Securing the Metaverse


If and when the concept of the metaverse comes into common use, it will likely bring security challenges with it. Whether we view the metaverse concept positively or negatively, it is such early days that we do not know what the end product will be, so there is no real harm in discussing potential problems now; we may even be able to solve them. In futurism and science fiction, the metaverse is a hypothetical iteration of the Internet as a single, universal and immersive virtual world that is facilitated by the use of virtual reality (VR) and augmented reality (AR) headsets. Today, a metaverse is often a network of 3D virtual worlds focused on social connection.

The term "metaverse" originated in the 1992 science fiction novel Snow Crash by Neal Stephenson, as a portmanteau of "meta" and "universe". Metaverse development is often linked to advancing virtual reality technology due to increasing demands for immersion. In my personal opinion there is unlikely to be a single metaverse but multiple ones tied to specific companies and purposes, e.g. Facebook (social network), Microsoft (gaming space and office tools), etc.

This blog post will cover cybersecurity, data protection and privacy, and the potential types of unique attacks which may target users of the metaverse. These will depend on the chosen device, for example the VR (virtual reality), AR (augmented reality) or XR (extended reality) headset the user makes use of.

Cybersecurity Challenges 

Some of the cybersecurity challenges in the Metaverse will be similar to what businesses and government organisations are already familiar with on the internet. The persistent rise of cyber-attacks over the past years, and during the COVID-19 pandemic in particular, has shown just how worthwhile it can be for cybercriminals to break into an enterprise's or an individual's online accounts. However, alongside the familiar phishing, malware and ransomware attacks, the Metaverse will probably bring completely new cybercrimes because of its infrastructure. The dependency on hardware to experience the Metaverse is another challenge: it relies upon external devices such as VR headsets that can be targeted by cyber-criminals if left unprotected. Data captured via these devices will likely be traded on the dark web. Personal data can be used for blackmail, or to support social engineering and spear-phishing attacks targeting particular individuals or companies.

Currently, there is no single solution for making the Metaverse a secure place. A certain level of anonymity will probably still exist in the Metaverse, which will help cybercriminals get away with attacks such as phishing, cyberstalking and online harassment. Security awareness training will be vital to educate people and businesses on how to stay secure on the internet and in the Metaverse. People should understand the risks of this new phase of the internet so that the right cybersecurity resources can be deployed to protect individuals and organisations.

Data Protection Challenges

Within the Metaverse there is a strong connection between ordinary physical reality and augmented virtual reality. This leads to the duplication of identities when individuals join the Metaverse and create their own avatars. This inevitably entails the processing of a wide range of personal data, such as:
    • Identification details which are required for creating the avatar;
    • Location data;
    • Data relating to habits, interests, preferences, and opinions; and
    • Data relating to users’ psychophysical sphere, including behavioural data (e.g., emotional responses and social interactions) and body movement data (e.g., users’ posture, gaze, gestures, facial expressions, and interpersonal distancing).
Data relating to users' psychophysical sphere take on key importance in the Metaverse in two specific ways: (i) the univocal identification of individuals, and (ii) the possibility of treating a previously acquired psychophysical dataset as a source of "further" inferable information about users.

With respect to the univocal identification of individuals, emotional reactions and body movements are externalised by the avatar through the use of special technologies. This facilitates the individual's identification within ordinary reality, since behavioural and body movement-related elements become, in VR, an information asset univocally referred to the human being. In the Metaverse such information may therefore be covered by the EU GDPR: unlike in physical reality, movements and gestures may fall under the concept of personal data as defined in Article 4(1) of the GDPR and be processed (Article 4(2) of the GDPR) by the data controller.

Regarding the possibility of treating data processed in the Metaverse as a source of "further" inferable information about users: once translated into the Metaverse, specific movements and/or behaviours may easily "reveal" sensitive details about the individual, such as medical diseases, physical disabilities or previously experienced traumas. Data obtained by further analysing human characteristics in this way is known as "inferred data" under the GDPR. Should such data reveal sensitive information, including data concerning health, the applicable legal framework would be the one set out in Article 9 of the GDPR, with its restrictions and conditions on processing.

This means there are minimal regulatory gaps in respect of the metaverse, though at the moment there is a lack of guidance on applying the GDPR to metaverse projects. Recent and upcoming EU/EC legislative projects, including the AI Act, the E-Privacy Regulation, the Data Act, the Digital Markets Act (DMA), the Digital Services Act (DSA) and the Data Governance Act (DGA), together with the right form of supporting guidance, may also prevent regulatory gaps in meeting the data protection challenges of the metaverse.

Privacy Challenges

One aspect of the metaverse that raises privacy concerns is the vast amount of personal data that may be collected on participating individuals. Compared to traditional social media, metaverse platforms can track individuals in a much more intimate manner. Companies can monitor physiological responses and biometric data such as facial expressions, vocal inflections and vital signs in real time while participants are in their metaverse. This depth of information allows companies to gain a deeper understanding of users' behaviour, which in turn can be used to tailor advertising campaigns in an exceptionally targeted way. Additionally, the legal implications of using artificial intelligence (AI) will be another aspect to consider given its prevalence in biometric technologies.

