Metaverse and Cybersecurity: Potential Threats

The Metaverse is defined as a network of connected virtual worlds that use virtual reality (VR) and/or augmented reality (AR) technologies to offer a more immersive experience for users. Although the concept has been around for three decades (it comes from the science fiction novel "Snow Crash") and it forms the basis of platforms such as Second Life, the Metaverse has gained popularity in recent months thanks to initiatives such as Meta Quest 2, the virtual reality (VR) devices promoted by Meta, the current name of the company formerly known as Facebook.  

The benefits and opportunities of these virtual worlds are enormous: beyond pure entertainment, they can be used to improve work productivity in remote work environments or for educational tasks (e-learning). However, like any connected tool, it also carries potential threats in the field of cybersecurity.

The threats the Metaverse faces include:  

- Phishing:

As a term that is becoming increasingly popular, the Metaverse and other related issues will be used as bait by hackers to lead users to pages with malicious content. As always, cybersecurity training plays a key role in helping us avoid falling victim to social engineering scams, but training is not enough, and other steps are needed. According to a Pulse survey of cybersecurity experts, 35% believe that the best way to protect organizations from phishing in the Metaverse is to implement cybersecurity solutions to protect employees and users, while 31% also say that employees need to receive training and 18% say that users need training.  

- Recording user movements:

A relatively new cybersecurity challenge with the Metaverse is that its devices record user data that most devices have not done before, such as body, head, hand and even eye movements, which are collected by the VR goggles. The combination of these movements represents a unique set for each person that can serve as a signature. For this reason, some companies are already researching using these biometric parameters in authentication technologies for Metaverse spaces or even for commercial purposes, like Alexa does by recording users' conversations. But, like any of the users' personal data, these records of body parameters require special treatment and protection.  

- Recording the user's physical environment:

Inside-out AR/VR tracking systems use cameras and sensors from multiple angles on the headset and techniques similar to photogrammetry to obtain a 3D view of the space where the user is located. The software combines the virtual environment with the user's actual physical space. The problem is that, in practice, these sensors generate 3D maps of the surroundings, which may include their homes and offices. In theory, these maps should not leave the devices themselves, but companies are likely to end up recording them in some way. This leads to scenarios that not only encompass cybersecurity risks, but also pose risks to users' own physical security: burglars or other criminals could use these maps if they are offered for sale on the dark web, for instance. 

- Impersonation:

Users can access Metaverse spaces with their real name or an avatar, but in both cases, malicious cyber actors could get hold of their login credentials and impersonate them. This could be particularly dangerous in business Metaverse environments, as they could obtain sensitive data, or in scenarios where purchases or financial transactions are made.  

How to reinforce cybersecurity in the Metaverse?

In the face of these threats, Metaverse platforms have a duty to protect user data. But users and organizations participating in the spaces cannot blindly trust that their data will not be used by third parties or even exposed by data breaches. For this reason, they have to be extremely careful about the information they share there. They also need to be very aware of how they access the virtual worlds to avoid cases of impersonation. Organizations must operate strict access control to their Metaverse platform spaces in accordance with policies established by management, HR or IT and with credentials that should be linked to advanced and secure multi-factor authentication (MFA).