How much do you know about the metaverse?

Everyone started talking about the metaverse in the summer of 2021. Facebook CEO Mark Zuckerberg kicked it off with his plan to focus his company on building what he imagined would be the future of social, business, leisure and culture: the metaverse. He even changed the name of his company from Facebook to Meta.

Since then, the chatter about the coming changes has been loud. Silicon Valley, the global tech industry, the media — everyone is talking about it. But what is the metaverse, exactly?

What Is the Metaverse?

Experts disagree on a clear definition. But the fuzzy outline is this: in the future, people will interact with each other in simulated environments in virtual reality (VR). Avatars will represent real people in the virtual spaces. Some of the things we do now in the real world will take place in the virtual world — meetings, school, art, concerts and more.

Most definitions include augmented reality (AR) as well. For example, if you buy or create a virtual dog in VR, you’ll also see your virtual dog running around in the real world when you’re wearing AR glasses. Some people include so-called Web 3.0 ideas in the idea of the metaverse — blockchain, cryptocurrencies and nonfungible tokens (NFTs).

Science Fiction Roots

Some assert or assume that there will be one metaverse — a single virtual world shared by all. The word ‘metaverse’ was coined in 1992 by author Neal Stephenson in the novel “Snow Crash”. In the novel, there was a single metaverse. That’s also true of other science fiction stories like “The Matrix” and “Ready Player One”.

Science fiction has mostly focused on the idea of a single digital world for everybody. The most likely outcome, however, will be many metaverses. Companies will create proprietary, incompatible virtual worlds they own and control. Zuckerberg mainstreamed the term, but nearly all tech giants and thousands of smaller companies are gearing up to be involved. “Second Life”, a 2003 role-playing game and attempt at a parallel digital world that failed to make a big impact on business, is even back in the running.

Either way, as more human activity takes place in virtual spaces, the challenges around security will become more important. The shift from today’s VR to tomorrow’s metaverse is mainly about shifting from video games to actual living in virtual spaces. Today, we tend to think about VR as strictly for entertainment. Changing it to a parallel universe where we spend much of our day raises the stakes for cybersecurity.

The Metaworst Case Scenarios

Fast forward 10 years into the future. Imagine business leaders have replaced Zoom calls and video meetings with meetings that take place in virtual reality— in the metaverse. Each meeting participant has an avatar that looks like a cartoonish version of the real person. When I look at someone’s avatar and they look at mine, we’re making avatar eye contact. I can see who’s talking and use real-world gestures and facial expressions which my avatar will convey on my behalf.

But how can we be sure that each person is actually who they say they are? An attacker might impersonate an authorized participant for a malicious purpose. Imagine if normal business meetings suddenly had a spy from a competitor in the room. Or, what if an imposter replaced the boss?

One widely embraced idea among companies working on future VR and AR applications (including Apple) is the building of biometrics into the hardware. For example, future products might include iris recognition in headsets or fingerprint readers on the sides. We can’t yet know if users will accept biometrics like this in the future. Future malicious actors might figure out how to spoof or defeat metaverse biometrics.

Anyone able to gain access to credentials or otherwise gain access to a metaverse account effectively becomes that person. It’s the ultimate opportunity for identity theft, spying and social engineering.

Man-in-the-Room Metaverse Attacks

Another concern is invisible-avatar eavesdropping, or ‘man in the room’ attacks. Future malicious actors may figure out how to make their presences undetectable. From there, they could invisibly join meetings and listen in on business conversations. State actors and spy agencies, as well as industrial espionage actors, may devote enormous resources to figuring this out.

Commerce and even banking are expected to take place in the metaverse. Advocates talk about buying virtual real estate, purchasing virtual versions of clothing and valuables and paying for it all with cryptocurrencies. Attackers could steal any of this, leaving victims without property or recourse.

Today, social media is plagued with fake accounts, AstroTurf campaigns and automated bots pretending to be legitimate users. There’s no reason to believe that the metaverse will fare any better than social media platforms.

New World, New Security Solutions

Today’s threats may still exist in the metaverse era. However, the virtual worlds of the future will almost certainly involve novel threats that don’t really exist today.

For example, imagine an attacker being able to manipulate the environment and avatar to make the physical user injure themselves by falling down stairs or walking outdoors. Some experts have pointed out that because metaverse interfaces plug directly into our senses, our brains become part of the attack surface.

What we can imagine more clearly is the scale of the potential threat. The future of VR and AR spaces will involve a huge increase in new devices connecting to each other. It will include new apps and mountains of data moving around. If nothing else, the metaverse represents a gigantic increase in the attack surface.

We can’t know exactly how good or bad the security implications of metaverse platforms will be. But we can expect a whole universe of metaverse security challenges and solutions ahead.

More from Mobile Security

Juice jacking: Is it a real issue or media hype?

4 min read - You get off a flight and realize your phone is almost out of battery, which will make getting an Uber at your destination a bit challenging. Then you see it — a public charging station at the next gate like a pot of gold at the end of the rainbow. As you run rom-com style to the USB port, you may briefly wonder if it’s actually safe from a cybersecurity perspective to plug in your phone. The answer is technically…

Third-party app stores could be a red flag for iOS security

4 min read - Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…

A view into Web(View) attacks in Android

9 min read - James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

How the Mac OS X trojan Flashback changed cybersecurity

4 min read - Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…