As it is still early days in the development of the metaverse, existing and upcoming legislation and regulation may minimise or prevent gaps; however, as with data protection, new guidance tailored to the metaverse may need to be created to ensure that privacy protection requirements, methods and tools are applied correctly.

Potential Types of Attacks

Part of the design of the metaverse is its immersive nature, which could see users targeted by malicious actors and attackers in new ways we might not be prepared for. Presented here are types of attacks which could happen.

Subliminal Messaging: Subliminal messaging is any messaging that exists at or below the threshold of consciousness. Sensory hijacking is the very core of virtual reality immersion; it is what VR does and how it does it. This is a good thing, of course, if the VR tricking your subconscious mind is doing so for educational, empathic, therapeutic or even entertainment purposes, as long as the relationship is mutually beneficial and has both parties' best interests at heart. Without any unknown exploitation, this is consensual manipulation.

But if it is used to manipulate the user into believing something or buying something, it becomes dangerous: it is parasitism. Researchers have suggested that subliminal messages gain their potential influence and power from being able to circumvent the critical functions of the conscious mind.

One way to address this could be greater awareness of consent in VR, AR and other emerging technologies that could conceivably carry powerful subliminal ads. Subliminal messaging, the sidestepping of the conscious filter, is inherently non-consensual. But detecting the presence of subliminal ads and messaging is inherently difficult: it is costly and technically demanding, and even finding the offending content is tricky, since it was intentionally designed to be processed below a person's level of awareness.

Ideally, through research, regulation, guidance and standards, we will get ahead of this before it becomes a problem; once the genie is out of the bottle it becomes difficult, but not impossible, to get it back in.

Purposely Induced Motion Sickness: As VR headsets began arriving in large numbers through the mid 2010s, for all their promise across a wide range of application areas including medicine, education, art and especially gaming, some users experienced severe 3D motion sickness, which put many of those who experienced it off the idea of VR. The industry learned that the 3D motion sickness was being caused by a severe mismatch between the motion sensed by the user's eyes and what was being sensed by the user's inner-ear vestibular system, which is involved in controlling balance. This was nothing new: a user having to adapt to their body being stationary while the visual system perceived movement. The new wrinkle introduced by 3D HMDs was the giant field of view in which the user was totally immersed. Furthermore, the discomfort could be exacerbated by factors such as image resolution, cursor delay and content not being rendered quickly enough (for example, when a user turns their head from one direction to another). Later generations of headsets have taken positive steps to solve these issues, and SDOs such as the IEEE 3079 Cybersickness Reduction Working Group have draft standards in development which seek to provide industry references for tackling issues such as latency and synchronisation in VR.

So why could this be a problem if industry is working to solve it? If motion sickness arises from design flaws or defects, there is the potential for someone to take advantage of a vulnerability in the software or hardware to manipulate the factors that cause it in a manner intended to cause harm. If the user is lucky they react quickly enough to remove the headset, but if they do not, the environment people use VR in is not always ideal, especially at home, and if they stumble or fall there is a real risk of head or bodily injury, ranging from a sore head to concussion or even death if they strike an object. When a user has a VR headset on they are vulnerable because they lose awareness of their actual surroundings, so from a design perspective a VR headset should have measures in place to prevent that vulnerability from becoming a harmful risk.

Audio/Eavesdropping attacks: Voice command features on VR headsets introduce vulnerabilities that could lead to serious eavesdropping attacks on privacy, researchers have found. The research shows attackers could use popular AR/VR headsets with built-in motion sensors to record subtle, speech-associated facial dynamics and so steal sensitive information communicated via voice command, including credit card data and passwords. Although vendors usually have policies governing use of the microphone for voice access, research has found that the built-in motion sensors, such as the accelerometer and gyroscope within a VR headset, may not require any permission to access. This weakness can be exploited by malicious actors intent on eavesdropping. Such attackers can derive simple speech content, including digits and words, and from it infer sensitive information such as credit card numbers, Social Security numbers, phone numbers, PINs, transactions, birth dates and passwords. Exposing such information could lead to identity theft, credit card fraud and leakage of confidential and health care information.

Once a user has been identified by an attacker, an eavesdropping attack can lead to further exposure of the user's sensitive information and lifestyle, such as AR/VR histories, game/video preferences and shopping preferences. To reduce the risk of audio/eavesdropping attacks, manufacturers of VR headsets could consider additional security measures, such as adding ductile materials to the foam replacement cover and the headband, which may attenuate the speech-associated facial vibrations that would otherwise be captured by the built-in accelerometer or gyroscope.


Even if the metaverse does not take off as envisioned, it is unlikely this work would be wasted; it will be applied in some form, as an ever more connected world will require solutions that can meet the challenges of securing the growing number of IoT devices, smart systems and services from homes to cities, and connected vehicles and transport on land, air and sea, regardless of how we interact with them.



