People as avatars having a business meeting in a virtual metaverse VR office.
Image: supamotion/Adobe Stock

Fans of science fiction hear “metaverse” and think Neal Stephenson’s “Snow Crash” or William Gibson’s “Neuromancer.”

When it comes to security, the better reference for this emergent digital environment, which is predicted to generate $5 trillion in value by 2030, might actually be “Roadside Picnic,” a novel about a surreal and perilous landscape full of toxic hotspots where treasure hunters seek mysterious, powerful trinkets and icons to sell on the black market. What could possibly go wrong?

Metaverse poses risks for users and creators

The metaverse is evolving into a 3D digital world for buying, selling, recruiting and training, unbound by geography and currently without clear rules and regulations. For all its business opportunities, it is laced with invisible tripwires, toxic zones and attack vectors that make it a danger zone for the enterprise.

There are two main security threats in the metaverse and web 3.0, according to John Tsangaris, technical security leader at infosec company Optiv.

Lack of user education

With new technology, the user onboarding experience focuses on function and use cases rather than security. In the gap between learning how to use a system and learning how to use it securely, the potential for social engineering attacks is enormous.

Growth and innovation superseding security

Development of the metaverse is running ahead of its security, as has been true of every wave of technological growth. When security does enter the conversation, it is often pieced together or bolted on after the fact.

“It’s really a social engineering problem,” Tsangaris said. “We’ve had multiple technology events in the last 30 years where something new comes out and we are so feature-focused that security isn’t even a thought. With the metaverse, we’re seeing the same thing.”

Joseph Williams, Infosys consulting managing partner for cybersecurity, the company’s representative to the Metaverse Standards Forum and former tech policy advisor to Washington Governor Jay Inslee, said this is endemic in corporate culture.

“Much of what brands are doing in the metaverse is being done by creatives in the company, and in my experience, the CISOs are not being invited to the dance, so the creatives are creating these metaverse experiences for the brand,” Williams said. “Cybersecurity will come late, and we will be retroactively trying to protect these assets. Cybersecurity people need to provide a reality check on what’s happening with their assets and the data that’s being collected. In my experience, the creatives are phenomenal at inventing these things but very poor at understanding legal obligations attached to them.”

While cybersecurity leaders see risk, they are forging ahead

Exposure management company Tenable issued a recent report on the metaverse that details security implications IT and cybersecurity experts are mulling, including configuration issues, the expanding threat landscape and blockchain.

The study, conducted in October and November 2022, polled 1,500 cybersecurity, DevOps and IT professionals in the U.S., U.K. and Australia. In the study:

  • Almost three-quarters of respondents (74%) said invisible-avatar eavesdropping or “man in the room” attacks are very or somewhat likely to occur in the metaverse.
  • Some 77% of respondents think it is very or somewhat likely that cloning of voice and facial features, and hijacking of video recordings using avatars, will occur in the metaverse.
  • Only 48% said that they feel confident in their ability to curb threats in the metaverse.
  • As much as 93% conceded that they need a solid cybersecurity plan before offering services in the metaverse.

Yet the study also found that:

  • Some 86% of respondents said they would be comfortable sharing users’ personally identifiable information across services in the metaverse.
  • Fewer than one-third (28%) of global businesses said they have been developing metaverse initiatives in the past six months.
  • More than half (58%) of respondents said they plan to do business in the metaverse within the next six months.
  • Less than half (44%) said they see opportunities in the metaverse to enhance customer engagement, while 41% said they see it as a channel for improving training and another 41% said the metaverse would enhance collaboration.

“One challenge is that there are so many different ‘metaverses’ out there,” said the study’s co-author Satnam Narang, senior research engineer at Tenable. “There are projects in gaming, blockchain, on platforms like Sandbox and Decentraland, and many more, so the challenge with so many different metaverses is figuring out where businesses are flocking to.”

Same as it ever was, but in 3D

Ultimately, with familiar threats such as spear phishing, malware and ransomware carrying over, the metaverse will extend the perennial cybersecurity cat-and-mouse game, Williams noted, pointing out that the metaverse and Web 3.0 also inherit the legal restrictions and gray areas that already exist in web 2.0.

“In general, all of the laws that apply in real life apply in the metaverse,” Williams said. “But where it gets kind of dicey is the concept of legal nexus: If you are in the metaverse, what country are you in? That is unsettled with respect to commerce on the internet. If I sexually harassed someone in California, there are a set of laws that apply that would not apply if I did it in, say, Cambodia. Rules of evidence and penalties will vary.”

Like the web, metaverse comes with caveat emptor for users

Tsangaris noted that new attack surfaces for malicious actors include wearables and immersive 3D experiences, which could be leveraged for psychological manipulation and traumatic deception of users. Metaverse-specific crimes around NFTs and fake investments tied to crypto tokens are a clear danger.

“The education piece is lagging,” Tsangaris said. “The metaverse and its components are so new that we have a huge disparity between education and implementation. We need to make the interface simple and safe and educate the user to be able to meet it in the middle.”

Brand reputation risks in 3D

Williams explained that the kinds of blockchain and metaverse programs Adidas, Nike and Starbucks have engaged in carry risks because their transactions must be linked to users’ tangible, real-world identities.

“One big cyber risk is going to be that connection,” he said. “It’s hard enough to secure the real world. If I buy something from Amazon, and it’s all digital and then has to be physically delivered, information about my delivery is a cybersecurity risk that I’m extending into the metaverse.”

Companies are dipping a toe in the metaverse to gauge the virtues of the experience, but even that has cyber implications.

“If you have a bad activity in the metaverse attached to your brand, will it come into the physical world to negative effect?” Williams said. “Based on what’s happening in social media, I think you have to predict it will. Protecting your brand is probably the biggest thing you have to worry about in the metaverse — not creating the brand in the metaverse.”
