The promise of metaverse platforms to enable private and secure interactions in virtual worlds is critically examined in a recent study by the CISPA Helmholtz Center for Information Security. The study highlights significant security gaps and risks posed by potential cyberattacks on these platforms, an important aspect for the use of VR in business in and with China.
The research investigates how the WebXR API, which allows access to metaverse platforms via web browsers, exposes these platforms to cyberattacks. It identifies three platforms whose security mechanisms were analyzed using so-called memory snapshots. The findings reveal a lack of fundamental security measures: browser memory is easily accessible, making sensitive information such as avatar positions, camera settings, and movement patterns simple to extract. Furthermore, attacks such as covert control of cameras or eavesdropping on conversations in virtual rooms are possible due to inadequate platform programming.
The absence of a robust security architecture allows attackers to move undetected in virtual spaces, listen to conversations, or access camera recordings without users’ consent. The root cause lies in the excessive sharing of information with the client, which reduces server load but facilitates attacks. For instance, if every user’s browser in a virtual building contains comprehensive information about the environment, it becomes a potential entry point for cyberattacks.
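The root cause described above can be made concrete with a small server-side sketch. This is an added example, not code from the study or from any of the analyzed platforms; the world model, room names, and field names are hypothetical. It contrasts sending every client the full state with sending each client only what it needs to render its own room.

```javascript
// Constructed sample state; ids, rooms and field names are hypothetical.
const world = { avatars: [
  { id: "alice", room: "lobby",   position: [0, 0, 1], camera: { fov: 70 }, path: [[0, 0, 0]] },
  { id: "bob",   room: "lobby",   position: [2, 0, 1], camera: { fov: 90 }, path: [[2, 0, 0]] },
  { id: "carol", room: "meeting", position: [9, 0, 4], camera: { fov: 60 }, path: [[9, 0, 3]] },
] };
const clone = (v) => JSON.parse(JSON.stringify(v));

// Weak design: every browser receives the whole world, so a memory
// snapshot of any one client contains every user's data.
function fullStateFor(world, viewerId) {
  return clone(world.avatars);
}

// Only the fields another participant needs in order to draw an avatar.
const PUBLIC_FIELDS = ["id", "room", "position"];

// Scoped design: the server filters by room and strips non-render fields
// for everyone except the viewer's own avatar.
function scopedStateFor(world, viewerId) {
  const viewer = world.avatars.find((a) => a.id === viewerId);
  if (!viewer) return []; // unknown session receives nothing
  return world.avatars
    .filter((a) => a.room === viewer.room)
    .map((a) => a.id === viewerId
      ? clone(a)
      : Object.fromEntries(PUBLIC_FIELDS.map((f) => [f, clone(a[f])])));
}

// Audit helper: what does a client hold about other users that it
// does not need (users in other rooms, non-render fields)?
function exposure(state, viewerId, viewerRoom) {
  const others = state.filter((a) => a.id !== viewerId);
  return {
    outOfRoom: others.filter((a) => a.room !== viewerRoom).map((a) => a.id),
    privateFields: others.flatMap((a) => Object.keys(a)
      .filter((k) => !PUBLIC_FIELDS.includes(k))
      .map((k) => `${a.id}.${k}`)),
  };
}

console.log("full  :", exposure(fullStateFor(world, "alice"), "alice", "lobby"));
console.log("scoped:", exposure(scopedStateFor(world, "alice"), "alice", "lobby"));
```

Positions of avatars in the same room still reach the client because rendering requires them; the scoped version only removes data the client has no reason to hold.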
The study underscores that current metaverse platforms do not provide sufficient security, exposing users to significant risks. To fulfill the promise of data protection and privacy, innovative approaches to improving security architecture are urgently needed.
Source: CISPA Helmholtz Center for Information Security
