How much do you know about the metaverse?

Everyone started talking about the metaverse in the summer of 2021. Facebook CEO Mark Zuckerberg kicked it off with his plan to focus his company on building what he imagined would be the future of social, business, leisure and culture: the metaverse. He even changed the name of his company from Facebook to Meta.

Since then, the chatter about the coming changes has been loud. Silicon Valley, the global tech industry, the media — everyone is talking about it. But what is the metaverse, exactly?

What is the metaverse?

Experts disagree on a clear definition. But the fuzzy outline is this: in the future, people will interact with each other in simulated environments in virtual reality (VR). Avatars will represent real people in the virtual spaces. Some of the things we do now in the real world will take place in the virtual world — meetings, school, art, concerts and more.

Most definitions include augmented reality (AR) as well. For example, if you buy or create a virtual dog in VR, you’ll also see your virtual dog running around in the real world when you’re wearing AR glasses. Some people also count so-called Web 3.0 concepts as part of the metaverse: blockchain, cryptocurrencies and nonfungible tokens (NFTs).

Science fiction roots

Some assert or assume that there will be one metaverse — a single virtual world shared by all. The word ‘metaverse’ was coined in 1992 by author Neal Stephenson in the novel “Snow Crash”. In the novel, there was a single metaverse. That’s also true of other science fiction stories like “The Matrix” and “Ready Player One”.

Science fiction has mostly focused on the idea of a single digital world for everybody. The most likely outcome, however, will be many metaverses. Companies will create proprietary, incompatible virtual worlds they own and control. Zuckerberg mainstreamed the term, but nearly all tech giants and thousands of smaller companies are gearing up to be involved. “Second Life”, a 2003 role-playing game and attempt at a parallel digital world that failed to make a big impact on business, is even back in the running.

Either way, as more human activity takes place in virtual spaces, the challenges around security will become more important. The shift from today’s VR to tomorrow’s metaverse is mainly about shifting from video games to actual living in virtual spaces. Today, we tend to think about VR as strictly for entertainment. Changing it to a parallel universe where we spend much of our day raises the stakes for cybersecurity.

The Metaworst case scenarios

Fast forward 10 years into the future. Imagine business leaders have replaced Zoom calls and video meetings with meetings that take place in virtual reality, in the metaverse. Each meeting participant has an avatar that looks like a cartoonish version of the real person. When I look at someone’s avatar and they look at mine, we’re making avatar eye contact. I can see who’s talking and use real-world gestures and facial expressions, which my avatar will convey on my behalf.

But how can we be sure that each person is actually who they say they are? An attacker might impersonate an authorized participant for a malicious purpose. Imagine if normal business meetings suddenly had a spy from a competitor in the room. Or, what if an imposter replaced the boss?

One widely embraced idea among companies working on future VR and AR applications (including Apple) is the building of biometrics into the hardware. For example, future products might include iris recognition in headsets or fingerprint readers on the sides. We can’t yet know if users will accept biometrics like this in the future. Future malicious actors might figure out how to spoof or defeat metaverse biometrics.

Anyone who obtains credentials or otherwise gains access to a metaverse account effectively becomes that person. It’s the ultimate opportunity for identity theft, spying and social engineering.

Man-in-the-room metaverse attacks

Another concern is invisible-avatar eavesdropping, or ‘man in the room’ attacks. Future malicious actors may figure out how to make their presence undetectable. From there, they could invisibly join meetings and listen in on business conversations. State actors and spy agencies, as well as industrial espionage actors, may devote enormous resources to figuring this out.

Commerce and even banking are expected to take place in the metaverse. Advocates talk about buying virtual real estate, purchasing virtual versions of clothing and valuables and paying for it all with cryptocurrencies. Attackers could steal any of this, leaving victims without property or recourse.

Today, social media is plagued with fake accounts, astroturfing campaigns and automated bots pretending to be legitimate users. There’s no reason to believe that the metaverse will fare any better than social media platforms.

New world, new security solutions

Today’s threats may still exist in the metaverse era. However, the virtual worlds of the future will almost certainly involve novel threats that don’t really exist today.

For example, imagine an attacker being able to manipulate the environment and avatar to make the physical user injure themselves by falling down stairs or walking outdoors. Some experts have pointed out that because metaverse interfaces plug directly into our senses, our brains become part of the attack surface.

What we can imagine more clearly is the scale of the potential threat. The future of VR and AR spaces will involve a huge increase in new devices connecting to each other. It will include new apps and mountains of data moving around. If nothing else, the metaverse represents a gigantic increase in the attack surface.

We can’t know exactly how good or bad the security implications of metaverse platforms will be. But we can expect a whole universe of metaverse security challenges and solutions ahead.
