One of the most frequently discussed topics in technology today is the “metaverse,” which is loosely described as the intersection between the virtual and physical worlds. As it is in its infancy, it has not yet been fully defined and it is still partly in the realm of speculation.
Bill Malik, vice president of infrastructure strategies at Trend Micro, estimates that it will take about five to 10 years for the metaverse to be fully implemented. However, cyber security experts have already foreseen some threats which must be dealt with first.
A recent report from Trend Micro warned of the existence of the darkverse, which is the dark web brought to the metaverse. Due to the lack of oversight by regulators and law enforcement, the darkverse is a space for underground markets, criminal communications, and illegal activity.
“The metaverse allows individuals and bots to operate essentially without oversight, standards, regulations, or laws,” Malik said. “Among the risks are the theft or alteration of an organization’s intellectual property, violations of an individual’s privacy, and criminal transactions.”
According to the report, darkverse spaces will be in secure locations, accessible only to those with the appropriate authentication tokens. Communication will be limited to proximity-based messaging, and these marketplaces will serve as locations for illegal activities, such as selling malware, trading stolen data, and planning real-world crimes.
Malik said legitimate organizations doing business on the metaverse should have sufficient protection for their information technology (IT) and operational technology (OT).
“A business transaction connects a seller who has a product or service and some intellectual property with a buyer who has money and a business need over a communication medium,” Malik said. “In the metaverse, the infrastructure that makes it feel real consists of many different forms of technology, both conventional computing and OT, working to manage the detection of components, their physical interrelationships and their interactions. While most computer protocols can be secured, OT lacks information security and privacy design principles. Thus, malicious actors will be able to subvert business transactions by stealing or tampering with the product, service or intellectual property, stealing or redirecting the buyer’s money, spying on business needs or tampering with transactions that flow between them.”
Another complicating factor in managing the metaverse is that no one fully understands what it is. This could lead to serious missteps and oversights by organizations’ risk managers.
“The metaverse will need greater network bandwidth, processing power and storage capacity than traditional e-commerce or contemporary digital transformation,” Malik said. “The biggest mistake will be misunderstanding the infrastructure requirements that the metaverse will command. Close to that will be not understanding the myriad of vulnerabilities that this environment adds to the organization’s attack surface.”
Since the metaverse is an intersection of the virtual and physical worlds, real-life issues such as social engineering, propaganda, and “fake news” are expected to spill into the metaverse, complicating how organizations and individuals navigate this space.
“These risks are major issues right now and will only increase over time,” Malik said. “Enterprises will face enhanced corporate email compromise, spear phishing and ransomware attacks that will now have a larger and more expensive target: the expensive metaverse infrastructure itself. Individuals will find an emotionally engaging environment brimming with enhanced sensors, giving advertisers and propagandists greater insight into attendees, as well as greater influence and persuasive abilities.”
Malik explained that by using the metaverse’s enhanced interactivity and data collection, bad actors can exploit the psychological tendencies of humans to further their goals.
“We know from psychology that people react to visual images that they may only see for a moment,” Malik said. “These responses come in the form of micro-expressions, like the briefest smile or frown. While a participant is enjoying the broadcast, an announcer may project a single image of, say, a sheep, at which the participant may briefly smile. Note that neither the image nor the smile reaches the participant’s consciousness. Moments later, the announcer might show an image of a bull, at which the participant might briefly frown. The announcer now knows that this participant has an emotional reaction to these images. Later, the participant can watch a news clip of two contestants. As the first contestant speaks, the announcer slips in a brief image of a sheep. The participant does not see the image but thinks ‘She is nice’. When the second contestant is on screen, the announcer flashes an image of a bull. ‘He’s creepy,’ said the participant. The announcer succeeded in influencing the participant who never consciously saw either of the triggers. In this way, the metaverse will also be able to harvest vast and detailed information about each of its participants.”
One way to protect organizations and individuals from the various risks in the metaverse is to provide participants with proper training to avoid falling prey to bad actors, Malik said. However, this is not enough.
“Metaverse providers could provide training spaces so participants can exercise their judgment and practice dealing with fake news, rumors and persuasion techniques,” Malik said. “However, companies funding this environment have no economic incentive to make their users smart. Paying customers – the advertisers and influencers who generate the revenue – would prefer an uninformed consumer. They would be easier targets.
“Ultimately, we will have to resort to regulation and legislation to make the metaverse safe,” he said. “It will take time. Ongoing revelations about privacy violations and security breaches by today’s social media giants show that self-regulation won’t work. It is essential that the technology and security community also step in now to consider how the metaverse will be exploited by threat actors in the coming years.”