As organizations start to look to metaverse platforms, the associated cyber security threats need consideration. Matias Madou looks at cyber security issues associated with the metaverse and offers some recommendations…
Research by McAfee found that 81 percent of global organizations experienced increased cyber threats during the COVID-19 pandemic. The immediate need to work virtually tested the cybersecurity posture of organizations and prompted businesses to step up cyber strategies, such as code-level software security.
Measurable security awareness and a preventative mindset are now crucial, and there are several emerging technology areas that cybercriminals are starting to target. One of the fastest evolving is the metaverse, which is quickly becoming the latest attack surface.
This is a big and growing issue in cyber security terms. Persistent, shared and immersive virtual worlds, where people interact as 3D avatars, are being devised by some of the world’s largest organizations, such as Meta. With a significant amount of new infrastructure and devices being incorporated into these new virtual worlds, the cyber security risk associated with them will naturally increase.
Scaling the threat
While general cyber security pitfalls like phishing scams will be inevitable (and likely plentiful while everyone is finding their feet with the metaverse), there are a range of other threats that are likely to come on stream.
Commentary in the industry has focused on the level of security integrated into metaverse platforms from the outset, and whether this will dictate how successful they are with consumers. Attacks that aim to exploit web services are likely to present a similar challenge in the metaverse. The cross-site scripting, SQL injection and web shell techniques typically employed by bad actors as part of zero-day attacks could continue to be a major hurdle when it comes to virtual applications as well.
Moreover, the actual infrastructure and devices that make this immersive virtual world possible will need to be made secure. Virtual reality (VR) headsets are the new gateway to mountains of user data. Complex embedded systems security will be required to make Internet of Things (IoT) gadgets safe as usage increases, and the brave new world of mainstream VR and augmented reality (AR) is no exception.
AR and VR headsets could act as an entry point for data breaches and for malware. After all, they collect large amounts of user data and intelligence, potentially including biometric information, and that could become a target for hackers. Moreover, as with the Log4Shell exploit, simple errors at the code level can bloom into a backstage pass for cybercriminals, and in a simulated reality, every movement creates data that can be stolen.
The success of the metaverse will also hinge on practical adoption of cryptocurrency. Non-fungible tokens, known as NFTs, mean our real-life wealth, identity, data, and livelihoods are potentially opened up to a new ‘Wild West’ that can put people at risk. Indeed, we are already seeing an increase in NFT scams, including selling fake NFTs. Before engineers start getting carried away developing the latest epic features and enhancements for the metaverse, minimising this new, vast attack surface from the ground up should be a priority.
Focus needs to be placed on architectural security
The threats to the metaverse are just one, albeit critical, element of the wider cyber security threats many businesses face today. There is a plethora of other attack vectors. The zero-day attack on the Log4j logging tool was reported to be among the worst on record. It’s a lesson that many organizations just don’t act swiftly enough to protect themselves, and one that those protecting the metaverse would do well to remember.
While there are already patch management mandates and recommendations in some critical industries, widespread legislation is another story. Preventative software security will always be the best chance to avoid urgent security patching altogether, but best practices dictate that patching is non-negotiable and should be a priority measure.
Secure coding and security best practices are key both in developing the metaverse and beyond, and developers will need to be the first line of defence. Significant additions were included in the recent Open Web Application Security Project (OWASP) Top 10 report. The new additions reflect a new stage of a developer’s journey in secure coding and security best practices, but most developers unfortunately remain unequipped to reduce risk due to a lack of appropriate training.
Developers who find themselves building metaverse features and infrastructure need to be fully skilled in security to battle against common code security bugs. More businesses are taking this challenge on with developer-driven prevention. Despite this, insecure design, otherwise expressed as ‘missing or ineffective control design’, is in the OWASP Top 10 and is characterised by architectural security issues rather than a specific security bug. Developers will need to be encouraged to go beyond the basics once they’ve mastered them.
It’s vital that metaverse developers, in particular, are informed about threat modelling. The security team should also be supporting them, which will help to take the pressure off once developers are skilled in this area. As it stands, however, it’s still a knowledge gap for many software engineers. The onus is on the rest of the security function of the organization to help create a positive security culture for developers moving forward.
The author
Matias Madou, CTO and Co-Founder, Secure Code Warrior.