In the metaverse, the attack surface expands to your brain - interview

Many businesses picture the metaverse as a financial opportunity rather than a living and breathing new reality. But stories like the first rape in the metaverse raise concerns about who will police this new reality to ensure our safety and wellbeing.

In December, Nina Jane Patel shared her experience of sexual harassment on Facebook/Meta’s Venues.

“Within 60 seconds of joining, I was verbally and sexually harassed. 3–4 male avatars with male voices virtually gang-raped my avatar and took photos. As I tried to get away, they yelled: ‘don’t pretend you didn’t love it’ and ‘go rub yourself off to the photo,’” she recalled.

Patel, co-founder and vice president of Metaverse Research at Kabuni, explained that virtual reality has essentially been designed so the mind and body can’t differentiate virtual/digital experiences from real ones. “In some capacity, my physiological and psychological response was as though it happened in reality,” she said.

Stories like this suffocate the enthusiasm that is building around the metaverse. Companies are eager to dip their toes in the ocean of (financial) opportunities that the digital realm presents. But are they anxious to protect our privacy, security, and even physical wellbeing?

I sat down with Daniel Cohen, cybersecurity company Radware’s vice president, who is closely following the developing metaverses, to discuss the most pressing issues that this new reality creates.

Is the metaverse going to be something that we already have with web 2.0, only a sort of 3D version, or something completely different? How do you picture it?

Everybody pictures it differently. It depends on what Hollywood movie you've seen. The film that I watched, and what I think the metaverse will turn out to be, it's Ready Player One, the Spielberg movie. It's not a clone of the physical world. Its elements will be the clone of the physical world, but I think the nice thing about the digital world is that there are no boundaries, and you can take the metaverse anywhere you want.

As we think about the metaverse and the different users of the metaverse, that's also an element of, you know, who is going to use the metaverse. Are we going to use the metaverse? Are our parents, our kids going to be in the metaverse? Depending on who the user is, the experience of the metaverse is potentially going to change.

From mimicking real life, you look at what's happening in the metaverse, and you have travel companies that are now starting to build your virtual getaway. You'll pay to put your headset on and look at a nice view in Cancun. That will be the clone of the physical world. There will be elements of cloning and features that let your imagination run wild.

It seems that at least at the beginning, the metaverse communities will be limited. You will have to join it, because, for example, your company will ask you to, or you will want to hang out there with your friends. But some people, I guess, will be left behind. Do you think that at some point we all will be totally immersed in the metaverse and it will become our life? Will the metaverse be the way of doing things?

To me, this is a concern. Are we going to wake in the morning in the physical world, put on our headsets, spend the next 12-18 hours in the digital world, and then log out to go back to sleep? I know people today that spend their days in the metaverse. They have an office with a nice view. They live in small apartments but spend their life somewhere else.

You have Decentraland, where everything is popping up, and everyone can visit it, their casinos, and JPMorgan. There will be these public spaces, and then you and I can set up a community and invite only certain people. But there's going to be a global public world, and it raises a bunch of issues around jurisdiction and regulation.

Daniel Cohen and the metaverse. Images from personal archive and Shutterstock

At the moment, privacy is a growing concern. Will the metaverse change our perception, making us open our virtual homes to everyone because we will want to show off some expensive pieces or digital art or furniture?

Privacy is in the eye of the beholder. I define my levels of privacy, what I'm comfortable with. When we think about privacy in the metaverse, it is beyond what you feel private or not. I have a cybersecurity concern: how do I know that I am talking to you in this digital world? How do I know that you are a legitimate person? Have you been hacked? Has your data been leaked?

Even today, you don't know what data is being collected. Your Alexa is listening to you, and your browser is tracking you. Whatever it is, the regulators are trying to enforce some privacy laws. But the metaverse will exacerbate the problem because there's going to be so much data being collected for the metaverse to operate successfully. And that's where, I think, the privacy concerns arise.

I spent the decade fighting phishing attacks. It's the number one consumer cybercrime because we are easy to trick. Think about the metaverse. You put on these goggles and your headset, and that's it. I put them on and climbed to the top of the building, like a 50-story building, and my exercise was to step off the roof. You can't do it - your mind is absolutely sure that you are standing on the top.

If we are so easy to trick in today's world, if I can fool you with a web page with some bank's logo, think what tricking you is going to look like in the metaverse.

The metaverse is moving so quickly, and it's not being secured appropriately. The privacy concern is amplified significantly.

Is there a significant difference when it comes to privacy between the metaverses? For example, the one that Meta controls and the ones that Decentraland and Sandbox are developing?

When we talk about blockchain and crypto, to me, it's just a way of storing data. Instead of keeping it in some central server that belongs to someone, you are holding it on a decentralized blockchain. But the data still exists.

I want to come back to that root problem – if I can trick you, I can get into that data. So privacy is going to be a very key concern. That link between the physical and digital realms that we haven't managed to solve even with simple web pages will be even more tricky in the metaverse because you will be immersed in the digital world.

At least in the physical world, there are signals that we are accustomed to. There are just so many sensory signals in a physical world – you walk into a bank, a building with a logo, and people working at their desks. You know that you are in a legitimate bank. As we moved to online banking, what are the sensory signals? It's a logo. In the metaverse, it's this mix - it is all digital, but you feel very physical. You walk into JPMorgan in the metaverse. How do you know that you are in the actual bank?

If I manage to hack your device, I can show you something else. You can be seeing something that I intend you to see. Crazy. The attack surface now expands to your brain as well.

So the amount of data companies collect on us will only increase?

One of the significant challenges is going to be a jurisdictional challenge. A lady reported being raped in the metaverse. Three avatars attacked her physically/digitally, calling her names, attacking her avatar. In this situation, who investigates this? Where are the avatars from? Where are they physically from, where are their servers located, how do the police now investigate this digital rape case? The decentralization of data becomes an issue. Who regulates and governs this digital world? The whole concept of decentralization means that no government owns my identity. Who has jurisdiction over this digital thing? Where is it happening?

We are accustomed to specific digital experiences. On the other hand, these digital experiences are becoming very physical. We have to find a way to secure this.

How will metaverse companies address this issue?

Right now, there isn't enough being addressed. When people look at the metaverse today, it's mostly a financial opportunity more than anything else. You can buy food in the metaverse, try out outfits, and it's all very financially driven, which is ok. But as this is happening, are the metaverse companies thinking about how they will protect their users, regulate actions that occur in the metaverse, who's going to regulate that, who's going to govern, police it?

I don't know who's going to do it. Is it going to be the companies that own metaverse infrastructure? Is it going to be the people developing applications in the metaverse? I don't know who will be the central entity that we are going to come knocking on the door and say, why haven't you governed this or made sure to take care of this.

To begin with, I would put the onus on the application developers, all these companies that are rushing to the metaverse to start something. A concert hall, a restaurant, a fashion store. They should provide basic security, take care of my identity, take care of my privacy and data, make sure they can't be hacked, and protect you from the different types of attacks.

As the metaverse becomes more mainstream, and there's no doubt it's going to become mainstream, that's when, I think, we are going to see more centralized regulation.

You and I will create some land out there. Who will tell me what's allowed and not in my digital world? There will be a lot of challenges once the space grows and evolves.
