What Happens When the Metaverse Enters Your Attack Surface?

Tenable polled 1,500 cybersecurity, IT and DevOps professionals about their top concerns in the nascent virtual reality worlds of the metaverse. Here's what we found out.

Here at Tenable, we often discuss the challenges faced by cybersecurity professionals as they grapple with protecting an ever-expanding attack surface that includes on-premises infrastructure as well as public and private clouds, identity and privilege management systems and web applications. Soon to be added to that mix: the metaverse.

It’s easy to think of “the metaverse” as one monolithic online world of virtual reality (VR) and augmented reality (AR) experiences. But such framing couldn’t be farther from the truth. The company formerly known as Facebook, which has rebranded itself as Meta, is just one of many organizations exploring the potential of the metaverse. There is the opportunity for unlimited metaverse instances to be built by various platform developers and vendors. The metaverse is calculated by Bloomberg to be an $800 billion market as early as 2024, driven by video gaming, live entertainment and sports content and social networking opportunities.

While that’s exciting news for businesses looking for creative and groundbreaking ways to engage customers online, it’s also alarming to those whose primary role is to keep organizations secure.

To fully understand how prepared organizations are to either create their own metaverse initiatives or participate in the worlds created by others, Tenable conducted an in-depth study across Australia, the United Kingdom and the United States. The study, “Measure Twice, Cut Once: Meta-curious Organizations Relay Cybersecurity Concerns Even as They Plunge Into Virtual Worlds,” was conducted by Opinion Matters on behalf of Tenable and surveyed 1,500 professionals representing roles in cybersecurity, DevOps and IT engineering.

Almost seven in 10 (68%) respondents stated that their organizations have plans to do business in the metaverse over the course of the next six to 36 months. A further 23% of all respondents have already begun developing initiatives in the metaverse in the past six months. Yet, many organizations are seriously concerned about the security associated with virtually hosted applications; four in 10 respondents (41%) indicated that security is the top consideration — even more than macroeconomic conditions — affecting their organization’s metaverse investment decisions.

Although many of the emerging technologies being used to access the metaverse (such as AR, VR and artificial intelligence) are familiar to security professionals today, the ability to secure them while operating in a shared virtual environment is not assured. Only 48% of respondents are very confident that existing cybersecurity measures in their organizations are sufficient to curb cyberthreats in the metaverse. Nine in 10 respondents agree that organizations need to adequately develop a cybersecurity framework prior to offering services in such a virtual environment.

Four key areas of cybersecurity concern

Respondents cited the following cybersecurity concerns about doing business in the metaverse:

1. Cloning of voice and facial features and hijacking video recordings using avatars. The vast majority of respondents (79%) say it is very likely or somewhat likely that the cloning of voice and facial features and the hijacking of video recordings using avatars will occur in the metaverse.
2. Invisible-avatar eavesdropping or 'man in the room' attacks. Vulnerabilities in VR software could open the door to “peeping Tom” scenarios, with (78%) of respondents saying such attacks are very likely or somewhat likely.
3. Conventional phishing, malware and ransomware attacks. The same cyberthreats that organizations currently contend with will also carry into various metaverses. The vast majority of respondents (81%) say it is likely or somewhat likely that conventional phishing, malware and ransomware attacks might occur in the metaverse.
4. Compromised machine identities and application programming interface (API) transactions. Almost four in five respondents (78%) think it is very likely or somewhat likely that compromised machine identities and API transactions might occur across metaverses.

Learn more

• To learn more about each of these concerns, as well as Tenable’s recommendations for how you can prepare your security posture to accommodate this brave new world, download the study “Measure Twice, Cut Once: Meta-curious Organizations Relay Cybersecurity Concerns Even as They Plunge Into Virtual Worlds.”
• For a quick snapshot of the findings, check out the infographic here.