If security and privacy are hard to maintain on the internet, how will the metaverse fare?
Mark Zuckerberg's latest brainchild, the metaverse, is envisioned as an all-encompassing digital world in which users can easily access information and share immersive experiences.
Based on an array of technologies from virtual reality (VR) and augmented reality (AR) to the internet of things (IoT), it promises consumers and businesses a parallel world for both work and pleasure.
By its very nature, though, the metaverse represents an unprecedented digital and physical attack surface. And there isn't just Meta's version to think about, with many different metaverses, both consumer and enterprise, currently under development.
In terms of hardware risks, VR headsets are front and centre, with these devices likely to become as central to people's lives as smartphones already are.
And they're already vulnerable to hackers, with researchers at Rutgers University-New Brunswick demonstrating earlier this year that it's possible to exploit headsets with built-in motion sensors to record subtle, speech-associated facial dynamics and steal sensitive information communicated via voice command.
More data than ever before
The amount of data this could reveal is extraordinary, ranging from travel histories, game preferences, and shopping preferences right up to credit card numbers, Social Security numbers, phone numbers, PINs, transactions, birth dates, and passwords.
Indeed, the privacy issues of the metaverse are almost impossible to overstate. Platforms will be collecting data at a furious rate, aiming to monetize it through personalized advertising. With, for example, body-tracking necessary to create a user's avatar, it will be far easier for them to argue that broad forms of data collection are valid.
And with all this data recorded and potentially accessible to attackers, new forms of attack such as deepfakes come into play, making it hard to know who to trust.
The metaverse looks set to be a booming place for e-commerce – indeed, according to McKinsey, it could be worth a staggering $2 to $2.6 trillion by 2030.
And, says Trend Micro in a recent report, there's a high chance that the metaverse will bring with it a new digital economy that creates the opportunity for criminals to manipulate the market, carry out money laundering, and set up pump-and-dump schemes – all of which will be difficult to investigate and prosecute.
Trend Micro highlights NFTs as a major source of concern, threatened by phishing, ransom, fraud, and other attacks. Verified using blockchains, NFTs are obviously susceptible to blockchain hijacking attacks.
And so-called Sybil attacks, which involve creating multiple identities, may allow an attacker to gain control of more than half the peer nodes that verify transactions and manipulate NFT ownership verification.
Just as the internet has spawned the dark web, so too may the metaverse develop illegal marketplaces of its own, allowing criminals to meet one another and cooperate in illegal activity.
These could be impossible for police to infiltrate without the correct authentication tokens, or without being inside a designated physical location. Like the dark web, this could enable all sorts of crimes, from financial fraud and e-commerce scams to ransomware.
Can we regulate?
When it comes to regulation, the future is unclear. Already, for example, it's uncertain how securities laws can best be applied to cryptocurrencies and tokens.
And in terms of data privacy, things get even murkier. Different jurisdictions have different requirements, based on everything from the physical location of organizations and their servers to the type of data involved and how, and by whom, it's being processed.
These issues are thorny enough in the internet world – data transfers between the EU and the US being a notable case in point – but in the 'seamless' metaverse they will be even harder to police.
Mark Zuckerberg's attitude to progress is well-known – "Move fast and break things" – and it's a mantra that's worked well enough for him so far. However, having been once bitten, the world is likely to be twice shy. It may not be enough to simply hope that issues of both security and privacy work themselves out in practice this time.