• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

My TechDecisions

  • Best of Tech Decisions
  • Topics
    • Video
    • Audio
    • Mobility
    • Unified Communications
    • IT Infrastructure
    • Network Security
    • Physical Security
    • Facility
    • Compliance
  • RFP Resources
  • Resources
  • Podcasts
  • Subscribe
  • Project of the Week
  • About Us
    SEARCH
IT Infrastructure, Network Security, News

The Metaverse Presents Opportunity, but Also Security Risks

The metaverse is emerging as a valuable new business and consumer tool, but it also comes with a new set of security concerns.

December 20, 2022 Zachary Comeau Leave a Comment

Metaverse Security
stock.adobe.com/DIgilife

The metaverse is emerging as a new technology that both consumers and businesses see as valuable for communication, collaboration, enhanced services, entertainment and real estate, but those hopes also come with the same security concerns any IT professionals have about a new technology.

Nearly 70% of organizations are planning to do business in the metaverse over the next three years, but more than 40% have concerns that the security of the metaverse is a significant factor in their metaverse investment decisions, according to a study from vulnerability management company Tenable.

Tenable polled 1,500 IT, cybersecurity and DevOps professionals in the U.S., U.K. and Australia and found that 23% have already started investing in the metaverse, 68% say they plan to do so over the next two-plus years. Just 9% say they either don’t have plans or have decided to not invest in the metaverse. However, fewer than 50% say they are confident in their ability to address cybersecurity threats in the metaverse.

Citing things such as enhanced customer engagement, improved learning and training, remote working/collaboration, new revenue streams, enhanced services, entertainment and digital real estate, it’s clear that organizations see value in the metaverse.

However, those same organizations also see threats, according to Tenable, which found that 41% of organizations are concerned with cybersecurity in the metaverse. Meanwhile, 38% of respondents say their organization will wait to see how the macroeconomic conditions unfold before exploring the metaverse.

What are the threats in the metaverse?

The metaverse is a broad term to describe several different iterations of a virtual world that is used to communicate, collaborate, socialize and conduct business. However, there are several different players in the metaverse market, such as Decentraland, Roblox, Sandbox, Microsoft, Meta and others.

According to Satnam Narang, senior staff research engineer at Tenable, even the game Fortnite could be considered a metaverse.

Account hijacking

Social engineering and phishing tricks designed to compromise accounts and take them over have been the preferred method of malicious actors for several years, and Narang says metaverse users should expect to see more of the same.

“When you think about it from the consumer perceptive, it comes to threats to user accounts being compromised, impersonation or avatar cloning,” Narang says.

Cloning of voice and facial features and hijacking video recordings using avatars were one of the threats that Tenable identified in the study. Avatars with synthetic voices and features that mimic those of real users or employees is one of the draws to the metaverse, but those avatars also generate a lot of data, such as voice, video and message.

This presents a scenario in which there is no way of identifying who is really behind the avatars, especially since personal information and content stored in a virtual environment can always be forged or leaked, Tenable asserts in the study.

Eavesdropping

Tenable’s study also identified man-in-the-room attacks, which the company says is done by leveraging security vulnerabilities in the widely used VR social application Bigscreen. These vulnerabilities allow attackers to invisibly eavesdrop in virtual reality rooms, and attacks could also exploit the flaws to gain complete control over Bigscreen users’ computers to covertly deliver malware or even start a worm infection spreading through virtual reality.

According to Narang, this is similar to what happened with Clubhouse, a social audio app, at the beginning of the pandemic. Researchers figured out a way to join private clubhouse rooms without being detected and eavesdrop of conversations.

In business context, eavesdropping on sensitive meetings is a massive security concern, Narang says.

Conventional attacks

Although a new and emerging technology that is expected to grow into an $800 billion market in 2024, the cybersecurity threats facing the metaverse aren’t all that new, Narang says.

“A lot of the security concerns, from a business perspective, are all stuff we’re pretty familiar with, such as patching vulnerabilities and securing code at runtime,” Narang says.

In fact, Tenable’s study identified phishing, malware and ransomware as the most likely security threat facing the metaverse. With a long history of success with exploiting unpatched vulnerabilities and cloud misconfigurations, cybercriminals will be just as likely to use the same tactics where applicable in the metaverse.

Compromised machine identifies and API transactions

Also identified by Tenable as a potential security threat to the metaverse is the compromising of machine identities and API transactions. Traditional IT systems now boast “billions of machine-to-machine communications” across the IoT, sensors, control systems, edge devices, cloud systems and traditional IT systems, all without zero human interaction daily.  

