English | EN 
To quote Mark Zuckerberg’s favorite slogan: “The metaverse may be virtual, but the impact will be real”. While Meta uses this catch phrase to let us dream about all its potential applications in education, healthcare, etc., the quote holds true for the other side of the coin as well: while the metaverse may be virtual, any negative impact will also be very real.
Though security is already a major component of the IT landscape today, its relevance and importance will only rise when talking about the metaverse. Some focus areas of security testing are similar between ‘the metaverse’ and traditional IT:
- Network and infrastructure security
To make the metaverse run smoothly and continuously for the end user, it is important that the infrastructure is adequately protected against malicious intent, such as cyber attacks or hacking attempts. Additionally, the physical infrastructure itself needs to be secured against threats such as robbery or destruction, but also against natural events such as earthquakes or floods. - Application security
Application security needs to be guaranteed, not only to make sure that the applications and the virtual world continues to run smoothly, but to avoid exposing users to risks or vulnerabilities as well. - Authentication and access control
Testing the security of the systems and processes that are used to verify user identities will help prevent unauthorized access and protect against identity theft and other forms of online crime. - Data security
Apart from physically protection the data storage location, it is necessary to also secure the way data is transmitted, processed, and stored, to make sure it is not accessed or used by unauthorized parties.
In addition to standard security practices, some areas in the metaverse deserve some special attention:
- Financial data and cryptocurrencies
No matter which direction the metaverse evolves towards, part of it will always have a marketplace function, meaning there will be the need for smooth and secure transactions. With the fragmentation of the financial landscape, any metaverse space hoster will need to juggle and integrate various payment options, combining traditional payment means (credit card, debit card, postponed payment) with a variety of cryptocurrencies and wallet solutions. Integrating all these options and technologies inherently carries a risk that needs to be addressed accordingly. - Personal data and biometrics
It is self-evident that personal data such as name, gender, address, phone number, etc., need to be protected and kept safe to avoid any malicious intent.
With the added peripherals we have and will have in the metaverse, other sensitive data will become available as well.- VR goggles today already utilise eye tracking software for optimal performance. If we go a step further, it is not unthinkable that we will have features such as retinal scans or facial features scanning. Obtaining the data on someones retinal scan could pose a serious security threat.
- Additionally, if someone were to get a hold of a scan of your facial features, and combine it with voice sample data, speech patterns, and small idiosyncracies, it would be relatively easy to create a realistic deepfake of you.
- Beyond malicious intent, there are also ‘commercial’ threats. Let us assume a metaverse user is wearing VR glasses, a smartwatch, and a connected phone. This means the application potentially has acces to: fingerprint scan data, biometric data such as bloodpressure, body temperature and heartrate, physical activity and geograhpical info, etc. With info like this, how hard would it be to created targetted ads for runners or cyclists? Admittedly, that doesn’t sound like the worst, right? But what if your medical data is illegitimately obtained, and somehow makes you ineligible for affordable health insurance?
- Safeguarding digital assets
In the physical world, protecting your assets is straightforward: you install smoke detectors to warn you for a fire, you install locks and alarms to protect you from theft, and you insure your property in case anything unexpected happens. In the virtual realm, things don’t quite work the same. Any metaverse space is built out of digital assets, some of which may hold real life value (e.g. Roblox, Decentraland, etc.). That means it is important that there are ways to keep your digital assets safe. Not only do there need to be preventive actions, i.e. using the application to make sure certain actions are not possible, there need to be restore options as well in case something went wrong. Simply put: you don not want to give the user the option to burn down a house – and if someone does manage to burn down your virtual house, ideally there are disaster recovery procedures that allow you to restore it through a backup. - Avoiding unwanted user behavior
Building on the concept of restricting certain actions to prevent asset damage, the same is needed to avoid unwanted behavior. As the physical and virtual worlds collide, boundaries are fading, creating opportunities for users to misbehave. This article by the NYT describes users engaging in sexually inappropriate behaviour through their digital avatars. Actions like these not only have a severe impact on the end users, but could generate sizeable brand or reputation damage as well. From a security perspective, these actions would ideally be prevented instead of detected, or reported by end users.
Any IT organisation or software developer needs an ironclad security strategy these days, but companies engaging in metaverse activities will need to add these specificities in their approach. As QA professionals, we will need to adapt our way of thinking when it comes to security testing and be creative when searching for vulnerabilities or exploits. The success of a potential metaverse will hinge on its reliability and security, making a sound security strategy all the more important.
* https://www.nytimes.com/2021/12/30/technology/metaverse-harassment-assaults.html
