• ESET Expert

What security risks can the Metaverse hide?


Much has been said about the Metaverse and its possibilities, but will it be a safe environment? Here we propose some hypotheses about points that deserve our attention.


I've seen a lot of content about the Metaverse, and much of it treats the subject as if it already existed. Of course, to keep up with a trend you need to start learning as soon as possible, but it's worth noting that the Metaverse is, for now, just an idea, and a potentially big deal. With this in mind, I raise some hypotheses about the security risks that may come hand in hand with the Metaverse. Considering that many of the computer threats present in today's reality continue to challenge companies and users and claim new victims, it is difficult to imagine that they will not be present in this virtual world.


Besides, even though models are already being developed by big tech companies, calculations are being made, and teams are working to make it a reality, it's mostly an idea! And an idea that is not even that new, since there are some references that I consider excellent for portraying what the Metaverse could become. One of them is the movie Ready Player One, by Steven Spielberg, which in my opinion portrays very well the good points of this type of digital universe. Other good references are a bit older. For anime lovers, Sword Art Online portrays a possible evolution of the Metaverse with an even more immersive reality. And as a final reference, because the world of video games could not be left out, the game Second Life was intended to let its players do whatever they wanted within the world of the game, which I think is a preliminary version of the immersion that we are about to have.


All these examples can inspire our expectations of this new reality. However, since not everything is rosy, I would like to focus on how security will be present. To do so, I raise some points that we may have to worry about when this digital universe is a reality. It is important to note that everything I explain below in this article is a hypothesis based on current reality and on the historical background linked to computer threats and the emergence of new technologies. The purpose is to educate and raise awareness about what can happen during the eventual use of immersive reality as proposed by the Metaverse.


Access Devices – This will definitely be the first point of attention, since we don't yet know what devices will allow entry into the Metaverse: whether at first it will be accessed through traditional computers, whether entry will only be possible with certain gadgets such as glasses, gloves or joysticks and, above all, whether specific configurations will be necessary for the connection to occur. It also remains to be seen whether hosts on the Internet will need a direct connection to the device through specific firewall rules, or whether there will be a central server to which clients connect, regardless of the device used.


Will there be more than one virtual world? – The Metaverse will be the world created by the Meta company, which also owns platforms such as Facebook, Instagram and WhatsApp, but the question is whether this will be the only world. If more worlds exist, which I think is likely, this may be a point of attention, and I also think it will be possible to move between these worlds. What kind of information will need to be provided to exit one world and enter another? Will the user actively provide it, or will the platforms exchange it with each other? Will the security of the stored information be the same for all worlds, or is it possible that one of them is more "vulnerable"?


Impersonation – On platforms where it is possible to customize your avatar, users usually choose images that have nothing to do with their physical characteristics. This ability to change appearance is also used by people with bad intentions to obtain information or even money from other people who are part of this world. This will surely also be present in the Metaverse, with criminals trying to exploit social engineering, since, according to the project's presentation video, it will allow various customizations.


You might be wondering, “Okay, looks can change, but what about a person's voice? Will I not still hear the true voice of the alleged criminal?” And the answer is "Not necessarily". Software known as voice changers is already very popular, and developers who create software with artificial intelligence have already managed to clone a person's voice from very short audio clips, about 5 seconds long, and the simulated voice is extremely faithful to the original. This indicates that it will not be difficult for someone to impersonate another person to claim more victims in this world.


Information exchanges and malware? – Different types of interactions may be possible within an immersive environment, so in addition to walking and talking with other people, it may be possible to send and receive files of different types, such as images, videos or documents. It may even be possible to transfer resources directly between people, and these are points that can bring a series of headaches to users if they are not managed correctly.


If the interactions between people are totally free and everyone can send whatever they want, how will files be checked for malicious content? How will the platform allow you to interact with these eventual files? Will they be opened by the interface itself or will they need to be downloaded and handled separately? At the moment,


Stores, purchases and payment methods – Regardless of what type of currency circulates within the platform, one thing is (almost) certain: it will be possible to acquire things within this world, and this will give rise to fraud and scams. There may be items that you can receive in the real world, customizable items, NFTs, and any other kind of business possibility that we have today, and these transactions need to be highly protected.


I consider it essential to know where the payment information will be: whether it will be stored on the device that connects to the Metaverse, in the cloud, or somewhere else. It also matters whether validation will be required for each purchase or whether the process becomes automated once the function has been used. Another point that makes me think is what I mentioned earlier: if it is possible to buy directly from a person, what payment information will this person receive? Even if the quality of today's payment methods is imported into this world, we will still have a lot of attention points to worry about.


The management of Personal Information and the type of data – This is a point that it will not be possible to adequately measure until we know how this whole environment will work, and I say this because I believe that personal information will be taken to the next level. Today we already have registration data such as name, telephone number, identity document, address and several others that allow us to identify ourselves, as well as passwords and information about personal tastes that make up the most sensitive group of data, but there may still be more.


Suppose that immersion in the Metaverse requires virtual reality glasses. These glasses will have even more sensors than a cell phone and will probably be able to read the user's height, perhaps even their weight, heart rate, provide facial recognition with an advanced level of precision, and if they have cameras they will be able to monitor the environment and avoid possible collisions with objects in the physical world.


All this is spectacular and will bring us security, but what happens if that information falls into the wrong hands? The camera will be able to provide a 3D plan to criminals, and they will be able to know your height, in which room you use the device, whether there are more people in the house with you, and your precise geographical location, and to create deepfakes with the data collected from facial recognition, among others.


There is a lot of potential in everything that encompasses the Metaverse and any other universe that may arise, but historically speaking, innovations are not always developed with security in mind, and technologies tend to go to market as soon as possible because the priorities are different. We hope that in this case the Metaverse is designed and developed taking into account the security of the environment as a whole: users, information, transactions and its structure in general.


I hope that this article has awakened in you the questions that I asked myself when thinking about the security of this world, and that you will go on to question several other points not covered here that could also be improved.


Even without having clear information about what this digital universe will be like, we can assume that criminals will also be part of it and, as always, it will be the responsibility of all of us to ensure the security of our assets and data and to be aware of possible scams that may arise in that environment.