Per the study, 78% of respondents say it is very likely or somewhat likely that compromised machine identities and API transactions might occur across metaverses.

Prevention and new required skills

According to Narang, preventing attacks and ensuring security of the metaverse depends on the specific offering and its structure. For example, blockchain-based metaverses such as Decentraland and Sandbox include tokeneomics, which adds a financial component to the equation.

“Your seed phrase is your own,” Narang says. “You’re basically authenticating to Decentraland or Sandox. You’re connecting your account, your wallet, to that service. You are the owner of that wallet and your profile is governed by your ownership of it.”

Users don’t create an account on those platforms, and instead are connecting their crypocurrecny wallet to it, Narang explains.

On the flipside, Roblox and Fortnite users create accounts on the platform , allowing users to reset passwords and reach out to customer support for assistance.

“There are different challenges for different platforms,” Narang says.

Similarly, the skills required to help secure metaverse platforms differ based on the underlying infrastructure of each offering.

For metaverse offerings built in the cloud, Narang suggests learning cloud development and identity security skills.

For organizations looking to partner and build experiences on the platforms, they need to due their due diligence and vet the security of the metaverse offerings they explore. That should include looking to see how the platforms are meeting compliance and standards for how they capture and control user information.

For blockchain-based platforms, Narang suggests making sure that there’s been some type of third-party auditing of the underpinning code for that blockchain.

It comes down to the basics

While a new and exciting technology that is beginning to find its way into the enterprise, IT and security professionals don’t need to reinvent the wheel when it comes to security in the metaverse, Narang says.

Companies need to remain vigilant about patching vulnerabilities and should proceed with caution when things just don’t seem right.

“All it really takes is one avenue for an attacker to get into a network before they can wreak havoc, and there are a lot of different approaches they can take,” Narang says. “While the basic cyber hygiene message is old and is something we continue to hear, we’re still seeing a lot of struggles in that area.

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!

Tagged With: Cybersecurity, Metaverse, Tenable

Related Content:

  • Cisco Live 2023 Cisco Live 2023: Simplified Management, Enhanced Security, AI
  • Phishing, Email security Email Attacks are Evading Security Protections. Here’s How…
  • MOVEit, ransomware, CVE-2023-34362, Ransomware Groups Confirmed to be Exploiting MOVEit Bug
  • Shure Stem Ecosystem Shure: Democratizing Conferencing Hardware With The Stem Ecosystem

Free downloadable guide you may like:

  • Download TechDecisions' Blueprint Series report on Security Awareness now!Blueprint Series: Why Your Security Awareness Program is Probably Falling Short

    Learn about the evolution of phishing attacks and best practices for security awareness programs to ensure your organization is properly prepared to defend against them in this report from TechDecisions' Blueprint Series.

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Get the FREE Tech Decisions eNewsletter

Sign up Today!

Latest Downloads

Download TechDecisions' Blueprint Series report on Security Awareness now!
Blueprint Series: Why Your Security Awareness Program is Probably Falling Short

Learn about the evolution of phishing attacks and best practices for security awareness programs to ensure your organization is properly prepared t...

Workplace Collaboration Tools for Corporate Spaces
Workplace Collaboration Tools for Corporate Spaces

From lobbies and shared spaces to conference rooms and multipurpose facilities, you need high-performing AV technology to effectively share informa...

ChatGPT, generative AI, enterprise, workplace
Blueprint Series: ChatGPT and Generative AI in the Workplace

This latest release of the TechDecisions Blueprint Series explores the new phenomenon of tools such as ChatGPT and how IT leaders should go about d...

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!
Sharp Microsoft Collaboration HQ Logo

Learn More About the
Windows Collaboration Display

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales

AV-iQ

Footer

TechDecisions

  • Home
  • Welcome to TechDecisions
  • Subscribe to the Newsletter
  • Contact Us
  • Media Solutions & Advertising
  • Comment Guidelines
  • RSS Feeds
  • Twitter
  • Facebook
  • Linkedin

Free Technology Guides

FREE Downloadable resources from TechDecisions provide timely insight into the issues that IT, A/V, and Security end-users, managers, and decision makers are facing in commercial, corporate, education, institutional, and other vertical markets

View all Guides
TD Project of the Week

Get your latest project featured on TechDecisions Project of the Week. Submit your work once and it will be eligible for all upcoming weeks.

Enter Today!
Emerald Logo
ABOUTCAREERSAUTHORIZED SERVICE PROVIDERSTERMS OF USEPRIVACY POLICY

© 2023 Emerald X, LLC. All rights reserved.