The technical details of what may end up being the largest cryptocurrency hack to date should set off alarm bells for companies thinking about setting up shop in the emerging digital world known as the metaverse.
In late March, North Korean hackers allegedly exploited a weakness in a method used to validate transactions on the metaverse to steal more than $615 million worth of ether cryptocurrency and the stablecoin USDC of the “play-to-earn” game Axie Infinity. The game is built on a blockchain, a Web3 technology powering the metaverse that relies on a decentralized digital ledger to record transactions widely across the internet.
Given the crash in cryptocurrency prices and the hackers’ difficulty in fencing the purloined coins, the theft may not end up as profitable as it initially seemed. But the fact that hackers targeted a metaverse enterprise so early in the ecosystem’s development suggests more serious cybercrimes are on the way. And that should trouble any executive hoping to securely conduct transactions or hold meetings using the metaverse.
“This is likely just the start of many successful metaverse attacks to come,” says Caroline Wong, chief strategy officer for Cobalt, a penetration-testing service provider. “As the metaverse gains popularity and ubiquity, the potential gains for malicious hackers
Metaverse investment rising
While definitions vary, the metaverse is typically thought of as a shared virtual space that blends the physical and digital worlds. Often, it uses virtual reality (VR), augmented reality (AR), cameras, sensors, and other technologies to enable immersive 3D experiences shared with others. Once inside this digital realm, people adopt avatars who gather to play, socialize, and conduct business.
That description may seem like something out of The Matrix. But it is real, and some argue that consumers and businesses alike are already using the metaverse whether they know it or not. Mixed reality games such as Fortnite, Roblox, and Minecraft are leading the way. Companies like Accenture, Microsoft, and the World Economic Forum, as well as marketers like the Starr Conspiracy, are communicating, collaborating, and meeting in the metaverse. Apparel brands like Ralph Lauren and Nike are already offering virtual shopping experiences, and the carmaker BMW is building digital twins of factories it can experiment in.
Indeed, the metaverse has the potential to become a big business. Citi predicts that digital transactions, devices, and other economic activity related to the metaverse could reach $13 trillion in value by 2030, with a population of about 5 billion users. And tech giants from the appropriately renamed Meta to Microsoft, Google, Adobe Systems, Snap, and Nvidia are investing heavily in the tech platforms, tools, and services needed to power it.
“The metaverse presents a huge, positive potential to create new economies of scale and connect with people from all over the world in meaningful ways,” says Wong.
Rich targets abound
Of course, when money flows to anything digital, cybercriminals are quick to follow. And in the metaverse, juicy targets are abundant.
Commerce, for example, is increasingly being conducted using digital currencies. Many gaming, entertainment, and retail sites are dedicated to creating, trading, and selling nonfungible tokens (NFTs), which are certificates verifying ownership of unique digital items, such as art, sports collectibles, songs, games, or films. Digital wallets used to make purchases in the metaverse can become targets as well.
“The amount of personal information we’re going to generate and have to manage in the metaverse becomes an incredibly attractive target for bad actors,” says Sean Spradling, a senior analyst for Wainhouse Research. “Someone will need to take a big step forward and lead the effort to secure all of this.”
The methods cybercriminals use to penetrate, seize control of, and make off with metaverse data and wealth will not necessarily be sophisticated. At least not in the beginning.
Hermes Frangoudis, director of developer relations at Agora, a metaverse platform provider, says hackers will use many of the same techniques they use today on the Web. They will go after individuals who are not paying close attention and launch phishing or social engineering scams to gain entry.
“Attacking individuals will be low-hanging fruit, much like most bandits in the Wild West went after people instead of robbing banks,” Frangoudis says. “Sure, the banks and exchanges will be targeted. But those attacks won’t happen as often, and they will involve more sophisticated cybercriminals.”
Wong, of Cobalt, says “screen overlay attacks” could become a common hacking method. These are similar to the digital skimmers that cybercriminals put on ATM machines to steal credit card information. Only in the metaverse, an attacker creates a replica of a login screen that sits on top of the real one and tries to trick a mobile or desktop user into divulging private or sensitive data. Worse, if a user happens to be wearing a VR or AR headset at the time, the technique could become a virtual weapon with physical implications in the real world.
“Cybercriminals could use an overlay attack to lead a user down an actual set of stairs, cause them to step into the middle of the street, or show them disturbing images or sounds,” she warns.
Another new and problematic attack vector could be metaverse hardware itself. AR and VR gear, cameras, sensors, cables, endpoint devices—anything people use to connect to virtual worlds could put user security and privacy at risk of account takeovers, “man-in-the-middle” attacks, and other exploits.
Research has shown, for example, that if a hacker were to digitally monitor a person wearing a VR headset, all of their specific physicality—their eye movements, hand waving, head bobbing, and other behavioral characteristics—could correctly identify 95% of individuals in five minutes or less. Theoretically, a hacker could use such biometric data to access smartphone wallets or websites.
Frangoudis believes hardware vendors could build switches or other shutoff mechanisms to disable or limit the functionality of devices that could be hacked, much as cellphone mute buttons work. But, he notes, these tools and techniques will take time to develop. And until they become common, users should exercise caution.
“As a consumer, you have to understand that these devices make it possible to collect a lot of data about you,” he says. “Before using them, you should know what kinds of data they’re collecting about you and the environment around you. You should know how that data is stored and if it’s securely encrypted.”
Beyond common exploits, the biggest fear is that cybercriminals will eventually find new and unforeseen ways to take advantage of unsuspecting metaverse participants. There’s the potential for online mayhem ranging from deep fakes of your friends and colleagues to bots that trick you into divulging your personal and financial data. Identity theft could become as simple as replicating your avatar.
Making metaverse security a priority
The metaverse is an evolving, distributed, and open architecture. It lacks regulatory oversight, and underlying industry standards have yet to emerge. But companies and users can prepare for the metaverse by taking a few precautions, such as the following.
- Exercise good cyber hygiene. Companies in the sprawling metaverse need the usual strategies of patching regularly, installing antivirus updates, and enforcing multifactor authentication (MFA) in addition to passwords. They should also regularly perform penetration tests and audits to assess the resiliency of digital defenses and minimize the risk of code backdoors and other vulnerabilities.
- Ensure robust endpoint protection. Laptops, tablets, and smartphones are often used to access the metaverse, so it will be vital for enterprises to be able to see, manage, and secure all endpoints. Endpoint protection platforms (EPPs) can help many organizations get a grip on this rapidly expanding virtual world.
- Encrypt key data. Frangoudis of Agora says tech vendors bear responsibility for building safeguards into their platforms and products to ensure that data is transmitted securely. But, for an even stronger defense, he advises IT security organizations to encrypt all data and communications before they enter virtual worlds. “You have to ensure that the connection between the end device and your server is valid and nobody is packet-sniffing your URLs or playing middleman [in the data transfer],” he says. Other experts recommend that enterprise metaverses, in particular, store data on the device and restrict access and data flow to non-approved platforms.
- Implement zero trust. Not trusting anyone inside or outside a network until they prove their identity is relevant in the existing centralized Web2 world, and limiting access through zero-trust policies and procedures is even more critical in the emerging decentralized Web3 world of the metaverse.
- Increase education and awareness. “The guiding principles of what we know to be true in security should be our anchors in the metaverse,” says Wong of Cobalt. “Cybersecurity awareness, education, and proactivity are the first steps to preventing hacks.” Employees and consumers need constant guidance about how to recognize suspicious activity and report it.
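The first precaution above asks for multifactor authentication on top of passwords. What that looks like on the server side is shown here as an added example; it is not code from the article or from any of the companies it quotes. It implements a time-based one-time password check (RFC 6238 TOTP over RFC 4226 HOTP) using only the Python standard library, tolerates one 30-second step of clock drift, rejects a code that has already been accepted (replay), and compares codes in constant time. The `TotpVerifier` and `login` names are hypothetical, and the secret used in the comments is the well-known RFC test key, not a real credential.

```python
import hashlib
import hmac
import struct
import time

DIGITS = 6      # code length shown to the user
STEP = 30       # seconds per time step
WINDOW = 1      # accept one step of drift on either side of "now"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Hypothetical server-side second-factor check.

    Remembers the highest counter accepted per user so the same code
    cannot be replayed within the drift window.
    """

    def __init__(self, secrets):
        self._secrets = secrets          # user -> shared secret bytes
        self._last_counter = {}          # user -> last accepted counter

    def verify(self, user: str, code: str, now=None) -> bool:
        secret = self._secrets.get(user)
        if secret is None or not (code.isdigit() and len(code) == DIGITS):
            return False
        now = int(time.time()) if now is None else now
        counter = now // STEP
        for candidate in range(counter - WINDOW, counter + WINDOW + 1):
            if candidate <= self._last_counter.get(user, -1):
                continue  # already consumed, or older than an accepted code
            # Constant-time comparison so timing does not leak which digits matched.
            if hmac.compare_digest(hotp(secret, candidate), code):
                self._last_counter[user] = candidate
                return True
        return False


def login(verifier: TotpVerifier, user: str, password_ok: bool, code: str, now=None) -> bool:
    """Both factors must succeed; the second factor is never skipped."""
    return password_ok and verifier.verify(user, code, now)


if __name__ == "__main__":
    # Constructed demo using the RFC 4226/6238 test key "12345678901234567890".
    demo = TotpVerifier({"alice": b"12345678901234567890"})
    print("code at t=59:", totp(b"12345678901234567890", 59))
    print("first use accepted:", login(demo, "alice", True, "287082", now=59))
    print("replay rejected:", login(demo, "alice", True, "287082", now=59))
```

The replay check matters because a phished or shoulder-surfed code stays valid for the whole drift window; recording the accepted counter closes that gap without shortening the window for legitimate users.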
“At the end of the day, people and organizations have to protect themselves in the metaverse,” says Frangoudis. “It really is the Wild West, and you’re going to have to be your own sheriff.”