When companies and users decide to adopt technologies in the coming metaverse, they will also be exposed to a new class of security risks and vulnerabilities.
As virtual worlds and augmented reality platforms become what their creators call the “metaverse,” users and enterprises will face entirely new categories of security risks and pitfalls.
The concept of a 3D virtual environment in which users can interact and socialize has been around for some time, but the metaverse came into the spotlight last fall when Facebook rebranded itself as Meta and made a big bet on bringing the technology to both consumers and businesses; other tech companies have followed suit.
But experts predict that as the metaverse develops, security flaws that most people haven’t even considered will become common risks.
Kavya Pearlman, managing director of the XR Security Initiative (XRSI), told our sister site SearchSecurity that, at first, many of the risks facing developers and enterprises will be the same ones faced by many current Web sites and applications.
“You can still exploit existing CVEs,” Pearlman noted. “All of that is going to come up because most of these things run on the same protocol.”
This, Pearlman explained, will mean that bugs like Log4Shell will remain a threat to platforms in the metaverse. Developers and administrators will have to take the same security precautions and countermeasures.
Stephanie Benoit-Kurtz, senior lecturer in the School of Information Systems and Technology at the University of Phoenix, said the addition of the extra hardware needed for VR and augmented reality platforms in the metaverse will also increase the exposure of corporate networks and an attacker’s ability to covertly extract data from virtual meetings and presentations.
Meta CEO Mark Zuckerberg shows off his metaverse avatar during the company’s Connect 2021 event last fall.
“From virtual reality headsets, to other types of devices that augment experiences, the infrastructure needed to support this new environment is exponentially more extensive than what exists today,” said Benoit-Kurtz.
“The challenge with each endpoint is that bad actors will look for ways to exploit those endpoints, either to take over identities on the network or block access through denial-of-service attacks,” she said.
People using immersive technologies, such as virtual reality headsets, can become disoriented in the real-world environment and injure themselves. They may even become accustomed to performing actions that have no consequences in the metaverse, such as jumping from a second story or walking into traffic, potentially desensitizing them to real-world risks.
However, as the technology advances and develops, different problems are likely to arise. In particular, attacks could move from the realm of data to actual physical dangers.
Pearlman’s XRSI has produced proof-of-concept research showing how an attacker could manipulate a VR platform to reset the physical limits of the hardware. For example, a user could be pushed into the path of furniture or down a flight of stairs.
This could be even more dangerous when augmented reality enters the picture, and users could be misdirected into a street or led into a dangerous physical situation, such as a robbery or mugging.
Even less pleasant is a hypothetical attack that could literally leave its victims with their stomachs churning. “We know that in VR people could experience motion sickness,” Pearlman indicated. “A creator could intentionally embed something that, when clicked, would make you dizzy.”
Other attacks could be even more sinister and damaging, said Christopher Boyd, senior threat researcher at Malwarebytes.
“A few years ago, one of the main avenues of exploitation in virtual spaces was paid advertising. With plans to insert regular ad networks with dynamic in-game ad spaces, it’s reasonable to expect compromises and fake ads,” Boyd said.
“Malicious individuals could have replaced regular ads with strobe images designed to trigger epileptic seizures, along the lines of similar attacks on epilepsy foundations on social networks and forums in general,” he said.
The most dystopian possibility of the metaverse is the impact it could have on the mental health of its users. More immediately, the problem of bullying will be something that developers of virtual environments will have to address.
Because these are new technologies, there are no long-term studies on their physical and mental impacts. Although side effects vary between people, immersive games can lead to depression, isolation, solitary behavior, and even suicide and violence.
“The current main avenue of physical exploitation in VR spaces is sexual harassment and abuse, often aided by weak or absent security settings,” Boyd explained. “This has been a problem in virtual spaces for a long time, and there are many options to combat it.”
Other potential mental health issues will arise from long-term immersion in virtual worlds.
Pearlman, who was head of security at Linden Lab, said that while working on the VR platform Sansar, she experienced a sensation called “phantom timeline syndrome,” in which the lines between the virtual and physical worlds became blurred.
“You’re not able to distinguish reality from VR,” Pearlman recounted. “You come out of VR and you still feel like everything around you is VR.”
This, she said, will be a particular danger for children growing up with the metaverse. Given that young, impressionable minds spend a lot of time on VR and AR platforms, Pearlman worries that attackers could use misinformation to manipulate children and imprint false beliefs on them.
Theft of personal data
Since metaverse platforms could collect images and other personal details of their users, children would potentially be exposed to further privacy breaches.
When avatars are used as a form of identification, the person and personal data become susceptible to copying, theft, deletion or manipulation. While biometric identification could be a solution, impersonation is another risk.
“The concept of privacy becomes much more of a concern when you’re talking about children in this space,” said Benoit-Kurtz. “Inevitably, children will be in this space, and the legacy Children’s Online Privacy Protection Act (COPPA) is not sufficient to address the future of this technology or adequate safeguards to deal with the exponential personal information these environments will collect.”
There are no laws or legal jurisdiction in the metaverse, just as there are no physical boundaries or borders. For the same reason, there is no accountability for actions, although some progress has been made in regulating social networks.
Because the metaverse is digital, every action in it translates into personal, biometric, financial and even emotional data, which raises concerns about the security, confidentiality and intellectual property of that data.
Data and cybersecurity
The metaverse will increase the number of locations that can come under attack. While underlying systems will continue to be targets for data theft, this could change as platforms become more popular.
How to prepare?
Both Pearlman and Benoit-Kurtz agreed that to protect their data and the privacy of their employees, companies will need more than a few policy changes.
Companies will need to plan ahead for how they will ensure that their AR and VR platforms are not subject to abuse, either externally by hackers or internally by unethical managers seeking to violate the privacy of their colleagues and subordinates.
“An organization’s adoption of this type of technology goes far beyond IT and HR. This move into the metaverse will transform organizations significantly over the next five to 10 years,” advised Benoit-Kurtz.
“Rather than waiting for the technology to come knocking, organizations should take a proactive approach to the issue by starting to address the conversations at the organizational level now.”
Because these are relatively new technologies, there are no long-term studies of their physical and mental implications. However, there is plenty of research describing cybersickness, the dizziness and discomfort caused by prolonged use of screens or virtual reality devices.