Safety in the metaverse: What are the risks for businesses?
Like any new innovation, the metaverse is currently at the center of a 'risk versus reward' debate. Unsurprisingly, the 3D virtual world has received a lot of attention, with McKinsey confirming that more than $120 billion was invested in building out metaverse technology and infrastructure in the first five months of 2022.
Promises of extraordinary use cases, from teaching virtualized university lectures to performing surgeries for patients in other countries -- not to mention the potential cost saving and accessibility benefits -- have garnered curiosity. But while it could be some time until we see mass adoption of the metaverse, the security community is already apprehensive of the evolving security risks.
Adversaries, as opportunistic as they are, will take advantage of the growing attack surface that the metaverse paves via social media, streaming services and online gaming, and capitalize on the mistakes made in its development. Incidents of deepfake attacks in the current version of our digital world are already mounting, whereby advances in artificial intelligence are used to digitally alter and simulate a person’s voice or appearance with ill intent.
66 percent of respondents in our Global Incident Response Threat Report saw malicious deepfakes used as part of an attack last year (up 13 percent), with the majority (58 percent) witnessing deepfake attacks most often taking the form of video. But more pressing is the fact that new platforms are increasingly being targeted, including third-party meeting applications (31 percent) and business collaboration tools (27 percent).
What’s not to say there won’t be an uptick in similar scams inside of the metaverse virtual reality?
Assuming the metaverse takes off in a big way, organizations will need to be considered in their approach to delivering this nascent technology. Exploring how tools and authentication techniques can be leveraged will be essential for those seeking to safeguard and shepherd the virtual world.
Emerging cybersecurity concerns
It is becoming more apparent that existing types of cybercrime could spread to the metaverse. What a lot of adopters do not realize is that new metaverse technology is being built upon old technology, like Linux servers, in which security is not intrinsically built and vulnerabilities are deep rooted. Europol Innovation Lab has warned that cyberattacks, like misuse of stolen identity to commit fraud and even abuse other users (or avatars), could be replicated in the metaverse.
In the context of virtual reality authentication, sophisticated eye tracking, face tracking and motion haptics could be used to record a user’s interactions with the device -- how will we be able to tell the friend or colleague we’re interacting with is really who they say they are? Eventually, the platform could become a magnet for ransomware and money laundering, with cryptocurrencies in active use and more platform-specific currencies expected to materialize.
Continuing to rely on passwords as the primary form of authentication in the virtual world would be a recipe for these breaches to breed. Organizations involved in its build out or use will need to show thoughtfulness towards the controls in place to identify users and deploy watertight authentication.
Becoming 'metaverse-ready'
One-time authentication simply would not work in the metaverse; it needs to be viewed as a lived space, not as a single-use service. Instead, a system of continued authentication leveraging different factors, such as biometrics, and closely monitoring user behavior will be critical to alleviating some security concerns while providing a seamless experience in the metaverse.
The same principles of zero trust security we’ve become accustomed to in the 'real world', namely the belief that implicit trust is always a vulnerability and we must always verify devices and users, need to be replicated in the metaverse. Indeed, it is a delicate balancing act as continual authentication may be deemed invasive by some, constantly collecting user data to qualify that users are who they claim to be. But with the tonnes of data that will be collected to produce a personalized and realistic user experience in the metaverse, there is an urgent need for the security of the authentication process to be improved.
Continuous digital authentication of a device, and the identity of the human using the device, provides that additional layer of security to the logging-in process and helps to detect anomalies in the form of mimicry.
Beyond the security challenges in the technology itself, safety in the metaverse must also encompass the safety of individuals in that space. Any nefarious activities humans can do in this world, can be recreated by them in the metaverse. Whether regulation is decentralized or enforced by the government, action must be taken. Otherwise, we may end up with fragmented versions of the metaverse, each existing within its own walled garden of regulation and security policies.
But before new cyber security strategies can be developed, existing defences for technologies vital to the metaverse, such as 5G, IoT, blockchain and artificial intelligence, need to be fortified. Only then can we ensure a solid foundation for this new virtual realm.
Learning from our security mistakes
While the metaverse remains on the fringes of how we use the internet currently, there is optimism that it will introduce new ways of interacting and whole new virtual worlds to live in. With the potential to transform our lives, however, comes a new and attractive opportunity for threat actors. Existing vulnerabilities, inherited by building this new frontier on legacy technology, could be exploited in the professional and personal spheres in order to profit or cause harm to others. To tackle the cyber risk, a harmonious network of continuous digital authentication, zero trust and thoughtful means of data collection will need to be adopted as the standard operating procedures.
Image Credit: Wayne Williams
Rick McElroy is Principal Cybersecurity Strategist at VMware.