This is our chance to secure the metaverse – TechCrunch

Jason Schultz is a technical lead for Cisco’s Talos Security Intelligence & Research Group, one of the largest commercial threat intelligence teams in the world. Schultz, along with other expert researchers, analysts, and engineers, spend their days working to make the internet safer for everyone. Lately he’s been thinking a lot about the metaverse and what it would take to make it more secure as well. Here he shares his thoughts on a topic that will affect us all in the future.

The internet you know today is gradually taking over from the original web. Those of us old enough will remember Web 1.0 – that clunky world of screaming modems where companies basically created online brochures and Amazon made its debut as “the largest bookstore in the world”. Then came web 2.0, with everything as a service provided by centralized apps and social apps hosted by cloud giants.

At some point in the future, we will think of Web 2.0 the same way we think of those old days of remote access. Indeed, the Internet is already transforming into an online world of decentralized applications and file storage, known as Web 3.0 or simply Web3.

The aspect of web3 that is most exciting – and most worrisome for cybersecurity buffs like me – is the metaverse, an immersive 3D experience where people can explore, shop, play games, hang out with distant friends, attend a concert, or hold a business meeting. The Metaverse is what bold VR pioneers envisioned in the 90s, when most people lacked the computing power, storage, or network bandwidth to make it real.

Think of the metaverse as the next iteration of social media. It’s a place where people will spend more and more time and money interacting with friends, content, goods and services.

To do this, metaverse users and platforms rely on cryptocurrency and its underlying blockchain technology. Cryptocurrency, in particular, plays a huge role both in creating metaverse experiences – it’s largely how people pay for goods and services in virtual worlds – and in presenting particularly vexing cybersecurity challenges.

For one thing, cryptocurrency itself can be extremely risky, as millions of crypto investors have recently learned the hard way. Since the end of 2021, $2 trillion in cryptocurrency wealth has disappeared. After investors saw the currencies and established crypto exchanges crash and burn, the FOMO that prompted millions to buy Bitcoin, Ethereum and the rest when crypto values ​​were on the rise seems to have evaporated to some degree. A recent survey revealed that 60% of cryptocurrency investors expect The value of bitcoin continues to fall.

It turns out that a lot of people seem to have decided that they weren’t ready to act like their own banks, which is essentially what cryptocurrency demands today. And while they wait crypto winter to unfreeze, those of us with an eye for the security implications of crypto-funded metaverse experiments see this as a golden opportunity.

We can use this break to create a more secure metaverse.

Today, the metaverse is already experiencing growing security challenges. Much of this is related to the use of cryptocurrency blockchains, which function as a distributed public ledger of all historical transactions. Armed with the hash of a transaction or the address of a cryptocurrency wallet, anyone can review any of the transactions that have taken place previously.

This is great for transparency, which is one of the biggest selling points of cryptocurrency. But it also means that everyone has access to all the information available on this blockchain. And not everyone is trustworthy. Here are five areas where the metaverse presents security risks.

  • Cryptocurrency wallets as metaverse identities. Identity in the metaverse is tied directly to your cryptocurrency wallet – a virtual or physical cache of currencies, collectibles, world progress, and more. While connecting to metaverse experiences via crypto wallets does not inherently cause security issues, it can invite them. Bad actors, for example, can in some cases track wallet addresses to uncover the real identity of a wallet holder. But this is only the beginning.
  • Smart contracts, both buggy and malicious. In addition to wallet addresses, you can find cryptocurrency addresses belonging to “smart contracts”. A smart contract is a computer program deployed on a blockchain; most are deployed on the Ethereum blockchain. Smart contracts allow users to interact with the blockchain ecosystem, including making purchases with cryptocurrency to unlock metaverse experiences like games, or to buy non-fungible tokens (NFTs), which we’ll cover. below. These digital contracts are trustless, autonomous, decentralized and transparent; they are also usually irreversible and unmodifiable once deployed. This can be a problem if they are written by nefarious parties who have no intention of interacting honestly with wallet holders. It can also be a problem when bugs, even in legitimate smart contracts, are exploited by hackers.
  • ENS crouching. Now comes the Ethereum Naming Service (ENS), a sort of blockchain version of the Internet’s domain name system. Except that instead of a friendly name like that points to an Internet IP address, ENS names are friendly names that point to cryptocurrency wallet addresses. Anyone can register any name, and thanks to the blockchain, that name cannot be removed once registered. Therefore, some names, such as cisco.eth, may not belong to the legal owner of that trademark. Who would squat an ENS name? Bad actors might. And if these bad actors do their job well, wallet holders could transact with a metaverse experience designed solely to scam them.
  • Non-fungible tokens (NFT). NFTs are works of unique digital tokens that represent ownership of various items that users take with them into the metaverse. These elements can be in the form of drawings of monkeys or cats created by NFT artists, or even clothing for your avatar, or images and other content from brands such as Disney and Pixar. NFTs can even be dangerous when the smart contract that governs them is malicious. They invite additional security concerns because they are often in high demand by a certain group of collectors – and when people really want something, they sometimes take risks to get it. Which brings me to…
  • Scams at the start phrase. Seed phrases are a kind of last resort password and backdoor allowing crypto wallet holders to access their wallets if they lose their master passwords. Users are advised never to share their seed phrase with anyone. Many different social engineering scams are designed to trick users into dropping their seed phrase, including posing as tech support representatives or other legitimate members of a project’s staff. Some metaverse scams post reviews otherwise legit forums like Discord announcing the free availability of a limited number of new NFTs that are expected to be worth hundreds or even thousands of dollars; all users need to do to receive one is sign up using their seed phrase. Once this information is shared with the attackers, the wallet effectively belongs to them.

There are other risks, but these should give you an idea of ​​how this new world brings new security issues.

Now is the time to reflect and act on new measures to secure the metaverse.

For starters, metaverse platform and service providers need to step up. They and their constituents have a lot to lose, which, let’s be honest, is the main incentive to strengthen cybersecurity protections wherever you go. They need to consider how they interact with users and where the security holes are. They need to understand their vulnerabilities and take a risk-based approach to addressing them. They must invest in security resiliencebecause cybercriminals evolve as quickly as the techniques defenders use to fight them.

Some platform providers are already taking action. Crypto market OpenSea recently announced that it hide fraudulent transactions users to protect them from scammers. It’s a good start, and in a way it kind of serves as a template for other platforms. At Cisco Talos, we know from experience how extremely useful machine learning-driven algorithms are in identifying potential and active threats. This same type of technology can be deployed to help gaming, shopping, commerce, and other platforms find and eliminate threats to their users.

There is still time for other protections, such as systems that create layers of abstraction between users’ wallet identities and their presence in the metaverse. As the metaverse evolves, we need to take a feature-by-feature approach to locking down the Web3 experience. After all, that’s how internet security evolved in the first place.

And because the metaverse is likely to become a fully integrated and open environment, where virtual good purchased on one platform could be ported or used on another, we need to take the same approach to security. Proprietary solutions will have no place here. The very philosophy of web3 demands it. At Cisco, we are already creating this open and integrated environment for the multicloud future every company adopts. It’s a perfect fit for the Metaverse.

Eventually, the crypto winter will end, so we can’t waste this opportunity to build a safer metaverse before the madness returns. Security industry leaders should use this moment to chart a secure future for this next generation of the Internet.


Comments are closed.