Why the fate of the metaverse could hang on its security

This article is part of a VB special issue. Read the full series here: The metaverse – How close are we?

Cyberattacks old and new will inevitably find their way into the metaverse, highlighting a requirement for immersive virtual worlds to provide strong security from their inception.

Securing the metaverse will present new challenges in comparison to existing digital platforms, however, according to cybersecurity executives and researchers. Monitoring the metaverse and detecting attacks on these new platforms will “be more complex” than on current platforms, according to Vasu Jakkal, corporate vice president of security, compliance, and identity at Microsoft. The tech giant is a leading proponent of the metaverse and has begun developing immersive virtual platforms for both enterprises and consumers.

“With the metaverse, you’re going to have an explosion of devices. You’re going to have an explosion of infrastructure. You’re going to have an explosion of apps and data,” Jakkal told VentureBeat. “And so it’s just increased your attack surface by an order of magnitude.”

If metaverse platforms fall short on security and privacy, they are almost certain to experience a false start — or worse — as the issues quickly turn into a major barrier to adoption, experts said. On the other hand, metaverse platforms that do focus on enabling security and privacy upfront could find greater traction as a result.

“It has a lot to do with brand and with trust,” said Caroline Wong, former senior manager for security at Zynga and now chief strategy officer at cyber firm Cobalt. “If a consumer has a choice of Platform A — which they believe to be secure and private and doing all the right things — and Platform B, which they think will probably lead to getting hacked if they join, then the choice is clear.”

While the coming virtual world will no doubt enable “beautiful experiences” for users, acknowledging and addressing the cybersecurity challenge will be essential for the metaverse to succeed, Jakkal said.

“My wish list would be, let’s not think of security as an afterthought. Security needs to be designed into the metaverse [from the start],” she said. “We have one chance of getting this right.”

Metaverse knowns and unknowns

It’s not yet apparent exactly what the attack surface will look like in the metaverse. But there’s still a lot we can know about the potential security risks of the coming virtual world, experts told VentureBeat. Existing issues around web, application, and identity security are expected to crop up quickly on metaverse platforms — as attackers seize opportunities for fraud, theft, and disruption.

Meanwhile, malicious cyber activity that’s only possible in an immersive virtual setting — such as invisible eavesdropping and manipulating users into actual physical harm — have been pinpointed by researchers as possible threats in the metaverse as well.

Kavya Pearlman, formerly the information security director for Linden Lab and its Second Life online virtual world, said that “extended reality” platforms such as the forthcoming metaverse are a different story when it comes to cybersecurity. Pearlman has been working to raise awareness about the issue as the founder and CEO of the Extended Reality Safety Initiative (XRSI), a nonprofit focused on privacy, security, and safety in virtual worlds.

“You can use [this technology] for the greatest good. But you can also use it to really hurt humanity,” Pearlman said.

For 2D digital platforms, she said, “The attack surface has remained limited to nodes, networks, and servers.” But with the metaverse, “The attack surface is now our brain.”

Securing virtual worlds

Platforms such as Second Life and virtual reality (VR) headsets have existed for years, while online games such as Fortnite and Roblox have turned into major virtual universes of their own. But for the metaverse, 2021 served as a turning point. Tech industry giants including Microsoft, Nvidia, and of course, Facebook — which changed its name to Meta — threw their weight behind the concept as well in 2021. Suddenly, the idea that an immersive virtual experience really could be the successor to the internet has become more than just a sci-fi notion.

The visions for the metaverse do vary, and it’s not yet clear how interoperable the different virtual universes might be with each other. But even with the unknowns, the time to start grappling with the cybersecurity implications of the metaverse is now, a number of experts told VentureBeat. And this effort should begin with the risks that can already be anticipated.

Josh Yavor, formerly the head of corporate security at Facebook’s Oculus virtual reality business, said the most basic thing to realize about security for the metaverse is that it must start with addressing the existing problems of the current digital landscape.

“None of those problems go away,” said Yavor, currently chief information security officer at cyber firm Tessian. “There are new problems, perhaps. But we don’t escape the current or past problems just by going into the metaverse. Those problems come with us, so we have to solve for them.”

With a potential for supporting all manner of economic activity, opportunistic attackers are sure to follow the money into the metaverse. It will no doubt attract threat actors ranging from standard fraudsters, to cryptocurrency and virtual goods thieves, to financially motivated ransomware operators, cybersecurity experts say.

