As technologies, hardware and infrastructure mature, metaverse-like apps will converge and with that comes the potential for cyberthreats, a new report from Trend Micro finds.
The metaverse comprises new and emerging technologies, including augmented/virtual/mixed/extended reality, IoT, AI and machine learning, and distributed ledger technology. Some metaverse-like applications already exist, mainly for gamers. Over the next three to five years, more metaverse-like applications are expected, and they will be used for remote work, entertainment, education and shopping.
Once the technologies, hardware and network infrastructure have matured, there will be natural convergence of the many metaverse-like applications, Trend Micro observes in a new report, and with that, the potential for cyberthreats. Some are applicable now and some will be applicable in three to five years, the security firm said.
Cyberthreats in the metaverse
Trend Micro outlined eight potential threat categories:
1. NFTs
A non-fungible token is a unique unit of data that is stored in a blockchain and can be sold and traded. Security concerns include integrity issues since NFTs regulate ownership of assets but don’t provide storage. “This may lead to ransoming or other criminal attacks,” Trend Micro said. “If NFT data files are encrypted in a ransomware attack, the user will still retain ownership but they can be blocked from accessing the assets if they do not pay the ransom.”
2. The darkverse
The darkverse is similar to the dark web, “except it exists inside the metaverse. In some ways, it is more dangerous than the dark web because of the pseudo-physical presence of the users.” According to the report, the darkverse was created for facilitating and conducting illegal or criminal activities. The space could also be used for free speech against oppressive entities or governments.
3. Financial fraud
Criminals “will be drawn to the metaverse because of the huge volume of e-commerce transactions that will occur in these worlds. There will be many who try and take advantage of users, steal their money, and capture their digital assets.”
4. Privacy issues
There will be groups of virtual worlds mainly created and hosted by large corporations that are free to use. But in return, “metaverse publishers will control all aspects of their meta spaces, collect vast amounts of user data, and monetize the collected data. Even if there are open-source metaverse worlds that users can host, the publisher who hosts them will still be able to collect and monetize user data.” Given the unprecedented visibility into user actions, Trend Micro anticipates privacy issues such as data sovereignty will become a major concern in the metaverse.
5. Cyber-physical threats
The spatial web is a computing environment that exists in 3D and is “a twinning of real and virtual realities enabled via billions of connected devices and accessed through VR/AR/MR/XR interfaces.” The metaverse will be an interactive application layer for the spatial web. This integration of IoT and cyber worlds could lead to cyber-physical threats such as man-in-the-middle attacks and unauthorized access to digital twins. The report suggests crimes like bullying and romance scams will occur “because assailants can create multiple avatars without revealing their identity.”
6. Virtual/augmented/mixed/extended reality threats
There will be both VR and MR in the metaverse and VR metaverse-like spaces will arrive within two to three years, while AR/MR metaverse spaces are at least four to five years away, according to Trend Micro. Because users can create a new identity and life in the metaverse, “bad actors will use a virtual world to plan and rehearse real-world crimes.” Criminals will attempt to block user avatars from accessing services they paid for, for example, preventing them from accessing or leaving a building or a virtual space. As mentioned in the NFT section, the malicious actors will ask for a ransom to grant users access to the services they paid for. Businesses will create digital replicas of their real-world stores in the metaverse. Criminals will copy these digital stores in a different metaverse space to scam shoppers.
7. Social engineering
Social engineering uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. “Criminals or state actors will look for vulnerable groups of people who are sensitive to certain topics and then drop targeted narratives to influence them. These narratives could be used to amplify current global issues.” Deepfakes can be used to commit crimes, and criminals can infiltrate a metaverse space to impersonate official avatars and then misdirect users to that space. They could also potentially impersonate service providers and give false information in return for payment.
8. Traditional IT attacks
Trend Micro anticipates that current threat scenarios will very likely also happen in the metaverse, including:
- Distributed denial of service
- Bad actors attempting to write malicious code or phish people once metaverse application APIs are made public
- Cloud-specific attacks if existing technology is used when calling or executing API calls
- Vulnerable devices, since metaverse applications will communicate with many IoT devices to enable cyber-physical AR interactions.
Plan security models now
Trend Micro points out that it’s highly possible that “the metaverse we envisioned is not feasible nor attainable, and the whole metaverse idea train changes course in a new direction.” However, with large investments being poured into the metaverse, now is the time to start developing security models for it.
“This is challenging because we are exploring a constantly evolving concept and trying to create security guidelines for products and services that don’t currently exist,” the security company points out. But, “anticipating threats and acting early will help us protect both metaverse-like applications and the future metaverse.”