XRSI’s CEO, Kavya Pearlman, on “Why the fate of the metaverse could hang on its security” (VentureBeat)

Founded in 2006, VentureBeat is one of the leading sources for transformative tech news.

In January 2022, they started a special series of articles, dedicated to the present and the future of the Metaverse.

XRSI’s founder and CEO, Kavya Pearlman, was interviewed by reporter Kyle Alspach, who covered the security-related aspects of the next iteration of the Internet. “Cyberattacks old and new – explained – will inevitably find their way into the metaverse, highlighting a requirement for immersive virtual worlds to provide strong security from their inception.”

Kyle asked Kavya to cover two specific aspects of the challenges posed by immersive tech: attack surface and physical threats.

Metaverse knowns and unknowns

It’s not yet apparent exactly what the attack surface will look like in the metaverse. But there’s still a lot we can know about the potential security risks of the coming virtual world, experts told VentureBeat. Existing issues around web, application, and identity security are expected to crop up quickly on metaverse platforms — as attackers seize opportunities for fraud, theft, and disruption.

Meanwhile, malicious cyber activity that’s only possible in an immersive virtual setting — such as invisible eavesdropping and manipulating users into actual physical harm — has been pinpointed by researchers as a possible threat in the metaverse as well.

Kavya Pearlman, formerly the information security director for Linden Lab and its Second Life online virtual world, said that “extended reality” platforms such as the forthcoming metaverse are a different story when it comes to cybersecurity. Pearlman has been working to raise awareness about the issue as the founder and CEO of the Extended Reality Safety Initiative (XRSI), a nonprofit focused on privacy, security, and safety in virtual worlds.

“You can use [this technology] for the greatest good. But you can also use it to really hurt humanity,” Pearlman said.

For 2D digital platforms, she said, “The attack surface has remained limited to nodes, networks, and servers.” But with the metaverse, “The attack surface is now our brain.”

Physical safety risks

Researchers say a number of novel security risks in the metaverse environment can be anticipated as well, some with a potential for real-world, physical consequences.

The arrival of immersive virtual environments changes things a lot for attackers, victims, and defenders, according to researchers. In the metaverse, “a cyberattack isn’t necessarily malicious code,” XRSI’s Pearlman said. “It could be an exploit that disables your safety boundary.”

Ibrahim Baggili, a professor of computer science at the University of New Haven, and a board member at XRSI, is among the researchers who have spent years investigating the potential risks of extended reality platforms for users. In a nutshell, what he and his collaborators have found is that “the security and privacy risks are huge,” Baggili said in an email.

“Right now, we look at screens. With the metaverse, the screens are so close to our eyes that it makes us feel that we are inside of it,” he said. “If we can control the world someone is in, then we can essentially control the person inside of it.”

One potential form of attack, identified by Baggili and other University of New Haven researchers, is what they call the “human joystick” attack. In studies using VR systems, the researchers found that it’s possible to “control immersed users and move them to a location in physical space without their knowledge,” according to their 2019 paper on the subject.

In the event of a malicious attack of this type, the “chances of physical harm are heightened,” Baggili told VentureBeat.

Likewise, a related threat identified by the researchers is the “chaperone attack,” which involves modifying the boundaries of a user’s virtual environment. This could also be used to physically harm a user, the researchers have said.

“The whole point of these immersive experiences is that they completely take over what you can see and what you can hear,” said Cobalt’s Wong, who has followed the work of XRSI and security researchers in the XR space. “If that is being controlled by someone, then there’s absolutely the possibility that they could trick you into falling down an actual set of stairs, walking out of an actual door, or walking into an actual fireplace.”

Additional potential threats identified by the University of New Haven researchers include an “overlay attack” (which displays undesired content onto a user’s view) and a “disorientation attack” (for confusing/disorienting a user).

At the end of the article, Kavya is asked about the need to proactively protect users.

Ultimately, securing the metaverse will not only present new issues, but also new complications to old issues. The metaverse will involve the creation of massive quantities of data that would need to be monitored to detect attacks and proactively protect users, according to Pearlman.

“It’s a very complex thing to tackle,” said Pearlman, whose past work has also included advising Facebook about third-party security risk. “We’re definitely going to need a new understanding for how to tackle these cyberattacks in the metaverse.”