The reality of the metaverse, where builders aim to create a shared, immersive and interactive digital world that combines virtual reality (VR) and augmented reality (AR) with avatars, digital twins and Internet of Things (IoT) devices, is only a few years away. With all the chatter about the metaverse, many are beginning to get an idea of what it might look like, but few understand the infrastructure behind its technology.

It would be unwise to assume that the cybersecurity threat landscape of Web3 will be simply a continuation of today’s common Web2 threats. The next-level complexity of hardware and software technologies that will make up the metaverse introduces countless attack surfaces and cybersecurity challenges. Here are few unique security concerns that the metaverse presents and how security leaders will need to reorient their approach to stay ahead of the next generation cyberattacker.

The metaverse’s near-infinite attack surface

The metaverse ecosystem has a wide attack surface made up of software, hardware and communication channels. Web3 will be all about greater user interaction, and that will mean more user data will be collected. Data can be acquired through AR/VR devices, sensors, cameras and other devices that are connected to the internet. Data can be stored in the metaverse in many ways, such as on servers, in databases on edge, fog or cloud-computing platforms. This is an enormous amount of potentially vulnerable user data, and cybercriminals will follow the money.

Compromised devices pose new threats 

While the metaverse is still vulnerable to the same threats of today’s Web2, the nature of its immersive and interactive technology adds identity and privacy threats. Rogue or compromised end-user devices present a significant risk of data breaches and malware invasions targeting the user’s monetary assets. In the Web3 world, the user’s identity goes well beyond a character’s avatar, including their private keys for cryptocurrencies, bank details, social relationships, and even images of their digital life history. Since NFTs could soon be used for various forms of identification, from insurance policy documentation and drivers’ licenses to event tickets, the loss or modification of any of these items can could constitute identity theft.

Identity theft on a whole new level

Interacting with an avatar in Web3 requires pervasive user profiling activities using multiple dimensions and high granularity for facial expressions, eye/hand movements, speech, biometric features and even brain wave patterns. Attackers can impersonate victims in the metaverse by exploiting the behavioral and biological data gathered by AR/VR devices to create a fake avatar for criminal use. Cybercriminals can inject erroneous data into the acquisition stream generated by wearable devices and use it to launch social engineering or other malicious applications. Hackers can learn a lot about a victim’s preferences and even recreate user actions and sensitive passwords for personal accounts by following the eye and finger movements associated with entering codes using a virtual keyboard. Bad actors can cause bodily harm by breaking into edge devices, such as haptic gloves, bodysuits and VR/AR headsets, and overdriving actuators to magnify the electrical forces.

Getting physical with cybersecurity strategies to secure the metaverse

There are practical measures that the security industry and individuals can and should take sooner than later to get ahead of securing the metaverse. Organizations should not only have software protection in place to secure their data, but also add robust defenses on hardware devices and communication channels to protect against identity theft and physical harm. Business and tech leaders entering the Web3 space in any manner should be relentless about education and awareness, since preventing human error can help reduce cybersecurity incidents.