You have probably heard the buzz around the "metaverse". Some people believe that the metaverse is our inevitable future; others believe that it is a bubble that will eventually burst... Regardless of which side of the argument you are on, in this article I would like to discuss metaverse security.

In case you do not know yet (!), the term "metaverse" was originally coined in Neal Stephenson's 1992 novel, Snow Crash, to describe a virtual world, 21st century dystopia. The number of definitions has only grown since then.

"Three-dimensional Internet that is populated with live people" — Philip Rosedale (creator of Second Life)

"The next platform and medium will be more immersive, an embodied Internet where you are in the experience, not just looking at it and we call this the metaverse" — Mark Zuckerberg

In order to understand metaverse security, we first need to understand the intrinsic characteristics of the metaverse:

  • Immersiveness: Realistic to allow users to feel immersed
  • Hyper spatiotemporality: Breaks the limitations of time and space
  • Sustainability: Maintains a closed economic loop
  • Interoperability: Move seamlessly across worlds
  • Scalability: Handle many avatars and graphics
  • Heterogeneity: Virtual spaces, physical spaces, devices

In the metaverse, we will be interacting in a virtual world directed [possibly] by activities within a physical world. It is not actually real, but it feels real, to the point that you may not be able to tell the difference (immersive). The metaverse is supposed to be as sufficient as living in the real world, but in a virtual one. The metaverse is full of opportunities, providing smooth and multimodal interactions that may not even be possible in the real world.

All well! But what about "Security"?

Let's talk about the layers of the metaverse first. We can separate the metaverse into three main building blocks: Infrastructure (5G, WiFi, Cloud, Edge etc.), Human Interface (AR/VR, mobile, smart glasses) and Virtual World (and the ecosystem around it). Each one of these provides an angle for an attacker to exploit.

Infrastructure security

This is probably the layer that we are most familiar with and have the tools to protect from attackers. In the context of infrastructure security, there are multiple entry points for attackers. Obviously, AR/VR is an integral part of the metaverse, and the security of these devices is critical. If one can successfully compromise an AR/VR device, then the rest will follow. For example, attackers can move the person from one virtual world to another. Attackers can potentially cause physical harm to the user by disorienting the person. Keeping the devices up to date with patches (OS and apps) and hardening them with security controls are just some of the first steps to secure them.

AR/VR security is obviously the starting point, but then there is the security of the underlying physical infrastructure (cloud, edge, 5G etc.), the integrity and provenance of the software running on it, and so on...

What about identity?

Identity is probably the most important part of metaverse security. How do we make sure that the avatar you are interacting with in the metaverse is actually the one you intended to interact with (impersonation)? Would there be a central authority to provide such an identity service and its verification (linkability)? If so, how would this work if we go from one metaverse to another (interoperability)?

There is a common belief that there will NOT be just one metaverse, but rather multiple of them. Hence, interoperability will be crucial for seamless operation and interaction. But decentralization comes with its own challenges regarding identity and its consistency.

There are other identity-related questions in the metaverse: What if somebody steals my identity and operates on my behalf? How do we prevent or detect it?

What about my data?

Data privacy is another important aspect of metaverse security. Can somebody sneak into my room and listen to my conversation (man in the room)? How can I make sure that my data is transmitted securely and nobody is tampering with it (unauthorized data access)? Obviously, encryption of data "at rest" and "in transit" is critical here.

Another part of the story is AI security. Since AI is one of the most prominent enablers of the metaverse, how do we prevent false data injection, which might eventually affect the downstream AI models?

How about ownership?

Ownership is another important component of the metaverse. Given the leap in blockchain technology, NFTs can be used in the metaverse to prove ownership. Some of the questions are: How do I prove ownership in the metaverse? Can somebody steal from me? What if this is a fraud? How do I verify and make sure that I am not a victim of robbery or theft?

Societal Impacts

Given the penetration of technology in real life, we have been witnessing increased surveillance by governments in all areas of our lives. How is the concept of a "central authority" going to work in the metaverse? If a fight breaks out in the metaverse, who is going to intervene? Do we have a central authority, like a government, that can provide this service? If so, how do we make sure that the central authority is unbiased and fair to all parties? These are serious questions and should be considered carefully, as the societal implications can be foundational.

Conclusion

This article gives some starting points for thinking about metaverse security and its implications for our [new] world. As we see more adoption of AR/VR and more metaverse ecosystems, we will need to answer all of these questions to be able to operate securely in this new era.
