SoS Musings #66 - Metaverse Security and Privacy

SoS Musings #66 -

Metaverse Security and Privacy

The metaverse is defined as "a virtual reality space in which users can interact with an environment generated by computer and with other users.” It promises a highly immersive virtual world experience using Virtual Reality (VR), Augmented Reality (AR), Mixed Reality (MR), and Extended Reality (XR) technologies, allowing users to further escape reality. It provides a place opposite the physical world where users can hang out with friends, shop for real or virtual products, play games, buy real estate, and more. In 2021, the global metaverse market was expected to be $38.85 billion. From 2022 to 2030, it is expected to grow at a Compound Annual Growth Rate (CAGR) of 39.4 percent, reaching $678.8 billion. However, there are security and privacy concerns amid the buzz surrounding the metaverse. The growing availability of digital experiences via immersive headsets and related technologies is raising concerns about the data collected on those who use the devices and how to protect it from malicious threat actors. Metaverse-related devices are also raising concerns regarding the safety of users, as hackers can infiltrate such devices to potentially trigger seizures.

Research has shed light on the metaverse's unique privacy and security risks. A study conducted by researchers at the University of California, Berkeley titled, "Exploring the Unprecedented Privacy Risks of the Metaverse," examined an "escape room" VR game to gain insight into how much data a potential attacker could access. The researchers developed a framework to assess and analyze potential privacy threats based on a 30-person study of VR usage. They were able to identify more than 25 examples of private data attributes that potential attackers could obtain, some of which would be difficult or impossible to gain access to through traditional mobile or web applications. The potential private data points identified by the researchers include geospatial telemetry, device specifications, network observations, behavioral observations, and more. These data points specifically include height, arm length, device refresh rate specifications, room width, network bandwidth, fitness, and other private information. Various inferences can be drawn about a VR participant's gender, wealth, ethnicity, age, and disabilities based on these metrics. The researchers demonstrated how VR attackers could steal dozens of personal data attributes from seemingly anonymous users of popular metaverse applications such as VRChat. According to the researchers, these attackers can be other VR users with no special privileges.

A study conducted by researchers at the University of Denver titled, "Security and Privacy Evaluation of Popular Augmented and Virtual Reality Technologies," also emphasizes metaverse security and privacy issues. Hololens, Oculus, Google Glass, Valve Index, HTC Vive, Raptor AR, Psious (Amelia), Magic Leap, Epson Moverio, and IKEA Place AR were among the ten most widely available AR and VR devices and applications gathered by the researchers. The devices and their associated platforms were then evaluated for security and privacy, with a focus on device authentication, user profiling, access control, database security, and other factors. Their findings shed light on the limitations of these identified devices and applications, as well as areas where improvements can be made to provide users with a better, more secure, and privacy-preserving experience. The examination of these technologies revealed that the web pages for these devices contain Common Vulnerabilities and Exposures (CVEs) that could result in unauthorized access by attackers. They discovered that all the devices collect information such as the user's technical system information, account data, transaction and payment data, information sent through chat, voice interactions, IP address, system activity, and more. It was also discovered that the majority of these devices or applications do not provide users with Multi-Factor Authentication (MFA). There are typically no direct ways for users to remove their profiles from these devices or applications. Furthermore, the researchers discovered that most privacy policies are flawed because there is no clarity about the data shared with third parties. Only a few of these devices allow users to customize the data being accessed.

In analyzing the nature of metaverse technology and taking into account the current cybercriminal landscape, researchers at Trend Micro were able to conceptualize several critical threats against and within the metaverse. According to Trend Micro's report titled, "Metaverse or Metaworse? Cybersecurity Threats Against the Internet of Experiences," the metaverse poses threats to specialists operating Industrial Internet of Things (IIoT) machinery virtually, virtual art collectors, virtual art sellers, and gamers. As industrial equipment connects and becomes accessible via custom metaverse space interfaces, it can be operated by specialists thousands of miles away. This operation invites cyber-physical threats such as Man-in-the-Middle (MITM) attacks between industrial equipment and remote operators, as well as traditional IT attacks in which vulnerability exploits are used to gain access to industrial equipment. Trend Micro researchers point out that the metaverse's connected nature makes lateral movement possible after initial entry. With the use of VR, AR, MR, and XR technologies, criminals can use an industrial facility's digital twin to plan physical attacks ahead of time. The researchers highlighted the lack of physical laws in the metaverse that exist in the real world, which will ignite Non-Fungible Token (NFT) threats in which an owner is blocked from accessing their NFT assets if NFT data files are encrypted in a ransomware attack. In regard to VR, AR, MR, and XR threats, it is possible for scammers to put up fake metaverse galleries and sell counterfeit art. According to Trend Micro researchers, part of the metaverse experience will involve bodysuits, which will allow users to physically feel and interact with different things within the metaverse, such as games. Users should beware of possible hacking that could cause bodysuits to malfunction and potentially inflict harm. For example, bodysuit hacking could lead to stroboscopic light effects inside the headset display, potentially causing seizures. In addition, users' privacy is at risk if criminals gain access to bodysuits and start monitoring user actions. Furthermore, Trend Micro researchers say significant privacy concerns will arise since these suits will have access to biometric data that could be misused by malicious actors.

It is essential to continue anticipating threats and taking action early to protect metaverse-like applications and the metaverse against attacks and abuse. Europol's Innovation Lab recently released a new report titled, "Policing in the Metaverse: What Law Enforcement Needs to Know," providing a detailed overview of the potential for criminal activity within the metaverse, as well as the opportunities and best practices for building police presence online. Metaverse-native crimes, or the metaverse version of cybercrime, remain an area of research that calls for further attention, as emphasized by Europol's Innovation Lab. It is certain that the development of the metaverse, much like the development of the Internet, will open up new opportunities for criminal activity. According to last year's Check Point Q4 2021 brand phishing report, Roblox ranked eighth as the most imitated brand in phishing attempts, indicating that metaverse applications have piqued the interest of criminals. Knowing that 67 percent of Roblox users are under the age of 16 makes this even more concerning. Ransomware-style attacks on metaverse devices may be especially effective. Given the increased importance of digital assets in the metaverse, losing access to them could be disastrous for buyers. Europol emphasizes that legislation for modern cybercrime and online interactions is already lacking. As new types of metaverse experiences and possibilities emerge, legislation will be even more inadequate for the metaverse. Therefore, it will be critical to raise awareness among legislators about possible security and privacy threats posed by the metaverse, as well as the tools and resources that law enforcement will require to carry out their duties in these new virtual worlds.

The work conducted by researchers at the University of Denver, the University of California, Berkeley, and Trend Micro should also inspire other security and privacy practitioners to pursue research at the intersection of security and privacy and metaverse applications and technologies, particularly to propose countermeasures for new and existing attacks in the metaverse.