RSA CONFERENCE 2023 – San Francisco – As the metaverse takes shape over the coming years, many of the security issues afflicting cyberspace will begin to spill over into virtual space as well.
One of the biggest of these threats will be the emergence of a new "darkverse," where criminals will be able to operate with greater impunity and more dangerously than they are able to do now on the Dark Web, two researchers from Trend Micro said at an RSA Conference 2023 session in San Francisco, April 26.
The metaverse is a somewhat loosely used term to describe a virtual space where people can interact with other individuals and organizations in a computer-generated version of the physical world. Just like how massive multiplayer online games allow individuals to create digital avatars of themselves and interact with other gamers in fantasy worlds, a full-fledged metaverse will allow individuals to shop, work, socialize and do other activities in a virtual replica of the physical world.
The same phenomenon will happen in the cybercrime underground, the researchers warned. Just like the Dark Web exists on an unindexed deep Web, the darkverse will operate within an unindexed "deepverse" that law enforcement will find hard to penetrate, they noted: The space will offer a safe haven for criminal spaces, extremist spaces, purveyors of child pornography, and those seeking to harass others.
Numaan Huq and Philippe Lin, senior threat researchers at Trend Micro, were two authors of a report last year on how security and privacy threats will likely emerge and evolve in the metaverse as more people begin to use it. Among the threats they identified in the report were amplified versions of some existing issues such as social engineering, financial fraud, and privacy risks, and some new ones such as risks related to NFTs, cyber-physical threats, and more.
A Nearly Impenetrable 'Darkverse'
The threats are a distance away from materializing, Huq and Lin said in a conversation with Dark Reading before their talk. "But the bad guys are already talking about how to make a profit in the metaverse," cautions Lin. "If [organizations] just ignore the threat and don't invest in trying to address them soon, they could lose more in future," he notes.
Trend Micro itself describes the metaverse as a "cloud distributed, multi-vendor, immersive, interactive operating environment that users can access through different categories of connected device." The metaverse will leverage Web 2.0 and Web 3.0 technologies to provide an interactive layer on top of the current Internet. "As proposed, it's an open platform for working and playing inside an extended reality environment, and it will also be a communications layer for smart city devices," according to Trend Micro.
The darkverse is a space that will exist within this world that, like today's Dark Web, will offer a safe space for free speech and expression against oppressive entities and governments. It will equally be a place for illegal and criminal activities with marketplaces that cater to a wide criminal audience.
What will make the darkverse a distinctly more dangerous place is the difficulty law enforcement entities will have in trying to infiltrate the criminal activities taking place on it, Huq says. He expects criminals will use authentication tokens to control access to their spaces on the metaverse. They could make it almost impossible for defenders to get these tokens by requiring that users be inside a designated physical location in a specific time frame to receive a token.
Criminals could also implement location-based and proximity-based restrictions for accessing metaverse spaces. Such measures could make it significantly harder for law-enforcement authorities to take these activities down, compared to sinkholing a server or blocking URLs, Huq says.
New Technologies & Protocols Introduce New Threats
The darkverse will be a major threat, but not the only one that organizations will need to deal with in the metaverse. Huq and Lin expect that companies over the next several years will begin leveraging the metaverse for different use cases. As one example, Huq points to an operator of critical infrastructure that might create a digital twin of an OT or ICS environment. This would allow an engineer working for that company in New York to troubleshoot and address support issues at an ICS facility in Arizona almost like that engineer was physically present at that facility, he says. Similarly, a retailer could create digital stores where customers could shop in an immersive manner like they were at a physical location.
As such use cases proliferate, so too will the threats. Huq and Lin expect that attackers will look for and find ways to infiltrate and poison these environments to spy, steal, and create other havoc. They expect some of the attacks to target the servers, endpoints, and infrastructure on which the metaverse will run, while others will target metaverse-specific elements like the headsets people will use to access the virtual world, or the objects that exist within.
Huq and Lin, like other researchers, are also concerned about the massive harvesting of personal data that is almost inevitably going to happen as more people begin using the metaverse in their personal and work lives.
"The metaverse will introduce in a very short span of time, a lot of new technologies," Huq says. Users will find themselves having to constantly interact with digital objects from a Facebook metaverse, a Google metaverse, a Microsoft metaverse, and multiple other metaverses. That means having to deal with code being transported from one environment to the other in a very fluid manner. "When you execute a radical new technology, you are definitely going to start having security issues whether cyber, or procedural."