What are the potential cybersecurity threat scenarios that world is likely to encounter in the early stages of the metaverse?
Trend Micro released which examines nine different categories of threats against the metaverse and inside the metaverse, including cyber-physical crime, financial fraud, legal implications and more.
The threats are sorted into nine categories outlined below:
- NFTs: There are integrity issues. NFTs regulate ownership of assets, but do not provide storage for the assets. This may lead to ransoming or other criminal attacks. If NFT data files are encrypted in a ransomware attack, the user will still retain ownership but they can be blocked from accessing the assets if they do not pay the ransom.
- Darkverse: The darkverse is like the dark web, except it exists inside the metaverse. In some ways, it is more dangerous than the dark web because of the pseudo-physical presence of the users. It mimics clandestine physical meetings versus the purely online open discussion threads in dark web criminal forums. The darkverse lives inside the deepverse, which is unindexed like the deep web.
- Financial fraud: Criminals and criminal groups will be drawn to the metaverse because of the huge volume of e-commerce transactions that will occur in these worlds. There will be many who try and take advantage of users, steal their money, and capture their digital assets.
- Privacy issues: Privacy issues will become a major concern in the metaverse. Metaverse publishers will control all aspects of their meta spaces, collect vast amounts of user data, and monetize the collected data. Even if there are open-source metaverse worlds that users can host, the publisher who hosts them will still be able to collect and monetize user data.
- Cyber-physical threats: The metaverse is going to be an interactive application layer for the Spatial Web. The Spatial Web is a computing environment that exists in 3D space — a twinning of real and virtual realities enabled via billions of connected devices and accessed through VR / AR / MR / XR interfaces. The integration of IoT and cyber worlds could give rise to cyber-physical threats.
- Virtual / augmented / mixed / extended reality threats: The metaverse is going to exist as both a VR and an MR world — user interactions will occur inside the 3D virtual worlds, or with 3D objects augmented in the real world. VR metaverse-like spaces will arrive within two to three years, while AR / MR metaverse spaces are at least four to five years away.
- Social engineering: Social engineering uses psychological manipulation to trick users into making security mistakes or give away sensitive information. For example, deep fakes can be leveraged to commit crime, criminals can infiltrate a metaverse to impersonate companies, providers, officials, etc.
- Traditional IT attacks: Since metaverse worlds will run on regular IT hardware, they are susceptible to these IT attacks. Current IT threat scenarios will very likely keep happening in the metaverse: distributed denial of service (DDoS), API attacks, ransomware, etc.
Miscellaneous threats and issues: Some of the metaverse threats and security concerns Trend Micro analyzed did not fit neatly into any of previous categories. Miscellaneous threats and issues may include:
- law enforcement agencies may struggle intercepting crimes and criminals in the metaverse
- environmental impact of the metaverse. Bitcoin mining, for example, uses huge amounts of electricity
- network partitioning due to uplink or power failures need to be handled securely
- the metaverse can hardly be disassociated from large tech companies
- policies and enforcement of copyright infringements
- ethics, responsibilities, and accountability of interacting with bots, or artificial intelligence
- moderation of speech and activities within the metaverse (fake news, hate, extremism, racism, bullying, harassment, etc.)
The report underscores the urgency for tech companies to start developing new security models to protect applications designed for the metaverse. For the full report, which includes a number of security concerns and scenarios for each threat category, visit www.trendmicro.com.