Jaeson Schultz is a technical leader for Cisco’s Talos Security Intelligence & Research Group, one of the largest commercial threat intelligence teams in the world. Schultz, along with other expert researchers, analysts and engineers, spends his days working to make the internet safer for everyone. Lately, he’s been thinking a lot about the metaverse, and what it will take to make that safer, too. Here, he shares his insights on a topic bound to affect us all in the future.
The internet you know today is gradually going the way of the original web. Those of us old enough will remember web 1.0–that clunky world of screeching modems where companies essentially created online brochures and Amazon made its debut as “the world’s largest bookstore.” Then came web 2.0, with everything-as-a-service delivered by centralized applications and social apps hosted by cloud giants.
At some point in the future, we’ll regard web 2.0 in the same way we think of those ancient dial-up days. That’s because the internet is already changing into an online world of decentralized applications and file storage, known as web 3.0 or simply web3.
The aspect of web3 that’s most exciting–and most concerning to cybersecurity wonks like me–is the metaverse, an immersive 3D experience where people can explore, shop, play games, spend time with distant friends, attend a concert, or hold a business meeting. The metaverse is what bold virtual reality pioneers envisioned way back in the ‘90s when most people lacked the compute power, storage, or network bandwidth to make it real.
Think of the metaverse as the next iteration of social media. It’s a place where internet users will increasingly spend hours and money engaging with friends, content, goods, and services.
To enable this, metaverse users and platforms are relying on cryptocurrency and its underlying blockchain technology. Cryptocurrency in particular is playing a huge role in both making metaverse experiences possible–it’s largely how people pay for goods and services in virtual worlds–and in presenting uniquely vexing cybersecurity challenges.
How the crypto crash may help us
For one thing, cryptocurrency itself can be staggeringly risky, as millions of crypto investors recently learned the hard way. Since late 2021, $2 trillion in cryptocurrency wealth has vanished. After investors witnessed both currencies and established crypto exchanges crash and burn, the FOMO that prompted millions to buy Bitcoin, Ethereum and the rest when crypto values were on the rise appears to have evaporated to some degree. A recent survey found that 60% of cryptocurrency investors expect Bitcoin’s value to continue to decline.
As it turns out, a lot of people seem to have decided they aren’t ready to act as their own banks, which essentially is what cryptocurrency requires today. And while they wait for the crypto winter to thaw, those of us with an eye on the security implications of crypto-funded metaverse experiences see this as a golden opportunity.
We can use this break to build a more secure metaverse.
Sizing up the risks of the metaverse
The metaverse today is already experiencing security growing pains. Much of this has to do with the use of cryptocurrency blockchains, which function as a distributed public ledger of all historical transactions. Armed with the hash of a transaction, or the address of a cryptocurrency wallet, anyone can examine any of the transactions that have previously occurred.
This is great for transparency, which is one of the big selling points of cryptocurrency. But it also means everyone has access to all the information available on that blockchain. And not everyone can be trusted. Here are five areas where the metaverse presents security risks.
- Cryptocurrency wallets as metaverse identities. Identity in the metaverse is directly tied to your cryptocurrency wallet–a virtual or physical cache of currency, collectibles, in-world progress, and more. While connecting to metaverse experiences via crypto wallets doesn’t intrinsically result in security issues, it can invite them. Bad actors, for instance, can in some cases track wallet addresses to unearth a wallet holder’s real-world identity. But that’s just the beginning.
- Smart contracts, both buggy and malevolent. In addition to wallet addresses, you might find cryptocurrency addresses belonging to “smart contracts.” A smart contract is a computer program deployed on a blockchain; most are deployed on the Ethereum blockchain. Smart contracts enable users to interact with the blockchain ecosystem, including making purchases with cryptocurrency to unlock metaverse experiences like gaming, or to purchase non-fungible tokens (NFTs), which we’ll cover below. These digital contracts are trustless, autonomous, decentralized, and transparent; they’re also usually irreversible and unmodifiable once deployed. This can be a problem if they’re written by nefarious parties who have no intention of interacting honestly with wallet holders. It also can be a problem when bugs in even legitimate smart contracts are exploited by hackers.
- ENS squatting. Now comes the Ethereum Name Service (ENS), a kind of blockchain version of the internet’s domain name system. Except that instead of a friendly name like cisco.com which points to an internet IP address, ENS names are friendly names that point to cryptocurrency wallet addresses. Anyone can register any name, and owing to the blockchain, that name cannot be taken away once registered. As a consequence, some names, such as cisco.eth, may not actually be owned by the legal owner of that trademark. Who would squat on an ENS name? Bad actors might. And if those bad actors do their work well, wallet holders could conduct transactions with a metaverse experience built solely to scam them.
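One defensive check a wallet or platform can run before a transaction goes out is to treat an ENS name the way a browser treats a domain: resolve it, compare the result with an address the user has already pinned as legitimate, and flag labels that look like a trusted name without being it. The following Python is an added illustration written for this article, not code from Cisco Talos or from the ENS project; the resolver table, the pinned addresses and the lookalike names are constructed, and the confusable folding is a deliberately small stand-in for the full ENS name normalization rules.

```python
import unicodedata
from typing import Dict, Optional

# Constructed stand-in for live ENS resolution (hypothetical names and addresses).
# The second entry uses a Cyrillic "і" (U+0456) in place of the Latin "i".
RESOLVER: Dict[str, str] = {
    "cisco.eth": "0x1111111111111111111111111111111111111111",
    "cіsco.eth": "0x2222222222222222222222222222222222222222",
    "cisc0.eth": "0x3333333333333333333333333333333333333333",
}

# Addresses the user or platform has pinned as the legitimate resolution of a name.
PINNED: Dict[str, str] = {
    "cisco.eth": "0x1111111111111111111111111111111111111111",
}


def has_mixed_scripts(label: str) -> bool:
    """True if a label mixes Unicode scripts (Latin plus Cyrillic, say), a classic lookalike trick."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # Unicode character names start with the script, e.g. "LATIN SMALL LETTER I".
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return len(scripts) > 1


def skeleton(name: str) -> str:
    """Crude confusable skeleton: NFKC-normalize, lowercase, fold common digit/letter lookalikes.
    Assumption: a small hand-picked fold table is enough to demonstrate the idea."""
    folded = unicodedata.normalize("NFKC", name).lower()
    fold = str.maketrans({"0": "o", "1": "l", "і": "i", "а": "a", "е": "e", "о": "o", "с": "c", "р": "p"})
    return folded.translate(fold)


def is_lookalike(name: str, trusted: str) -> bool:
    """A different name whose skeleton collides with a trusted name's skeleton."""
    return name != trusted and skeleton(name) == skeleton(trusted)


def check_recipient(name: str, resolver: Optional[Dict[str, str]] = None) -> dict:
    """Evaluate an ENS name before sending: resolve it, compare with the pinned address, flag lookalikes."""
    resolver = RESOLVER if resolver is None else resolver
    resolved = resolver.get(name)
    label = name.rsplit(".", 1)[0]
    findings = []
    if resolved is None:
        findings.append("name does not resolve")
    if has_mixed_scripts(label):
        findings.append("mixed-script label")
    for trusted in PINNED:
        if is_lookalike(name, trusted):
            findings.append(f"lookalike of pinned name {trusted}")
    pinned = PINNED.get(name)
    if pinned is not None and resolved is not None and resolved.lower() != pinned.lower():
        findings.append("resolved address differs from pinned address")
    return {"name": name, "address": resolved, "ok": not findings, "findings": findings}


if __name__ == "__main__":
    for candidate in ("cisco.eth", "cіsco.eth", "cisc0.eth", "nosuch.eth"):
        print(check_recipient(candidate))
```

The pinned-address comparison is the check that matters most in practice: a squatted or hijacked name resolves somewhere, and only a previously verified address tells the wallet that "somewhere" is wrong.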
- Non-fungible tokens (NFTs). NFTs are unique digital tokens that represent ownership over various items that users take with them into the metaverse. These items may take the form of monkey or cat drawings created by NFT artists, or even wearables for your avatar, or images and other content from brands like Disney and Pixar. NFTs can even be dangerous when the smart contract governing them is malicious. They invite additional security problems because they’re often in such high demand among a certain set of collectors—and when people really want something, they’ll sometimes take risks to get it. Which leads me to…
- Seed phrase scams. Seed phrases are a kind of last-resort, backdoor password for crypto wallet holders to gain access to their wallets if they lose their primary passwords. Users are advised never to share their seed phrase with anyone. Numerous social engineering scams are designed to trick users into giving up their seed phrase, including posing as technical support reps or other legitimate personnel from some project. Some metaverse scams post notices on otherwise legitimate forums like Discord announcing the free availability of a limited number of new NFTs expected to be worth hundreds or even thousands of dollars; all users have to do to receive one is sign up using their seed phrase. Once that information is shared with attackers, the wallet is effectively theirs.
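Because the lure described above follows a recognizable pattern (a mention of the seed or recovery phrase, a request to submit it, a free or limited-time reward, and often a claim to be staff), a community moderation bot can score messages for it and hold suspicious ones for review. The Python below is an added example for this article, not a Cisco Talos tool or a Discord feature; the sample messages are constructed to mirror the scam text described in the list item, and the term lists and threshold are assumptions a real deployment would tune.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample forum messages (not real posts). Message 1 mirrors the free-NFT lure
# described above; message 2 is a support impersonation; 3 and 4 are benign.
MESSAGES: List[Dict[str, object]] = [
    {"id": 1, "author": "mod-team",
     "text": "Free mint! Limited 500 NFTs worth $2,000 each. To claim, sign up with your seed phrase at the link."},
    {"id": 2, "author": "support_helper",
     "text": "Hi, I'm from support. DM me your 12 word recovery phrase so I can fix your wallet."},
    {"id": 3, "author": "alice",
     "text": "Does anyone know when the next community call is?"},
    {"id": 4, "author": "bob",
     "text": "Reminder: never share your seed phrase with anyone, including staff."},
]

# Indicator patterns (assumed vocabulary; extend from real moderation data).
SECRET_TERMS = re.compile(r"\b(seed|recovery|secret|mnemonic)\s+(phrase|words?)\b|\b(12|24)[ -]?word", re.I)
ASK_TERMS = re.compile(r"\b(dm|send|enter|sign up|claim|submit|verify|confirm)\b", re.I)
LURE_TERMS = re.compile(r"\b(free|limited|worth|giveaway|airdrop|mint)\b|\$\d", re.I)
IMPERSONATION = re.compile(r"\b(support|admin|staff|team|official)\b", re.I)
WARNING = re.compile(r"\bnever\s+(share|give|enter)\b", re.I)

FLAG_THRESHOLD = 3  # assumed: needs the secret-phrase mention plus at least one more indicator


@dataclass
class Verdict:
    msg_id: int
    score: int
    reasons: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def assess(msg: Dict[str, object]) -> Verdict:
    """Score one message: seed-phrase solicitation is the anchor, other indicators add weight."""
    text = str(msg["text"])
    if not SECRET_TERMS.search(text):
        return Verdict(int(msg["id"]), 0)  # no seed-phrase talk at all: not this scam
    if WARNING.search(text):
        return Verdict(int(msg["id"]), 0, ["mentions seed phrase only as a warning"])
    score, reasons = 2, ["mentions seed/recovery phrase"]
    if ASK_TERMS.search(text):
        score, reasons = score + 1, reasons + ["asks the user to submit it"]
    if LURE_TERMS.search(text):
        score, reasons = score + 1, reasons + ["free/limited reward lure"]
    if IMPERSONATION.search(text) or IMPERSONATION.search(str(msg["author"])):
        score, reasons = score + 1, reasons + ["claims to be staff/support"]
    return Verdict(int(msg["id"]), score, reasons)


def flagged_ids(messages: List[Dict[str, object]]) -> List[int]:
    """IDs of messages that should be held for moderator review."""
    return [v.msg_id for v in map(assess, messages) if v.flagged]


if __name__ == "__main__":
    for m in MESSAGES:
        v = assess(m)
        print(m["id"], "FLAG" if v.flagged else "ok  ", v.score, v.reasons)
```

Keying the score on the seed-phrase mention keeps ordinary chatter about free mints from being quarantined, and the warning pattern keeps the bot from punishing the very reminders that protect users.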
There are other risks, but these should give you an idea of how this new world is breeding new security concerns.
Building a safer metaverse
Now is the time we should be thinking about, and acting on, new measures to secure the metaverse.
To begin with, metaverse platform and service providers must step up. They and their constituents have a lot to lose, which, let’s be honest, is the primary incentive for bolstering cybersecurity protections no matter where you go. They need to examine how they interact with users, and where the security gaps are. They must understand their vulnerabilities and take a risk-based approach to addressing them. They must invest in security resilience, because cybercriminals are evolving as rapidly as the techniques defenders use to combat them.
Some platform providers are already taking action. Crypto marketplace OpenSea recently announced it will hide fraudulent transactions from users to protect them from scammers. This is a good start, and in a way it serves as a kind of model for other platforms. At Cisco Talos, we know from experience how algorithms driven by machine learning are enormously helpful in identifying potential and active threats. That same kind of technology can be deployed to help gaming, shopping, trading, and other platforms find and eliminate threats for their users.
There’s still time for further protections, such as systems that create abstraction layers between users’ wallet identities and their metaverse presence. As the metaverse evolves, we must take a feature-by-feature approach to locking down the web3 experience. After all, that’s how internet security evolved in the first place.
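One concrete shape such an abstraction layer can take is an identity broker that hands each platform a stable, keyed pseudonym instead of the wallet address, keeping the pseudonym-to-wallet directory on the broker side only. The Python below is an added sketch for this article, not a design from Cisco or from any metaverse platform; the broker class, the platform names and the wallet addresses are constructed. It also shows why the derivation must be keyed: an unkeyed hash of a public address can be relinked by anyone who hashes the addresses visible on the public ledger described earlier.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional


class IdentityBroker:
    """Per-platform identity layer (hypothetical design).

    The platform sees only `pseudonym(wallet)`; the wallet address stays in the
    broker's directory. Different platforms hold different keys, so the same
    wallet gets unlinkable handles on each of them.
    """

    def __init__(self, platform_id: str, key: Optional[bytes] = None) -> None:
        self.platform_id = platform_id
        self._key = key if key is not None else secrets.token_bytes(32)
        self._directory: Dict[str, str] = {}  # handle -> wallet, broker-side only

    def pseudonym(self, wallet: str) -> str:
        """Stable handle for this wallet on this platform, derived with a keyed hash."""
        msg = f"{self.platform_id}:{wallet.lower()}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        handle = "user-" + mac[:16]
        self._directory[handle] = wallet.lower()
        return handle

    def wallet_for(self, handle: str) -> Optional[str]:
        """Only the broker can map a handle back (e.g. to settle a purchase)."""
        return self._directory.get(handle)


def naive_pseudonym(wallet: str) -> str:
    """What NOT to do: an unkeyed hash of a public address."""
    return "user-" + hashlib.sha256(wallet.lower().encode()).hexdigest()[:16]


def observer_relink(handle: str, public_addresses: Iterable[str],
                    derive: Callable[[str], str]) -> Optional[str]:
    """What an outside observer can try: re-derive handles for addresses seen on the
    public ledger and look for a match. Succeeds against naive_pseudonym, fails against
    a keyed derivation the observer cannot reproduce."""
    for addr in public_addresses:
        if derive(addr) == handle:
            return addr.lower()
    return None


def linkable_across(wallet: str, brokers: Iterable[IdentityBroker]) -> bool:
    """True if any two platforms would see the same handle for this wallet."""
    handles = [b.pseudonym(wallet) for b in brokers]
    return len(set(handles)) < len(handles)


if __name__ == "__main__":
    # Constructed wallet addresses and platform keys.
    wallet = "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01"
    shop = IdentityBroker("shop", key=b"\x01" * 32)
    concert = IdentityBroker("concert", key=b"\x02" * 32)
    print("shop handle:   ", shop.pseudonym(wallet))
    print("concert handle:", concert.pseudonym(wallet))
    print("relink naive:  ", observer_relink(naive_pseudonym(wallet), [wallet], naive_pseudonym))
    print("relink keyed:  ", observer_relink(shop.pseudonym(wallet), [wallet], naive_pseudonym))
```

The handle is what appears in chat, leaderboards and friend lists; payments still settle against the wallet, but only through the broker, so a purchase on one platform does not reveal the buyer's presence on another.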
And because the metaverse is likely to become a fully integrated and open environment, one in which a virtual good purchased on one platform could be worn or used on another, we must take the same approach to security. Proprietary solutions will have no place here. The very ethos of web3 demands it. At Cisco, we’re already creating that open, integrated environment for the multi-cloud future every business is adopting. It’s a perfect fit for the metaverse.
Eventually, the crypto winter will end, so we can’t waste this opportunity to build a safer metaverse before the insanity returns. Security industry leaders should take this moment to map out a secure future for this next generation of the internet.