Inside the metaverse

Emerging Risks talks to Satnam Narang of cyber security specialist Tenable about the risks associated with the growth of the metaverse.

What is the metaverse?

The metaverse is really interesting, because there are a number of different metaverses. When you talk about the internet, everyone understands what the internet is. You access the internet through different portals, whether that is your ISP, on your home device or computer, and everyone is accessing a singular point of entry. But when we talk about the metaverse, it’s broadly discussing a number of different metaverse experiences being offered by companies. These are virtual experiences where people can go in and create an avatar to reflect their personality, or make their avatar look like themselves. 

There are very popular commercial metaverses that we know about such as Fortnite or Roblox, which a lot of the kids use nowadays, but there are also companies such as Meta (or Facebook) who are launching metaverses, or are in the process of doing so. And Microsoft is also getting into the same realm, trying to offer businesses opportunities to have collaboration within the metaverse, especially over these past few years with the pandemic and more people working from home. The metaverse provides that virtual environment where folks can interact with one another.

At the moment there is a significant degree of interest in investing in this sector?

Absolutely. Organisations do see the metaverse as an opportunity for interacting and collaborating with one another, specifically in the UK. [In our recent survey] 42% of UK respondents said that enhancing customer engagement is one of the key reasons why they view the metaverse as an opportunity for collaboration. Improving remote working was also a reason from 40% of respondents. Also, there is the opportunity for new revenue streams, which is why you see companies such as Facebook and Microsoft looking at the metaverse very closely. Facebook pivoting its name to Meta is a pretty bold step.

Is this predominately about the leisure space?

Right now it’s very consumer-orientated and gaming-orientated, which has been the pioneering element of these metaverse experiences. But you have business also looking at the metaverse as an opportunity for new revenue streams – Adidas has been launching its own metaverse experiences, for example. And you will see a company like Apple get into the augmented reality experience, I’m sure. 

The potential is clearly huge- but what are the risks?

Security concerns [were flagged in our survey], especially in the UK, where 47% of respondents indicated that security was their top consideration affecting their organisation’s investment decisions in the metaverse. Because the metaverse is uncharted territory in some may ways- there are a lot of competing metaverses that are being developed. Comparing, say, a Roblox or Fortnite, the threats that are posed there differ from the threats that are posed on the metaverse experience associated with the blockchain. 

Challenges associated with Roblox and Fortnite are phishing and compromised accounts, or selling fake or faulty goods within the metaverse, claiming you buy certain cool items if you fill in a survey or provide particular personal information. Whereas on the blockchain, targeting these companies that develop in the blockchain space using code that may not have been validated or vetted, and finding vulnerabilities there that enable people to steal money, is the goal there. So there are certainly a lot of challenges when it comes to securing the metaverse. 

What about the potential for the US plaintiff bat to become involved, claiming for example that a particular metaverse has psychologically damaged a whole group of people? Is this something that could happen and that we should be concerned about?

The thing about the metaverse that creates a lot of challenges is that there are a lot of unknowns out there. We don’t know what the experiences are going to be like five or ten years from now. How immersed will we be? Clearly the popularity of some of the current ones indicates that there is the potential for addiction. 

But we see other potential risks- respondents mentioned cloning a person’s voice and facial features, or hijacking video recordings using an avatar. These are the new types of threats. And my research into new and emerging social networks suggests that a lot of the bad actors do follow users onto these new platforms, and are experimenting and trying to get a better understanding of how these platforms work to then figure out how they can pivot and leverage the existing functionality. As an example, look at an app like Tik Tok. As it grew in popularity, the cyber criminals started following and started to figure out what some of the native functionality and features within it are that they could leverage… creating fake ad campaigns. 

But there is always going to be risk in whatever you do. We use the internet… which has become an understandable risk that we take. As we get through this process, organisations that develop their metaverses will figure out how to secure their users, and as business will do the due diligence and figure out how they can limit and reduce their exposure.

Satnam Narang is Senior Staff Research Engineer, Security Response at Tenable