Cybersecurity in the era of the Metaverse

Cybersecurity in Metaverse

In the short span of a year, the metaverse went from being barely talked about in the public sphere to becoming one of the most popular search terms, reflecting its rising prominence as the next major talking point, both for seasoned business and information technology professionals, as well as for casual observers.

According to Google Trends, a service that analyzes the popularity of top search queries in Google Search, the term ‘metaverse’ went from being in the bottom one per cent of its popularity in December of the previous year to one hundred per cent ten months later, with markets like China, Singapore, Turkey, Canada, UAE and the United States retaining a sustained interest in the latest developments surrounding it.

But what exactly is the metaverse and how should it affect the way professionals, as well as small businesses and large organisations, think about their cybersecurity and privacy strategies moving forward?

What is the metaverse?

It is quite easy to view the concept of the metaverse in a convoluted manner, particularly due to the sheer scope of its potential and the vast number of current and prospective stakeholders. However, at its core, the metaverse is a fairly straightforward idea.

In its simplest form, the metaverse is an online, continuous virtual environment, containing digital representations of real-world concepts, practices and individuals, utilising personal computing, mobile computing, audiovisual means, as well as virtual and augmented reality to facilitate interactions and engagement.

While disparate metaverses have existed for quite some time, more often than not separated from one another, there is an effort to move towards an increased level of integration, where the metaverse comes to contain the entirety of the internet, where the image, text, audio and video-based of the internet is included in a single, all-encompassing, navigable three-dimensional environment.

Is the metaverse a new concept?

Quite simply, no, the metaverse as both an idea and a usable product or service has been around for quite some time.

The term itself was coined all the way back in 1992 by Neal Stephenson, where his fiction novel Snow Crash literally explained how people could interact with each other using digital avatars in a three-dimensional virtual space based on the real world.

Ernest Cline’s 2011 novel Ready Player One puts the metaverse right at the core of its narrative, with a future society escaping its dystopian disposition through a metaverse called the OASIS, all with the use of virtual reality headsets and wired gloves.

In more practical terms, one of the pioneers of the metaverse concept was 2003’s Second Life, an online multimedia platform that enabled people to create an avatar for themselves and have a second life in an online virtual world, complete with its own currency.

Loosely speaking, metaverses, in some form or another, have increased since then, with multiple developers utilising metaverse fundamentals to turn games or virtual worlds into thriving online communities, with users logging on without necessarily having a set objective, thus differentiating a metaverse from a purely game-oriented online platform.

“As we discuss the metaverse, we are thinking about both a new medium and an app type, like the way we talked about the web and websites a long, long time ago, aka the 1990s,” Microsoft’s Corporate Vice Presiden of Communications Frank Shaw said earlier this month in reference to Microsoft’s Ignite conference, centred around VR, AI and hyperconnectivity in a virtual world.

Shaw could not have been more explicit about the future proliferation of metaverses. “There will be more than one,” he said, explaining that cloud-based services, such as Microsoft’s own, will be able to offer a range of tools and resources to create and manage metaverses.

Indeed, there are already a number of successful metaverses out there, including Microsoft’s Minecraft, the Roblox metaverse, primarily aimed at young children and teenagers, as well as the Fortnite metaverse, itself revolving around the incredibly popular survival game.

While the underlying technologies that facilitate a new iteration of the metaverse have long been in development, it was the coronavirus pandemic that really fueled the ascendance of the metaverse.

The difficulty, and sometimes total inability, in meeting people face-to-face in a physical environment boosted the value of teleconferencing tools (for example, Zoom was worthy $62 per share in April of 2019, but skyrocketed to $511 per share in October of 2020), as more people shifted to a hybrid or fully remote working model during the pandemic.

However, Zoom, as well as its rivals in Skype and Microsoft Teams, among others, want to move beyond the confines of the laptop screen or desktop monitor. The metaverse allows for the replication of the office environment without the risks and threats of the pandemic.

Moreover, the metaverse can also combine augmented and virtual reality, with one being preferred over the other depending on the use case.

