How much do you know about the metaverse?

Everyone started talking about the metaverse in the summer of 2021. Facebook CEO Mark Zuckerberg kicked it off with his plan to focus his company on building what he imagined would be the future of social, business, leisure and culture: the metaverse. He even changed the name of his company from Facebook to Meta.

Since then, the chatter about the coming changes has been loud. Silicon Valley, the global tech industry, the media — everyone is talking about it. But what is the metaverse, exactly?

What is the metaverse?

Experts disagree on a clear definition. But the fuzzy outline is this: in the future, people will interact with each other in simulated environments in virtual reality (VR). Avatars will represent real people in the virtual spaces. Some of the things we do now in the real world will take place in the virtual world — meetings, school, art, concerts and more.

Most definitions include augmented reality (AR) as well. For example, if you buy or create a virtual dog in VR, you’ll also see your virtual dog running around in the real world when you’re wearing AR glasses. Some people include so-called Web 3.0 ideas in the idea of the metaverse — blockchain, cryptocurrencies and nonfungible tokens (NFTs).

Science fiction roots

Some assert or assume that there will be one metaverse — a single virtual world shared by all. The word ‘metaverse’ was coined in 1992 by author Neal Stephenson in the novel “Snow Crash”. In the novel, there was a single metaverse. That’s also true of other science fiction stories like “The Matrix” and “Ready Player One”.

Science fiction has mostly focused on the idea of a single digital world for everybody. The most likely outcome, however, will be many metaverses. Companies will create proprietary, incompatible virtual worlds they own and control. Zuckerberg mainstreamed the term, but nearly all tech giants and thousands of smaller companies are gearing up to be involved. “Second Life”, a 2003 role-playing game and attempt at a parallel digital world that failed to make a big impact on business, is even back in the running.

Either way, as more human activity takes place in virtual spaces, the challenges around security will become more important. The shift from today’s VR to tomorrow’s metaverse is mainly about shifting from video games to actual living in virtual spaces. Today, we tend to think about VR as strictly for entertainment. Changing it to a parallel universe where we spend much of our day raises the stakes for cybersecurity.

The Metaworst case scenarios

Fast forward 10 years into the future. Imagine business leaders have replaced Zoom calls and video meetings with meetings that take place in virtual reality— in the metaverse. Each meeting participant has an avatar that looks like a cartoonish version of the real person. When I look at someone’s avatar and they look at mine, we’re making avatar eye contact. I can see who’s talking and use real-world gestures and facial expressions which my avatar will convey on my behalf.

But how can we be sure that each person is actually who they say they are? An attacker might impersonate an authorized participant for a malicious purpose. Imagine if normal business meetings suddenly had a spy from a competitor in the room. Or, what if an imposter replaced the boss?

One widely embraced idea among companies working on future VR and AR applications (including Apple) is the building of biometrics into the hardware. For example, future products might include iris recognition in headsets or fingerprint readers on the sides. We can’t yet know if users will accept biometrics like this in the future. Future malicious actors might figure out how to spoof or defeat metaverse biometrics.

Anyone able to gain access to credentials or otherwise gain access to a metaverse account effectively becomes that person. It’s the ultimate opportunity for identity theft, spying and social engineering.

Man-in-the-room metaverse attacks

Another concern is invisible-avatar eavesdropping, or ‘man in the room’ attacks. Future malicious actors may figure out how to make their presences undetectable. From there, they could invisibly join meetings and listen in on business conversations. State actors and spy agencies, as well as industrial espionage actors, may devote enormous resources to figuring this out.

Commerce and even banking are expected to take place in the metaverse. Advocates talk about buying virtual real estate, purchasing virtual versions of clothing and valuables and paying for it all with cryptocurrencies. Attackers could steal any of this, leaving victims without property or recourse.

Today, social media is plagued with fake accounts, AstroTurf campaigns and automated bots pretending to be legitimate users. There’s no reason to believe that the metaverse will fare any better than social media platforms.

New world, new security solutions

Today’s threats may still exist in the metaverse era. However, the virtual worlds of the future will almost certainly involve novel threats that don’t really exist today.

For example, imagine an attacker being able to manipulate the environment and avatar to make the physical user injure themselves by falling down stairs or walking outdoors. Some experts have pointed out that because metaverse interfaces plug directly into our senses, our brains become part of the attack surface.

What we can imagine more clearly is the scale of the potential threat. The future of VR and AR spaces will involve a huge increase in new devices connecting to each other. It will include new apps and mountains of data moving around. If nothing else, the metaverse represents a gigantic increase in the attack surface.

We can’t know exactly how good or bad the security implications of metaverse platforms will be. But we can expect a whole universe of metaverse security challenges and solutions ahead.

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today