And just like on the internet of today, social engineering aimed at acquiring sensitive information will be a certainty in the metaverse. So will impersonation attempts — which could be taken to a new level through assuming fraudulent avatars in virtual worlds. If someone acquires the credentials for your metaverse account and then assumes your avatar, that person could potentially “become you” in the metaverse in a way they never could on the internet, experts said.

Focus on identity security

All of which means that providing strong identity security should be a top concern for metaverse builders, said Frank Dickson, program vice president for security and trust at research firm IDC. Robust and continuous identity authentication will be critical — especially for enabling transactions in the metaverse. But this might be complicated by the immersive nature of the platforms, Dickson said. Typical forms of multifactor authentication (MFA) won’t necessarily be a good fit.

“It will need to be more than just MFA. If you’re in the metaverse, you’re not going to want to stop, pull out your phone, and punch in a six-digit code,” he said. “So we’re going to need to make that authentication as invisible and seamless as possible — but without sacrificing security.”

The fact that the metaverse will be built on a distributed computing technology, blockchain, does bring some inherent security advantages in this regard. The blockchain has increasingly been seen as an identity security solution because it can offer decentralized stores of identity data. Blockchain is far more resistant to cyberattacks than centralized infrastructure, said Tom Sego, founder and CEO at cyber firm BlastWave.

But what blockchain can’t address, of course, is the human element that’s at the heart of threats such as social engineering, he noted.

Attacks seeking to exploit exposed web services are expected to be another major issue that carries over into metaverse platforms. Current techniques used in zero-day attacks such as cross-site scripting, SQL injection, and web shells will be just as big of an issue with virtual applications, Sego said.

Looking ahead, one of the largest metaverse security risks might involve compromised machine identities and API transactions, according to Kevin Bocek, vice president of security strategy at Venafi, which specializes in this area. But first, all manner of “old-fashioned crime” including fraud, scams, and even robberies can be expected, Bocek said.

“I don’t know what muggings in the metaverse look like—but muggings will probably happen,” he said. “We’re humans, and the threats that are likely to arise first are the ones that deal with us.”

Perennial threats

Along with malicious attacks, metaverse builders will also have to grapple with other types of threats that tend to be perennial issues on digital platforms. For instance, how to protect younger users from adult content.

“Early on, what drove the internet was pornography. Guess what’s probably going to show up in the metaverse?” IDC’s Dickson said. “If pornography is your thing, great. But let’s make sure that our young children don’t have access to that in the metaverse.”

Meanwhile, if the history of social media can teach us anything, it’s that harassment will be another concern that must be addressed for users to feel safe in the metaverse. And the problem could be complicated by factors in the virtual environment itself.

In a virtual world, the ability to “get somebody out of your face” is hampered, Yavor said. “You have no sense of bodily autonomy, and there’s no way to put your arm out and literally keep them at arm’s length. How do we solve for that?”

The issue, like many others, is “one of the real-world problems that must be sufficiently solved in the metaverse for it to be something that’s an acceptable experience for people,” he said.

Thus, while some threats to users in the metaverse won’t be new, many will come with added complexities and the potential for amplified impact in certain cases.

Physical safety risks

Researchers say a number of novel security risks in the metaverse environment can be anticipated as well, some with a potential for real-world, physical consequences.

The arrival of immersive virtual environments changes things a lot for attackers, victims, and defenders, according to researchers. In the metaverse, “a cyberattack isn’t necessarily malicious code,” XRSI’s Pearlman said. “It could be an exploit that disables your safety boundary.”

Ibrahim Baggili, a professor of computer science at the University of New Haven, and a board member at XRSI, is among the researchers who have spent years investigating the potential risks of extended reality platforms for users. In a nutshell, what he and his collaborators have found is that “the security and privacy risks are huge,” Baggili said in an email.

“Right now, we look at screens. With the metaverse, the screens are so close to our eyes that it makes us feel that we are inside of it,” he said. “If we can control the world someone is in, then we can essentially control the person inside of it.”

One potential form of attack, identified by Baggili and other University of New Haven researchers, is what they call the “human joystick” attack. Studied using VR systems, the researchers found that it’s possible to “control immersed users and move them to a location in physical space without their knowledge,” according to their 2019 paper on the subject.