For example, a brainstorming meeting can take place in virtual reality, since it is inherently more casual and unstructured, while a meeting arranged to discuss the management of a supermarket warehouse can utilise augmented reality to superimpose useful numerical data and product categorisation over a live feed of the warehouse in real-time.

Further to the above, the way the metaverse can enhance everyday tasks and activities is essentially limitless, with development work, hardware cost and our imagination being the primary limiting factors.

A simple history class can fuse instant geographical travel through virtual reality at the mere mention of a remote location, while gamification techniques can trigger interest and increased engagement with any given subject matter.

“The metaverse is not only the next generation of the Internet — it is a generation that is shaped by several decades of videogame development,” entrepreneur Jon Radoff explained earlier this year.

“In contrast to the unfortunately-named gamification fad from a few years ago, the metaverse is layering in the more challenging aspects of game experiences to improve use cases like education, shopping, live music, fitness and myriad others,” Radoff added.

Why are brands, companies and organisations flocking to the metaverse?

The rush to stake a claim in the metaverse while it is still being shaped, dynamic and yet to reach saturation has been anything but subtle.

In December of this year, American multinational corporation Nike, which generated more than $37 billion during the previous, acquired RTFKT for an undisclosed amount speculated to be around the $60 million mark.

RTFKT specialises in virtual sneakers and NFTs (Non-fungible tokens), with Nike expected to use the company’s know-how to bolster its metaverse presence, rolling out virtual garments and other digital accessories that can be purchased by users online.

“RTFKT is a leading brand that leverages cutting edge innovation to deliver next-generation collectables that merge culture and gaming,” Nike said in a statement, hinting at how it views the entire endeavour.

“This acquisition is another step that accelerates Nike’s digital transformation and allows us to serve athletes and creators at the intersection of sport, creativity, gaming, and culture,” Nike president and CEO John Donahoe stated about the acquisition.

Things have escalated beyond cosmetic upgrades. According to media outlet Business Insider, the value for digital properties in the metaverse have been rising at an exponential rate.

According to the site, more than $100 million have been invested in virtual real estate purchases in a two-week span alone, with a single property plot of virtual land being sold for $4.3 million.

But why is this happening? There are two key reasons. One of the two revolves around the issue of identity.

Since the metaverse hinges on the concept of a fully-realised digital identity, with users keen to create accurate reflections of their physical selves within a digital world, that means that they are divulging a lot of personal information, both directly and indirectly.

This naturally is very attractive to retail companies and advertisers, who wish to refine product promotion and marketing, as well as to sell their products in both the physical and digital world the user inhabits.

“Metaverse is a shift away from traditional advertising and toward the creation of brand engagements that are more experiential and thrilling while also being less intrusive than what we are now seeing with digital advertising,” Hina Irshad wrote recently for Coinmarketcap.

“Current digital marketing is simply not enough anymore,” Irshad added, explaining that “marketing strategies must be fascinating, meaningful, and immersive in order to be considered successful” and how this can be facilitated by the metaverse.

The second reason is related to cryptocurrency and blockchain technology in general, with both having experienced a tremendous surge in use and popularity over the past decade.

Cryptocurrency is already being used to purchase items on the metaverse, while there are metaverses that have been built using blockchain technology.

One pertinent example is Decentraland, which combines cryptocurrencies, blockchain technology, as well as the aforementioned ability to purchase virtual real estate.

In Decentraland, users can purchase LAND, a non-fungible ERC-721 token representing the ownership of virtual land in that particular metaverse.

The cryptocurrency Decentraland uses to purchase either LAND or other virtual goods and services is called MANA, a fungible ERC-20 token.

Are there any risks involved with the metaverse?

In one word, yes. As with any new medium, particularly one attracting an inordinate number of new users, with many of them being ill-versed with the technologies involved, there are numerous risks and threats one should be aware of, which will be examined below.

What threats does the metaverse expose you to?

