The Security Challenge of the Century: Security in the Metaverse

Kate O'Flaherty considers the security challenges in the metaverse and investigates how they can be resolved

It’s official – whether people like it or not, the metaverse is coming, and if recent reports are to be believed, it’s going to be led by firms including Facebook owner Meta. The metaverse, however, is also a security and privacy minefield, partly due to the sheer scale of the soon-to-be-realized virtual worlds.

As the technology continues to develop, some companies are already taking their first (cautious) steps into the metaverse. Sportswear brand Nike is one: the firm has partnered with online gaming platform Roblox to create a virtual world called Nikeland.

Others, including Microsoft, Facebook and Google, will provide the overarching experience across the metaverse as virtual worlds emerge over the coming months and years. Online gaming ecosystems such as Second Life, Roblox and Decentraland also have a central part to play.

When it arrives, the metaverse will be an open-ended collection of digital experiences, environments and assets leveraging virtual technologies, says Roberto Schiavulli, head of games and immersive experiences at Dark Slope, a metaverse and virtual production company.

He explains that this will include virtual and augmented reality and a complementary digital economy. “It’s helpful to think of the metaverse in the same way we think of the internet: less a single tool or platform than the combined sum of these experiences.”

The metaverse is rapidly expanding, creating urgent security issues to address. Among the concerns, verification is key to ensuring people can’t spoof their identity. Another challenge is the vast amounts of sensitive data such as biometrics which, alongside cryptocurrencies used to make purchases, will make the virtual worlds hugely attractive to cyber-criminals.

Nation-states, hacktivists and criminals all stand to benefit from poor data security and privacy practices in the metaverse. So how can the security challenge of the century be resolved?

Verification in the Metaverse

Verification in the metaverse is one of the biggest challenges to overcome. A system where people can attend appointments with a doctor or lawyer will depend heavily on authentication of their real-world identity, Will Richmond-Coggan, a data protection expert at Freeths LLP, points out.

Without proper verification, he says, the risk of impersonation will be “impossible to control.”

A lack of robust verification will lead to fraud and fake news, allowing malicious actors to cause havoc, agrees Alexey Khitrov, CEO at ID R&D. “There are many security risks posed by the metaverse, and any environment where people hide behind avatars.”

Among the issues, poor verification practices could lead to misinformation, people signing up with fake identities and adversaries hacking user accounts, he says.

To weed out the fakes from the real people, metaverse providers will need strong identity verification, “both in the sign-up process and continuously as the platform is used,” says Khitrov. 

Facial recognition technology will likely provide verification in the metaverse – and this sensitive user data must be kept secure and private. A metaverse requires interaction between multiple devices, which means “a great deal of data being shared,” says Schiavulli. Because metaverses use optical and biofeedback-reading devices to make their virtual worlds more interactive, it will mean collecting personal data such as facial expressions, pulse rate and breathing metrics. 

At the start, the metaverse will probably use the same confidentiality and security measures currently applied to smart internet of things devices, says Schiavulli. However, as metaverses become more popular, he thinks more tailored third-party security solutions will emerge.

Given what you can do in the metaverse, criminals have a large scope to take advantage of, says Sean Wright, SME security lead at Immersive Labs. “You could literally get married in the metaverse. If a criminal were able to carry out this ceremony by pretending they were a legitimate person, they could potentially gain access to a lot of personal data. People will be putting their personal lives into this platform; that’s going to provide a very juicy target for criminals.”

There are also less obvious considerations that must not be forgotten as the metaverse expands. For example, if firms including Meta allow third-party apps at some point in the future, it will be essential to assess security measures from the outset to protect user data, says Jake Moore, global cybersecurity advisor at ESET. “It will also be imperative to monitor for potentially malicious or insecure apps that will no doubt be developed to exploit any unknown weaknesses.”

Data Privacy in the Metaverse

The privacy of metaverse data is another issue that must be resolved. One of the biggest concerns is that Mark Zuckerberg’s Meta, which has a poor reputation in data privacy, will largely handle data privacy in the metaverse. Google is another company with a big part to play in the metaverse, and both tech firms’ business models are funded by advertising that depends on vast amounts of user data.