In the event of a malicious attack of this type, the “chances of physical harm are heightened,” Baggili told VentureBeat.

Likewise, a related threat identified by the researchers is the “chaperone attack,” which involves modifying the boundaries of a user’s virtual environment. This could also be used to physically harm a user, the researchers have said.

“The whole point of these immersive experiences is that they completely take over what you can see and what you can hear,” said Cobalt’s Wong, who has followed the work of XRSI and security researchers in the XR space. “If that is being controlled by someone, then there’s absolutely the possibility that they could trick you into falling down an actual set of stairs, walking out of an actual door, or walking into an actual fireplace.”

Additional potential threats identified by the University of New Haven researchers include an “overlay attack” (which displays undesired content onto a user’s view) and a “disorientation attack” (for confusing/disorienting a user).

Spying in the metaverse

A different breed of attack, also with potentially serious consequences, involves invisible eavesdropping — or what the university’s researchers have dubbed the “man in the room attack.” In a VR application, the researchers found they were able to listen in on other users inside a virtual room without their knowledge or consent. An attacker “can be there invisibly watching your every move but also hearing you,” Baggili said.

And if researchers are looking at the potential for spying in the metaverse, you can bet that state-sponsored threat actors are, too.

All of these attacks are only possible through exploiting vulnerabilities, of course. But in each case, the researchers reported finding that they could do it.

“The types of attacks we illustrated in our research are just so that we can showcase, as proof of concept, that these issues are real,” Baggili said. But looking ahead, he believes there’s a need for more study to determine how to develop these platforms “responsibly” from a security and safety perspective.

Other researchers have focused on security issues with augmented reality (AR) technologies, which are also expected to play a key role in the metaverse. At the University of Washington, researchers Franziska Roesner and Tadayoshi Kohno wrote in a 2021 paper that forthcoming AR technologies “may explicitly interface with the body and brain, with sophisticated body-sensing and brain-machine interface technologies.”

“The immersive nature of AR may create new opportunities for adversarial applications to influence a person’s thoughts, memories, and even physiology,” the researchers wrote. “While we have begun to explore the relationship between AR technologies, neuroscience, security, and privacy, much more work needs to be done to both understand the risks and to mitigate them.”

Alerts in the metaverse

There are other fundamental things to get right to secure the metaverse as well. One is a need for careful consideration about the design of the user interface. Many of the security and privacy measures that are relied upon in current digital environments “do not exist in a metaverse,” Tessian’s Yavor said. “In fact, the point of the metaverse is to make them not exist.”

The web browser is one example. If your browser thinks a site you just clicked on might be malicious, it’ll warn you. But there’s no equivalent to that in VR.

This raises a key question, Yavor said: In the metaverse, “how do you provide people the necessary context around the security decisions that they need to make?”

And further: When is it even safe to interrupt a user who’s physically in motion to let them know they need to make a critical decision for their security? “If you suddenly get a pop-up while you’re playing Beat Saber in VR, that can throw you off balance and actually cause physical harm,” Yavor said.

These are unanswered questions right now —and the technical aspects of information security are probably easier by comparison, he said. During his time at Oculus, “the much harder part was, how do we protect people without becoming too much of a custodian or an overbearing parent?”

The bottom line: Every metaverse builder will need to strike a balance between implementing security measures on behalf of users and empowering users to make risk-informed decisions on their own. “Again, the technical part isn’t hard,” Yavor said. “The design and the user experience is the incredibly difficult part.”

Meta’s take

In the late October presentation that unveiled Meta and the company’s vision for the metaverse, CEO Mark Zuckerberg didn’t directly mention potential cybersecurity issues. But he did discuss the related issues of privacy and safety, which he said will be crucial to address as part of building the metaverse responsibly. Meta is “designing for safety and privacy and inclusion, even before the products exist,” Zuckerberg said — later calling these “fundamental building blocks” for metaverse platforms.

“Everyone who’s building for the metaverse should be focused on building responsibly from the beginning,” he said. “This is one of the lessons I’ve internalized from the last five years — it’s that you really want to emphasize these principles from the start.”

In response to questions on how it’s approaching security, privacy, and safety in the metaverse, Meta provided a statement saying that the need to address issues are a main reason the company has begun discussing the metaverse years before its full realization.

