Coming to terms with the security challenges of the Metaverse

Coming to terms with the security challenges of the Metaverse

Pieter Danhieux, CEO of Secure Code Warrior, explains the impact the Metaverse has on security and how to manage the challenges that come with it.

Pieter Danhieux, CEO of Secure Code Warrior

When Facebook announced in 2021 that it was working to create a Metaverse, it captured attention around the world. People were captivated by the idea of having a new way to interact while businesses were excited by the opportunities it would bring for digital commerce.

Despite the surge of interest, it’s important to realise that the concept of the Metaverse has existed for a long time. The online platform Second Life has been around since 2003, servicing a loyal niche with a fully customisable online universe where users’ avatars interact via voice and text chat, games can be played and companies like Adidas offer official virtual stores.

On the pure gaming side, massively multiplayer online (MMO) games, like Fortnite and World of Warcraft, deliver expansive worlds to their players and are increasingly dependent on microtransactions, or forking out real money for virtual items. Fortnite alone made US$4.3 billion in microtransaction revenue in its first two years in the market. 

It’s very clear that not only is the Metaverse concept here to stay, but it is also about to get a Mark Zuckerberg-sized push into the mainstream. This is an exciting evolution of the Internet – or at least social media and some e-commerce – as we know it. But the opportunity for cyberattacks and damaging exploits is mind-boggling. 

The metaverse attack surface is far-reaching, extending well beyond web-based software, APIs and payment gateways. The peripheral elements of VR headsets and accessories also pose a threat to core data with the onboard software in those devices a very convenient red carpet to paydirt if they are vulnerable. 

Security researchers from Rutgers University revealed ‘Face-Mic’ in early 2022, the first study of its kind examining how voice command features on Virtual Reality headsets could lead to serious privacy breaches, known as ‘eavesdropping attacks’.

The work is fascinating, showing that threat actors could potentially use some virtual reality (AR/VR) headsets with built-in motion sensors to record speech-associated facial gestures, leading to the potential theft of sensitive information communicated via voice-activated controls, including credit card information and passwords. The root cause of the issue appears to be a lack of user authentication.

With the accelerometer and gyroscope not requiring any permission to access, intricate facial movements, bone-borne vibrations and airborne vibrations could be recorded and used to deduce everything from banking PINs to highly restricted healthcare records, depending on the patterns of the user. 

In the Metaverse, every movement you make is a data point, and if access to it is possible through lax software security, the incentive for attackers to try their luck is enormous. 

Smart contracts face smart(er) adversaries

The meta-economy demands decentralization, dematerialization, flexibility and of course, security without compromise. There are growing metaverse microeconomies in various cryptocurrency communities, like Shiba Inu. To buy virtual real estate and other intangible products, smart contracts stored on the blockchain are utilised.

Mention ‘blockchain’ and most average people (with a little tech-savvy) understand it as a secure and anonymous system for what is, considered to be, the future of digital currency. There’s a little problem with that, however: no online fortress is impenetrable, and those smart contracts are no exception. They are essentially little programs, and they can be hacked. 

Smart contracts are susceptible to exploitation thanks to a few common vulnerabilities, namely integer overflow and underflow, replay attacks and the (very damaging) blockchain-centric bug leading to re-entrancy attacks, the latter of which can lead to a user being drained of their stored crypto balance. All these attacks are made possible by poor coding patterns leading to exploitable vulnerabilities and insecure design fundamentals. 

This technology will only become more widely used, yet we are going to struggle to find enough security-aware developers to ensure a secure, failsafe Metaverse. Organisations must understand the magnitude of their Metaverse participation, particularly if data and currency are at stake, and it’s difficult to imagine a scenario where this wouldn’t be the case.

It’s an unregulated environment, and you’re (still) the product

Just as we have seen in movies, TV, Second Life and video games, a Metaverse environment allows us to be whomever we want. In a virtual world, the possibilities are only limited by your imagination, and that flexibility is a huge drawcard for users. However, the downside is that on the planned scale of something like Meta, it’s simply too vast and decentralized to police in a way that would render it air-tight from a security perspective. Scams will be inevitable and skilled criminals will have even more to work with from a social engineering perspective. 

Sensitive user data is the new gold, and the Metaverse has the potential to be the richest and most complete source of data we have seen to date, providing projected adoption goes as planned. While it can be assumed that Metaverse-related software builds will adhere to current regulatory standards and compliance measures, these will need updates that are fit to support a rapidly expanding digital universe and its economy.

Core to this will be organizations taking responsibility for the security of their contributions to the Metaverse, with a level of in-house security maturity that ensures every person working on the software is thinking about and implementing security at every step in their process, especially the development cohort. 

Why secure coding will be crucial to the success of the metaverse

As fun as it may be to galivant across a lawless digital dimension, represented by an avatar that is everything you wish you could be in the real world, we must never forget that a human being is behind every ‘character’. And when real people’s data and finances are at stake, it’s very far removed from a game. 

In cybersecurity, we understand mistakes have consequences that can be truly devastating, and the integrity of every component of the Metaverse cannot be an afterthought if widespread adoption and consumer trust are to come to fruition. 

Once Facebook brings the Metaverse to life, its growth and evolution will be very rapid. For this reason, it’s important for organizations to begin planning now and working to understand the security implications.

There will be new challenges that need to be addressed and new skills to be learned. However, by starting as soon as possible, organizations can be well placed to make the best use of the opportunities this new platform will provide.

Browse our latest issue

Intelligent CIO APAC

View Magazine Archive