’ option is default and purports to protect users in virtual worlds from other leering users. The boundary option generates a bubble around your avatar which prevents other online users from entering it. You can turn this option off when you are in trusted locations, but it is on by default.
As mentioned, sensitive data becomes vulnerable in the Metaverse as cybercriminals target digital identities and commercial transactions. The blockchain, a decentralised network where data is not stored in one specific location but encrypted through a cloud service, is the current security solution for Metaverse data silos.
However, recent blockchain attacks and breaches have led to more discussion on the strength of data security in the Metaverse.
Currently, the Metaverse is a free and lawless virtual world. Governments need to act and place regulations and rules on the Metaverse to ensure that users are protected. Much like other platforms, government needs to draw up regulation on virtual theft, cyberstalking, harassment and more.
If governments are too slow with regulation, then the organisations providing the Metaverse need systems and policies to protect every user on the Metaverse. Once these guidelines and rules have been established, we will have a better foundation to build preparation and awareness of cyberattacks in the Metaverse.
No matter how far and wide the cybersecurity issues in the Metaverse, cyber education is essential to the safety of your data and your peers. By making your employees your first line of defence against security issues, you give them the power to control the narrative.
You will need to support them with cybersecurity hardware and software, but if you can implement the right mentality in your workforce, you will keep all users safe in both the real and virtual world.
It is tough to predict how organisations will protect against cyberattacks in the Metaverse because we do not yet know how or what form these cyberattacks will take.
Not only will the Metaverse have to tackle the same cybersecurity threats faced by Web 2.0 services, new attack vectors and inventive cybersecurity schemes will inevitably be popping up. Many of these Metaverse attack vectors are yet to be invented so we need to keep our ears on the ground and our finger on the pulse.
And whilst we will have to learn to spot and react to a whole host of new attack vectors, the biggest change because of the Metaverse is the expansion of attack surfaces. As the Metaverse is dependent on AR and VR devices and the connection between them, we will see cyberattacks geared towards these new apps and data silos.
We do not exactly know the state of security in the Metaverse as the platform is still too young to present any data. However, we can safely say that with a whole new universe coming into the fray, a whole new universe of cybersecurity attacks and solutions will come with it and at the heart of it all, we need to encourage and build smart cybersecurity behaviours in every individual.
Building cybersecurity awareness, especially in relation to new and emerging threats, is the backbone of TSC’s offering. No matter the attack service or platform, TSC’s service will ensure your employees are aware and knowledgeable of the threats they will come across.
© The Security Company (International) Limited 2023
Office One, 1 Coldbath Square, London, EC1R 5HL, UK
Company registration No: 3703393
VAT No: 385 8337 51