The metaverse(s), whatever it will be, may be essential to our near digital future. It is sometimes referred to as the next iteration of the Internet. Web 2.0 has many security issues, so we can safely forecast that Web 3.0 and the metaverse(s) will carry as many risks, and most probably more. Thus, it is interesting to analyze some potential threats even if the metaverse(s) is not yet here.
Europol (The European Union Agency for Law Enforcement Cooperation) is the law enforcement agency of the European Union. Therefore, Europol is knowledgeable about crime. Their innovation laboratory published an interesting report: “Policing in the metaverse.”
The report does not precisely define what the metaverse is, but it gives a relatively good idea of what it may be. It does not tackle only the visible part of the metaverse (AR, VR, XR); it also describes the foreseen underlying infrastructure, with decentralized networks and blockchains.
The report explores seven topics related to crime in the metaverse:
- Identity: A large focus is put on the collection and reuse of additional biometric information.
With more advanced ways to interact with the system by using different sensors, eye tracking, face tracking and haptics for instance, there will be far more detailed biometric information about individual users. That information will allow criminals to even more convincingly impersonate and steal someone’s identity. Moreover, this information may be used to manipulate users in a far more nuanced, but far more effective way than is possible at present on the Internet.
It will become difficult to trust the identity or the avatars. Impersonation of virtual personas will be an interesting threat.
The more detailed that data becomes and the more closely that avatar resembles and represents the actual user, the more this becomes a question of who owns the user’s identity, the biometric and spatial information that the user provides to the system.
- Financial: money laundering and scams. The current state of cryptocurrencies and NFTs paints a scary picture of the future.
- Harassment
- Terrorism: Europol foresees that terrorist organizations will use it as a recruiting service and a training playground.
- Mis- and disinformation
- Feasibility of monitoring and logging evidence: This will be a challenging task.
- Impact in the physical world: This will be an extraordinary playground for attackers. Device manufacturers will have to build in countermeasures from the start.
An immersive XR experience provides an opportunity to influence a user in the physical world through the manipulation of the virtual environment. Users can be tricked into hitting objects and walls, or being moved to another physical location, through what is called a ‘Human Joystick Attack’. A perhaps simpler way is to alter the boundaries of a user’s virtual world through a ‘Chaperone Attack’. A third attack type is the ‘Overlay Attack’, in which the attacker takes complete control over the user’s virtual environment and provides their own overlay – the input which defines what users see and perceive in a virtual environment.
The report highlights the need for moderation. It explains that the challenge will be larger than the current one for Web 2.0.
It will not just be a matter of moderating vastly more content, but also of behaviour, which is both ephemeral in nature and even more context-dependent than the content we are currently used to.
This report is a must-read for anyone interested in security for Web 3.0 and the metaverse(s). It is not technical and provides a long list of worrying issues. The mere fact that Europol publishes on the topic is already a good indicator that this matter will be critical in the future.