“We’re discussing it now to help ensure that any terms of use, privacy controls, or safety features are appropriate to the new technologies and effective in keeping people safe,” a Meta spokesperson said in the statement, which had previously been shared with other media outlets. “This won’t be the job of any one company alone. It will require collaboration across industry and with experts, governments, and regulators to get it right.”

Microsoft’s take

In early November, Microsoft CEO Satya Nadella revealed the company’s aspirations to develop an “entirely new platform layer, which is the metaverse.” Microsoft’s vision for the metaverse involves leveraging many  of the company’s technologies—from its Azure cloud, to its collaboration solutions such as Teams, to its Mesh virtual environment.

Likewise, Microsoft’s metaverse offerings will also leverage all of the company’s existing security technologies—from cloud security capabilities to threat protection to identity and access management, Jakkal said. “I think all those foundational core blocks are going to be important for the metaverse,” she said.

Establishing trust in the security, privacy, and safety of metaverse platforms should be a top priority for all virtual world builders, Jakkal said.

“And it has to be very thoughtful, very comprehensive, and from the get-go. To me, trust is going to be a bigger part of the metaverse than anything else,” she said. “Because if you don’t get that right, then we are going to have so many challenges down the line—and no one’s going to use the metaverse. I would not feel safe using the metaverse if [it lacked] the principles of trust.”

Given the scope of the challenge, securing the metaverse will indeed require many stakeholders to work together collaboratively—particularly across the cybersecurity industry, Jakkal said. “We need to bring the security community into the metaverse,” she said.

Work is underway

Some industry firms are already preparing to help make the metaverse work securely. IT services and consulting firm Accenture has already begun development of key security functionality for metaverse platforms, said senior managing director David Treat. For instance, the company is developing a mechanism to enable two avatars to securely exchange “tokens,” which could be either identity credentials or units of value, without taking a headset off, he said.

“We invest heavily into R&D to make sure that we know how to make these things work for our clients,” said Treat, who oversees Accenture’s tech incubation group, which includes its blockchain and extended reality businesses.

This is one of the ways that the use of blockchain technology as an underpinning for the metaverse will be so powerful. As the metaverse evolves from disparate communities into an interoperable virtual world, blockchain will help to enable new, digitally native identity constructs, Treat said.

“We’ll have to redesign authentication in a fully digital world,” he said. For example, if people are meeting socially, you may or may not choose to reveal who you really are. Blockchain will help make it possible to securely share, or withhold, identifying information about yourself, Treat said.

New understanding

Ultimately, securing the metaverse will not only present new issues, but also new complications to old issues. The metaverse will involve the creation of massive quantities of data that would need to be monitored to detect attacks and proactively protect users, according to Pearlman.

“It’s a very complex thing to tackle,” said Pearlman, whose past work has also included advising Facebook about third-party security risk. “We’re definitely going to need a new understanding for how to tackle these cyberattacks in the metaverse.”

But unquestionably, it will need to be done, according to experts.

“In order for us to actually have secure experiences in the metaverse, we have to be able to figure out some way to establish trust in the content, in the safety of the platform, and in the people that we’re interacting with,” Yavor said. “If we’re creating sufficiently convincing virtual reality, we need to provide the same types of outcomes for security and privacy that exist in real life.”

There’s reason to be hopeful, though, Wong said. That’s in part because the industry has at least a few years to address these issues before the metaverse is ready for prime time, she said.

With the metaverse, “there is absolutely the potential to create new economies, and to connect people in beautiful and meaningful ways,” Wong said. “Part of doing that successfully, I believe, will be addressing security and privacy issues.”

Jakkal agreed. “I’m hopeful that the metaverse brings these beautiful experiences for our businesses and for our people,” she said. “But to do good, we need to be safe.”

---

Read more from this VB Special Report:

• The metaverse: Where we are and where we’re headed
• Why the metaverse must be open but regulated
• How the metaverse will let you simulate everything
• 7 ways the metaverse will change the enterprise
• Identity and authentication in the metaverse
• Understanding the 7 layers of the metaverse
• Can this triple-A game usher in the promise of the metaverse? (sponsored by Star Atlas)
• How the metaverse could transform upskilling in the enterprise
• Why the fate of the metaverse could hang on its security
• Gaming will lead us to the metaverse
• The potential environmental harms of the growing metaverse