It’s worth noting that Meta already has one foot in the metaverse by way of Oculus, a division of Meta Platforms. Andrew Bosworth, the incoming CTO of Meta, stated in October 2021 that a brand change is imminent. “We’re simplifying our brand architecture and shifting away from the Oculus brand for our hardware. Starting in early 2022, you’ll start to see the shift from Oculus Quest from Facebook to Meta Quest.”

With this in mind, it’s essential to be realistic, Richmond-Coggan says. “The internet may have been founded on an altruistic basis, but more or less every aspect of it in its current form is in private hands. Those private entities will need to be persuaded to make a substantial investment in the infrastructure of the new metaverse if it is to succeed and will expect to be able to recoup their investment.”

Without changes to Facebook and Google’s business models, “there will inevitably be an attempt to use the metaverse environment to continue to deliver targeted advertising and derive even richer insights into users’ behavior and preferences that can be commoditized,” Richmond-Coggan says.

Taking this into account, it’s likely the metaverse will require more complex and granular systems to manage privacy preferences. This could include how accurately a person’s features or behavior are portrayed, in addition to information about their activities and preferences online.

Moore predicts, at least at first, that metaverse privacy settings will be in the user’s hands – and many people are apathetic about how their data is handled and shared. “We are already able to control our sensitive data and hand it out when we choose. Yet, this is currently clunky on many sites, and lots of people aren’t bothered enough to do it,” he points out. “Unless more people realize the possible threats from handing over their sensitive data to the technology giants, we are potentially sleepwalking into a privacy minefield which will affect us all,” Moore warns.

Regulation such as the General Data Protection Regulation (GDPR) in Europe and state and federal laws in the US could help. These, however, will need to be “adhered to and incrementally updated” as people interact with metaverse technology, says Schiavulli. “Companies like Google and Meta will need to be held accountable for the data they handle, whether that manifests through state regulators or consumer-driven pressure.”

Yet the global nature of the metaverse could pose a challenge to a joined-up approach. “There is a danger that in the absence of joined-up cross-border regulation, any protection a specific nation seeks to impose will be easily circumvented,” says Richmond-Coggan.

Going forward, technology manufacturers contributing to the infrastructure have a role to play, Richmond-Coggan continues. “There have been positive recent trends towards greater emphasis on privacy in both the Apple iOS and Google Android operating systems, but it is hard to know how much this is a response to consumer demand, and an attempt to avoid greater regulation.”

In the case of the metaverse, harmonizing the standards by which privacy will be protected and information secured is going to be “just as important as ensuring interoperability across different platforms,” Richmond-Coggan says.

For this to be achieved, there needs to be a global discussion involving privacy advocates, regulators, businesses, governments and users.

Resolving Security and Privacy Issues in the Metaverse

It will take time, but, as with any new solution, a secure foundation is key to a safe metaverse. The metaverse depends on building tools, devices, platforms and services that are private and secure by design and by default, says Richmond-Coggan.

“Many existing security and privacy solutions depend on placing a layer of protection over an existing solution. This will simply not be feasible in the inter-connected metaverse, and it requires a new way of thinking about and building the components of this new ecosystem.”

As part of this, security providers will need to innovate alongside the technologies they monitor, adapting to threats and anticipating user behavior. “We need to be able to recognize and authenticate our virtual identities just like we do our real ones, whether that’s through facial recognition security, data moats, firmware or other digital bulwarks,” says Schiavulli. 

“Like the internet, a metaverse is an ecosystem that requires accountability from many parties to function safely,” he points out. “This is bad news for anyone looking for easy answers, but it offers the opportunity for better collaboration in pursuit of a shared goal.”

Security firms will step up to meet the challenge, but the metaverse is still very early in the process. For now, Wright thinks all companies considering delving into the metaverse should wait to let the platform mature. “This is entirely new technology, and its sheer size is likely to be vast. Put both together, and there is potential for many holes and issues to appear.”