The metaverse is emerging as a new technology that both consumers and businesses see as valuable for communication, collaboration, enhanced services, entertainment and real estate, but those hopes also come with the same security concerns any IT professional has about a new technology.
Nearly 70% of organizations are planning to do business in the metaverse over the next three years, but more than 40% have concerns that the security of the metaverse is a significant factor in their metaverse investment decisions, according to a study from vulnerability management company Tenable.
Tenable polled 1,500 IT, cybersecurity and DevOps professionals in the U.S., U.K. and Australia and found that 23% have already started investing in the metaverse, and 68% say they plan to do so over the next two-plus years. Just 9% say they either don’t have plans or have decided not to invest in the metaverse. However, fewer than 50% say they are confident in their ability to address cybersecurity threats in the metaverse.
Organizations clearly see value in the metaverse, citing things such as enhanced customer engagement, improved learning and training, remote working/collaboration, new revenue streams, enhanced services, entertainment and digital real estate.
However, those same organizations also see threats, according to Tenable, which found that 41% of organizations are concerned with cybersecurity in the metaverse. Meanwhile, 38% of respondents say their organization will wait to see how the macroeconomic conditions unfold before exploring the metaverse.
What are the threats in the metaverse?
The metaverse is a broad term to describe several different iterations of a virtual world that is used to communicate, collaborate, socialize and conduct business. However, there are several different players in the metaverse market, such as Decentraland, Roblox, Sandbox, Microsoft, Meta and others.
According to Satnam Narang, senior staff research engineer at Tenable, even the game Fortnite could be considered a metaverse.
Social engineering and phishing tricks designed to compromise accounts and take them over have been the preferred method of malicious actors for several years, and Narang says metaverse users should expect to see more of the same.
“When you think about it from the consumer perspective, it comes to threats to user accounts being compromised, impersonation or avatar cloning,” Narang says.
Cloning of voice and facial features and hijacking video recordings using avatars were among the threats that Tenable identified in the study. Avatars with synthetic voices and features that mimic those of real users or employees are one of the draws of the metaverse, but those avatars also generate a lot of data, such as voice, video and messages.
This presents a scenario in which there is no way of identifying who is really behind the avatars, especially since personal information and content stored in a virtual environment can always be forged or leaked, Tenable asserts in the study.
Tenable’s study also identified man-in-the-room attacks, which the company says are carried out by leveraging security vulnerabilities in the widely used VR social application Bigscreen. These vulnerabilities allow attackers to invisibly eavesdrop in virtual reality rooms, and attackers could also exploit the flaws to gain complete control over Bigscreen users’ computers to covertly deliver malware or even start a worm infection spreading through virtual reality.
According to Narang, this is similar to what happened with Clubhouse, a social audio app, at the beginning of the pandemic. Researchers figured out a way to join private Clubhouse rooms without being detected and eavesdrop on conversations.
In a business context, eavesdropping on sensitive meetings is a massive security concern, Narang says.
Although the metaverse is a new and emerging technology that is expected to grow into an $800 billion market in 2024, the cybersecurity threats facing it aren’t all that new, Narang says.
“A lot of the security concerns, from a business perspective, are all stuff we’re pretty familiar with, such as patching vulnerabilities and securing code at runtime,” Narang says.
In fact, Tenable’s study identified phishing, malware and ransomware as the most likely security threats facing the metaverse. With a long history of success exploiting unpatched vulnerabilities and cloud misconfigurations, cybercriminals will be just as likely to use the same tactics where applicable in the metaverse.
Compromised machine identities and API transactions
Also identified by Tenable as a potential security threat to the metaverse is the compromising of machine identities and API transactions. Traditional IT systems now boast “billions of machine-to-machine communications” across the IoT, sensors, control systems, edge devices, cloud systems and traditional IT systems, all with zero human interaction daily.
Per the study, 78% of respondents say it is very likely or somewhat likely that compromised machine identities and API transactions might occur across metaverses.
Prevention and new required skills
According to Narang, preventing attacks and ensuring security of the metaverse depends on the specific offering and its structure. For example, blockchain-based metaverses such as Decentraland and Sandbox include tokenomics, which adds a financial component to the equation.
“Your seed phrase is your own,” Narang says. “You’re basically authenticating to Decentraland or Sandbox. You’re connecting your account, your wallet, to that service. You are the owner of that wallet and your profile is governed by your ownership of it.”
Users don’t create an account on those platforms and instead connect their cryptocurrency wallet to them, Narang explains.
On the flip side, Roblox and Fortnite users create accounts on the platform, allowing users to reset passwords and reach out to customer support for assistance.
“There are different challenges for different platforms,” Narang says.
Similarly, the skills required to help secure metaverse platforms differ based on the underlying infrastructure of each offering.
For metaverse offerings built in the cloud, Narang suggests learning cloud development and identity security skills.
Organizations looking to partner and build experiences on the platforms need to do their due diligence and vet the security of the metaverse offerings they explore. That should include looking to see how the platforms are meeting compliance and standards for how they capture and control user information.
For blockchain-based platforms, Narang suggests making sure that there’s been some type of third-party auditing of the underpinning code for that blockchain.
It comes down to the basics
While the metaverse is a new and exciting technology that is beginning to find its way into the enterprise, IT and security professionals don’t need to reinvent the wheel when it comes to securing it, Narang says.
Companies need to remain vigilant about patching vulnerabilities and should proceed with caution when things just don’t seem right.
“All it really takes is one avenue for an attacker to get into a network before they can wreak havoc, and there are a lot of different approaches they can take,” Narang says. “While the basic cyber hygiene message is old and is something we continue to hear, we’re still seeing a lot of struggles in that area.”