
Malice in the metaverse: Fighting known cyber threats on a new frontier

Pieter Danhieux
Published Mar 02, 2023
Last updated on Feb 13, 2026

A version of this article appeared in Infosecurity Magazine. It has been updated and syndicated here.

A few years ago, we talked a lot about how cybersecurity is the Wild West, and there was a desperate need for more people to care about it in general, not to mention the very real risk to life that many cyberattacks could pose. 

Fast-forward to 2023, and it’s pleasing to see that some progress has been made, especially at the government level of many influential nations. For us, however, the journey towards truly secure code and safer software is one without end. The advent of the digital darling of the moment - the metaverse - adds a vast new attack surface for both code-level vulnerabilities and social engineering.

And we’re simply not prepared for battle on this new playing field that thrives on smoke and mirrors.

Mixed reality comes with intensified risk

Despite its current status as Flavor of the Month, the concept of the metaverse has existed for a long time. The online platform Second Life has been around since 2003, servicing a loyal niche with a fully customizable online universe where users’ avatars interact via voice and text chat, games can be played, and companies like Adidas offer official virtual stores. On the pure gaming side, massively multiplayer online (MMO) games like Fortnite and World of Warcraft deliver expansive worlds to their players, and are increasingly dependent on microtransactions, or forking out real money for virtual items. Fortnite alone made $4.3 billion in microtransaction revenue in its first two years in the market.

It’s very clear that not only is the metaverse concept here to stay, but it is also about to get a Mark Zuckerberg-sized push into the mainstream. This is an exciting evolution of the internet - or at least social media and some e-commerce - as we know it, but the opportunity for cyberattacks and damaging exploits is mind-boggling. 

The metaverse attack surface is far-reaching, extending well beyond web-based software, APIs, and payment gateways. The peripheral elements of VR headsets and accessories also pose a threat to core data, with the onboard software in those devices a very convenient red carpet to paydirt if they are vulnerable. 

Security researchers from Rutgers University revealed “Face-Mic” earlier this year, the first study of its kind examining how voice command features on virtual reality headsets could lead to serious privacy breaches, known as “eavesdropping attacks.” The work is fascinating, showing that threat actors could potentially use some augmented and virtual reality (AR/VR) headsets with built-in motion sensors to record speech-associated facial gestures, leading to the potential theft of sensitive information communicated via voice-activated controls, including credit card information and passwords. The root cause of the issue appears to be a lack of user authentication. With the accelerometer and gyroscope not requiring any permission to access, intricate facial movements, bone-borne vibrations, and airborne vibrations could be recorded and used to deduce everything from banking PINs to highly restricted healthcare records, depending on the patterns of the user.

In the metaverse, every movement you make is a data point, and if access to it is possible through lax software security, the incentive for attackers to try their luck is enormous. 

Smart contracts face smart(er) adversaries

The meta-economy demands decentralization, dematerialization, flexibility, and of course, security without compromise. Right now, there are growing metaverse microeconomies in various cryptocurrency communities, like Shiba Inu. In order to buy virtual real estate and other intangible products, smart contracts stored on the blockchain are utilized.

Mention “blockchain”, and most average people (with a little tech savvy) understand it as a secure and anonymous system for what is considered to be the future of digital currency. There’s a little problem with that, however: no online fortress is impenetrable, and those smart contracts are no exception. They are essentially little programs, and they can be hacked.

Smart contracts are susceptible to exploitation thanks to a few fairly common vulnerabilities, namely integer overflow and underflow, replay attacks, and the (very damaging) blockchain-centric bug leading to reentrancy attacks, the last of which can lead to a user being drained of their stored crypto balance. All of these attacks are made possible by poor coding patterns leading to exploitable vulnerabilities, and insecure design fundamentals.
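The reentrancy pattern named above, modelled in Python rather than contract code, as an added example that is not from the original article. The class names, account names and amounts are constructed, and the `on_receive` callback is an assumption standing in for the control a contract hands to the recipient's code when it sends value.

```python
"""Constructed model of a ledger-style contract and its withdraw ordering."""


class Vault:
    """Toy ledger shared by both variants below."""

    def __init__(self):
        self.balances = {}  # what the vault owes each account
        self.funds = 0      # what the vault actually holds
        self.paid = {}      # running total sent to each account

    def deposit(self, account, amount):
        if amount <= 0:
            raise ValueError("deposit must be positive")
        self.balances[account] = self.balances.get(account, 0) + amount
        self.funds += amount

    def _send(self, account, amount, on_receive):
        # Sending value is an external interaction: the recipient's code
        # runs before this call returns, and it may call back into the vault.
        if amount > self.funds:
            raise RuntimeError("vault cannot cover transfer")
        self.funds -= amount
        self.paid[account] = self.paid.get(account, 0) + amount
        if on_receive is not None:
            on_receive(self)

    def is_solvent(self):
        # Invariant worth asserting in tests: holdings cover everything owed.
        return self.funds >= sum(self.balances.values())


class UnsafeVault(Vault):
    """The poor coding pattern: interaction first, state update last."""

    def withdraw(self, account, on_receive=None):
        amount = self.balances.get(account, 0)
        if amount == 0:
            return 0
        self._send(account, amount, on_receive)  # balance is still stale here
        self.balances[account] = 0               # too late if we were re-entered
        return amount


class SafeVault(Vault):
    """Checks, then effects, then interactions."""

    def withdraw(self, account, on_receive=None):
        amount = self.balances.get(account, 0)   # check
        if amount == 0:
            return 0
        self.balances[account] = 0               # effect before any external call
        self._send(account, amount, on_receive)  # interaction last
        return amount


def run_scenario(vault_cls):
    """Two constructed depositors; one recipient calls back into withdraw once.

    Returns (total paid to that recipient, funds left, invariant holds).
    """
    vault = vault_cls()
    vault.deposit("alice", 100)
    vault.deposit("bob", 100)
    calls = {"n": 0}

    def reenter_once(v):
        if calls["n"] == 0:
            calls["n"] += 1
            v.withdraw("bob", reenter_once)

    vault.withdraw("bob", reenter_once)
    return vault.paid.get("bob", 0), vault.funds, vault.is_solvent()


if __name__ == "__main__":
    print("unsafe:", run_scenario(UnsafeVault))
    print("safe:  ", run_scenario(SafeVault))
```

The only difference between the two classes is the order of two statements, which is why the solvency invariant is a useful assertion to keep in a contract's test suite.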

This technology will only become more widely used, yet, as it stands today, we are going to struggle to find enough security-aware developers to ensure a secure, failsafe metaverse. Organizations must understand the magnitude of their metaverse participation, particularly if data and currency are at stake… and it’s difficult to imagine a scenario where this wouldn’t be the case.

It’s an unregulated environment, and you’re (still) the product

Just as we have seen in movies, TV, Second Life, and videogames, a metaverse environment allows us to be whoever we want. In a virtual world, the possibilities are only limited by your imagination, and that flexibility is a huge drawcard for users. However, the downside is that on the planned scale of something like Meta, it’s simply too vast and decentralized to police in a way that would render it air-tight from a security perspective. Scams will be inevitable, and skilled criminals will have even more to work with from a social engineering perspective. 

Sensitive user data is the new gold, and the metaverse has the potential to be the richest and most complete source of data we have seen to date, providing projected adoption goes as planned. While it can be assumed that metaverse-related software builds will adhere to current regulatory standards and compliance measures, these will need updates that are fit to support a rapidly expanding digital universe and its economy. Core to this will be organizations taking responsibility for the security of their contributions to the metaverse, with a level of in-house security maturity that ensures every person working on the software is thinking about and implementing security at every step in their process, especially the development cohort. 

Why secure coding will be crucial to the success of the metaverse

As fun as it may be to gallivant across a lawless digital dimension, represented by an avatar that is everything you wish you could be in the real world, we must never forget that a human being is behind every “character”. And when real people’s data and finances are at stake, it’s very far removed from a game.

In cybersecurity, we are well aware that mistakes have consequences that can be truly devastating, and the integrity of every component of the metaverse cannot be an afterthought if widespread adoption and consumer trust are to come to fruition. 

Organizations can start planning now by doing a realistic assessment of their security maturity, placing emphasis on uplifting the security skills of the developers actively working on software. As we can see from the Rutgers University study, access control is just one potent vulnerability that can lead to a widespread data leak, and security-aware developers would be far better placed to navigate these problems as code is written, and well before they enter committed code. 

Resting on the excuse of the cybersecurity skills shortage isn’t going to wash after a major metaverse data breach, and we have the tools in front of us to not just do the best we can, but actively uplift software security standards for good. Now is the time to invest in training the architects of the metaverse, and reap the benefits of a virtual reimagination of products and services as we know them.

Author
Pieter Danhieux

Chief Executive Officer, Chairman, and Co-Founder

Pieter Danhieux is a globally recognized security expert, with over 12 years of experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), was awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association), and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, and GCIA certifications.
