The metaverse is happening. Mark Zuckerberg likes it so much he’s named Facebook’s parent company “Meta”.
Virtual real-estate sales topped $500 million in 2021 and could double this year. And the metaverse as a whole has been described as a $1 trillion opportunity.
The excitement is contagious. Your organisation may be eager to leap on wearables (Balenciaga Fortnite skins, anyone?) or tie-ins (like attending a virtual Australian Open and even buying a chunk of the court as an NFT). For others, the prospect of immersive experiences in which users try on avatars, personalise products, or attend glossy, gamified virtual meetings will be irresistible.
But there’s still so much about the metaverse that’s uncertain. Just like with any new technology, there’s a danger that bold new ideas will rush forward headfirst, leaving security scrambling to keep up. There are already questions surrounding tech, privacy, theft and fraud popping up, so security leaders will likely have plenty of threats to worry about in the metaverse.
What exactly is the metaverse?
The metaverse can be hard to define. That’s partly because of all the marketing hype surrounding it, but also because it’s not yet fully formed.
The dictionary definition is “a virtual-reality space in which users can interact with a computer-generated environment and other users”. To that starting point, it’s worth adding a note about interoperability – the idea of the metaverse as not just one space, but a series of linked spaces that your avatar, digital possessions and cash can move through. This is the world celebrated in a famous video in which Mark Zuckerberg dons a VR headset to enter a galactic poker game, take calls, check out street art and show off a large virtual chiminea.
Another central plank of the metaverse is that it’s seriously immersive. Motion sensors, headsets and holograms are expected to combine to produce an experience that becomes the real thing – a place to buy, sell, meet, explore and just hang out.
The metaverse is already a risky place
Since interoperability is one of the core concepts of the metaverse, we can already imagine the risks involved in making sure different services play together nicely (and securely). All those APIs and microservices aren’t going to secure themselves.
But the metaverse is still in its infancy. Avatars can’t stroll from World of Warcraft to a Microsoft Mesh call, and holograms aren’t yet sophisticated enough to project the metaverse into real life. But the technology doesn’t have to be advanced to catch hackers’ attention; it just has to be prevalent. NFTs are an example of popular tech being used by hackers to carry out social engineering scams.
Owning NFTs is a crucial way for people to present themselves in the metaverse, and NFTs are a crucial early market in this new world. Their use of blockchain technology means unique or limited-edition artefacts can be bought, sold and verified. But their soaring value (one artwork, The Merge, sold for $91.8m) has helped attract criminals, via phishing scams, artificially inflated prices and counterfeits (a seller not owning an NFT or the rights to the images it’s based on).
As the metaverse grows bigger, more complex and more valuable, threats will escalate. Malware and data breaches present a real danger on unsecured devices, and we’ve already seen the Internet of Things (IoT) increase the attack surface for cybercriminals to exploit.
That surface may soon explode, with virtual reality (VR) and augmented reality (AR) headsets, glasses and sensors possibly becoming a more attractive attack vector than mobile phones.
Data will be the currency of the metaverse
There are likely to be serious privacy concerns in the metaverse. VR and AR devices will collect large amounts of data, including detailed biometrics – with plenty of potential for misuse. Just think about how valuable health records are now, and you can imagine the value of detailed biometric data.
For the metaverse to function, users’ avatars will need to move seamlessly from one platform to another, digital artefacts and social networks in tow. And for people to really exist in the metaverse, they need to bring a lot with them. Today’s social media platforms are already wracked with fraud, and cybercriminals routinely use the data found there for launching phishing attacks. In the metaverse, there will be far more intimate details as users build replicas of themselves, complete with personal, professional and employer information to flesh out deeper virtual relationships. Protecting data will be a crucial part of the metaverse, but there will be real pressure for that security to come with minimal friction – the whole point of the metaverse, after all, is that it sucks you in.
Meta money, meta problems
Crime in the metaverse may be easy to commit and hard to police. Online crime has shown us that even with the current state of technology, criminals can operate anonymously and dupe innocent users. Avatars may mean criminals become harder to identify, their real location and identity cloaked beneath multiple layers of AR, VR and increasingly sophisticated bots.
Another USP of the metaverse – its free, decentralised nature – presents other problems. Without administrators, cracking down on crime and regaining stolen assets will be difficult. NFT and crypto scams are likely to proliferate, with criminals targeting virtual wallets, selling fake NFTs, setting up false marketplaces and using the metaverse’s immersive nature to hook users with offers that may – through the rosy glow of a VR headset – seem irresistible. Ransomware gangs will have new assets to play with, and domain spoofing is likely to grow more sophisticated.
Staying safe in the metaverse
The uncertainty around the way the metaverse will take shape means it’s hard to set concrete rules about how to stay safe in it. Endpoint protection for new devices will be crucial, and VPNs, proxies and anti-malware software may all have a role to play.
The threat landscape will be transformed, and effective threat hunting, penetration testing and monitoring will prove invaluable as organisations ensure that their security posture is metaverse-appropriate. Frequent, relevant training will also be essential to help employees stay safe from phishing gangs.
The metaverse and cybersecurity
The metaverse is already a big deal for early adopters and some key tech firms. It’s far from the finished article, but some organisations will hope to leverage the metaverse’s opportunities early via gamified spaces, virtual retail and immersive experiences. They will face new cybersecurity risks, as well as old risks dressed in immersive new clothes.
Regulation will take time, putting the onus on security leaders to secure their assets and employees, and make sure cybersecurity is given serious thought as strategies are hammered out. A mix of technical solutions and awareness training will be needed, backed by a cybersecurity posture that is nimble, robust and alive to the threats the metaverse will bring in its glittering wake.