First and foremost, the metaverse is largely unregulated, reflecting both how nascent it is as a medium, but also the inherent characteristics of some of its underpinning technologies and tools.

“There’s a huge potential for things like fraud and other traditional crimes, without there having the safety precautions that you have in other areas,” Cisco Talos head of outreach Nicki Biasini said during an interview with Business Insider.

“And for the people affected by these scams, there’s not a lot of recourse,” Biasini added, explaining that should a scam take place, there is not much that the victim can do to amend the situation.

Potential attacks can use techniques as simple as posing as a legitimate seller of a virtual product in order to extract a cash amount or a user’s personal data so that it can be used for a malicious purpose later down the line.

Some of the recorded scams that have already taken place include malicious smart contracts where the victim is fooled into authorising a transaction where they give the malicious actor full access to their crypto wallet, in turn losing all of their tokens and cryptocurrency.

“One of the functions in a smart contract might be the approve function,” Talos Technical Leader Jaeson Schultz has said, explaining that this enables the online swap services to transfer tokens out of a buyer’s Ethereum wallet after certain conditions have been satisfied.

“So we’ve seen cybercriminals abusing that approve function so that they can get approval to move all of the Ethereum, all of the NFTs out of users’ wallets,” Schultz added.

In addition, some blockchain users can pose as legitimate brands, including banks and other financial institutions, in order to defraud people of their money.

Since blockchain technology is inherently decentralised with no designated administrator, a moderator or other regulatory authority, there is no structured avenue to reclaim the stolen or otherwise illegally extracted amount.

Furthermore, hackers are already trying to steal non-fungible tokens (NFTs), while also attempting to sell zero-day exploits as tokens, as well as selling fake NFTs under the pretence of legitimacy.

What can be done to make the metaverse safer?

It is difficult to explicitly delineate concrete, by-the-book measures when it comes to the metaverse, mainly due to the reasons listed above, meaning that a lot of the protection lies in how educated, sharp, proactive and careful each user or entity is while navigating and interacting with other users on the metaverse.

One piece of advice relates to how you are perceived by hackers or other malicious actors, since the higher value you are perceived as a target, in terms of how many tokens your wallet is thought to contain, the higher the probability that you will be targeted with scams or other attacks.

This is related to the aforementioned smart contract, which is run on the blockchain. It is extremely pertinent to remember that smart contracts dictate the rules of a transaction, just like a contract in real life, with the only difference being that the completion of the smart contract will automatically enforce its rules and conditions through the code.

With this in mind, organisations and individuals operating in the metaverse should always go by one key rule: a smart contract is only as safe, secure and effective as the rules and conditions that shape it.

You should only always consult with a trusted partner who can assess the smart contract and drastically decrease the possibility of an exploit to the maximum possible extent. Such partners need to be well versed in cyber security, as well as legal technology.

Moreover, an organisation dealing with the metaverse should maintain the highest privacy, data security and cybersecurity standards in the traditional sense, before then designing a custom strategy to account for the particular attributes and characteristics of the metaverse.

The metaverse does not exist in a vacuum. Just like other mediums before it, including the internet itself, as well as other online platforms, you will need other means to connect to it, including devices, infrastructure and software.

All hardware and software must be secure, up to date with all of the latest security patches, correctly configured, designed and set up.

This means that your conventional cybersecurity protocols and strategy should receive equal thought, planning and investment as your security strategy for the metaverse.

While additional, more robust cryptocurrency and blockchain technology regulation has been hinted to be on the way, it is neither particularly imminent nor would it resolve all of the security issues currently affecting the metaverse.

One crucial point to keep in mind is that since the metaverse is based on a distributed system structure, your organisation must be well-versed in personal data protection and how this is handled in different geographical locations and under the supervision of different regulatory bodies.

You can get in touch with us to find out exactly how Boltonshield can help you by clicking here.

If you want to get updated about our recent publications about cybersecurity related topics, subscribe to our newsletter.

Subscribe to our Newsletter

Sign up for our content, including blog articles, news, tips and more