A few years ago, we talked a lot about how cybersecurity is the Wild West, and there was a desperate need for more people to care about it in general, not to mention the very real risk to life that many cyber-attacks could pose.
Fast-forward to 2022, and it’s pleasing to see that some progress has been made, especially at the government level of many influential nations. For us, however, the journey towards truly secure code and safer software is without end. The advent of the digital darling of the moment – the Metaverse – adds a vast new attack surface for both code-level vulnerabilities and social engineering.
We’re simply unprepared for battle on this new field that thrives on smoke and mirrors.
Mixed Reality Comes With Intensified Risk
It’s very clear that not only is the metaverse concept here to stay, but it is also about to get a Mark Zuckerberg-sized push into the mainstream. This is an exciting evolution of the internet – or at least social media and some e-commerce – as we know it, but the opportunity for cyber-attacks and damaging exploits is mind-boggling.
The Metaverse attack surface is far-reaching, extending well beyond web-based software, APIs, and payment gateways. The peripheral elements of VR headsets and accessories also threaten core data, with the onboard software in those devices a very convenient red carpet to paydirt if they are vulnerable.
Security researchers from Rutgers University revealed ‘Face-Mic’ earlier this year, the first study of its kind examining how voice command features on virtual reality headsets could lead to serious privacy breaches, known as “eavesdropping attacks.” The work is fascinating, showing that threat actors could potentially use some virtual reality (AR/VR) headsets with built-in motion sensors to record speech-associated facial gestures, leading to the potential theft of sensitive information communicated via voice-activated controls, including credit card information and passwords. The root cause of the issue appears to be a lack of user authentication.
In the Metaverse, every movement you make is a data point, and if access to it is possible through lax software security, the incentive for attackers to try their luck is enormous.
Smart Contracts Face Smart(er) Adversaries
The meta-economy demands decentralization, dematerialization, flexibility, and of course, security without compromise. Right now, there are growing metaverse microeconomies in various cryptocurrency communities, like Shiba Inu. To buy virtual real estate and other intangible products, smart contracts stored on the blockchain are utilized.
Smart contracts are susceptible to exploitation thanks to a few fairly common vulnerabilities, namely integer overflow and underflow, replay attacks, and the (very damaging) blockchain-centric bug leading to re-entrancy attacks, the latter of which can lead to a user being drained of their stored crypto balance. These attacks are made possible by poor coding patterns leading to exploitable vulnerabilities and insecure design fundamentals.
This technology will only become more widely used, yet, as it stands today, we will struggle to find enough security-aware developers to ensure a secure, failsafe Metaverse. Organizations must understand the magnitude of their metaverse participation, particularly if data and currency are at stake… and it’s difficult to imagine a scenario where this wouldn’t be the case.
It’s an Unregulated Environment, and You’re (Still) the Product
Just as we have seen in movies, TV and video games like Second Life, a Metaverse environment allows us to be whoever we want. In a virtual world, the possibilities are only limited by your imagination, and that flexibility is a massive drawcard for users. However, the downside is that on the planned scale of something like Meta, it’s simply too vast and decentralized to police in a way that would render it air-tight from a security perspective. Scams will be inevitable, and skilled criminals will have even more to work with from a social engineering perspective.
Sensitive user data is the new gold, and the Metaverse has the potential to be the richest and most complete source of data we have seen to date, providing projected adoption goes as planned. While it can be assumed that Metaverse-related software builds will adhere to current regulatory standards and compliance measures, these will need updates that are fit to support a rapidly expanding digital universe and its economy. Core to this will be organizations taking responsibility for the security of their contributions to the Metaverse, with a level of in-house security maturity that ensures every person working on the software is thinking about and implementing security at every step in their process, especially the development cohort.
Why Secure Coding Will Be Crucial to the Success of the Metaverse
As fun as it may be to galavant across a lawless digital dimension, represented by an avatar that is everything you wish you could be in the real world, we must never forget that a human being is behind every ‘character.’ And when real people’s data and finances are at stake, it’s very far removed from a game.
In cybersecurity, we are well aware that mistakes have consequences that can be truly devastating, and the integrity of every component of the Metaverse cannot be an afterthought if widespread adoption and consumer trust are to come to fruition.
Organizations can start planning by making a realistic assessment of their security maturity, emphasizing uplifting the security skills of the developers actively working on software. As we can see from the Rutgers University study, access control is just one potent vulnerability that can lead to a widespread data leak. Security-aware developers would be far better placed to navigate these problems as code is written and well before they enter committed code.
Resting on the excuse of the cybersecurity skills shortage isn’t going to wash after a major metaverse data breach. We have the tools in front of us to not just do the best we can, but actively uplift software security standards for good. Now is the time to invest in training the architects of the Metaverse and reap the benefits of a virtual reimagination of products and services as we know them.