Convergence Security Journal (융합보안논문지)

Korea convergence Security Association (한국융합보안학회)
권호 표지
DOI QR코드

DOI QR Code

Analysis of Cybersecurity Threats and Vulnerabilities in Metaverse Environment

메타버스 환경에서 사이버보안 위협과 취약점 분석

  • 최진원 (상명대학교 전자정보시스템공학) ;
  • 권재우 (상명대학교 전자정보시스템공학) ;
  • 이세희 (상명대학교 전자정보시스템공학) ;
  • 박원형 (상명대학교 정보보안공학과) ;
  • 조태경 (상명대학교 정보보안공학과)
  • Received : 2022.07.15
  • Accepted : 2022.09.30
  • Published : 2022.09.30
Download PDF
⟨ Previous Next ⟩

Abstract

Metaverse is a compound word of the English words 'meta', meaning 'virtual' and 'transcendence', and 'universe' meaning the universe. dimensional virtual world. Metaverse is a concept that has evolved one step further than virtual reality (VR, a cutting-edge technology that enables people to experience life-like experiences in a virtual world created by a computer). It has the characteristic of being able to engage in social and cultural activities similar to reality. However, there are many security issues related to this, and cybersecurity vulnerabilities may occur. This paper analyzes cybersecurity threats that may occur in the metaverse environment and checks vulnerabilities.

메타버스는 '가상', '초월' 등을 뜻하는 영어 단어 '메타'(Meta)와 우주를 뜻하는 '유니버스'(Universe)의 합성어로, 현실세계와 같은 사회·경제·문화 활동이 이뤄지는 3차원의 가상세계를 가리킨다. 메타버스는 가상현실(VR, 컴퓨터로 만들어 놓은 가상의 세계에서 사람이 실제와 같은 체험을 할 수 있도록 하는 최첨단 기술)보다 한 단계 더 진화한 개념으로, 아바타를 활용해 단지 게임이나 가상현실을 즐기는 데 그치지 않고 실제 현실과 같은 사회·문화적 활동을 할 수 있다는 특징이 있다. 하지만, 이에 대한 보안 이슈가 많아 발생하고 있어 사이버보안 안전성 여부를 확인할 필요가 있다. 본 논문은 메타버스 환경에서 발생할 수 있는 사이버보안의 위협과 취약점을 분석하여 안전성을 확인 한다.

Keywords

1. Introduction

Metaverse is a compound word of the English word meta meaning ‘virtual’ and universe meaning universe[1]. Metaverse, a three-dimensional virtual world that interacts with reality, is capable of social, economic, and cultural activities. Metaverse started service as a game in the early days, but now it has become established in our daily life. In the virtual world, social, economic, and cultural activities are possible just like in reality, and above all, the number of users of Metaverse, which was able to connect daily life through non-face-to-face daily life due to Corona 19, naturally increased rapidly. In line with the growing demand, the field of metaverse is expanding beyond games to entertainment, education, finance, and broadcasting. You can also experience the metaverse. Currently, various wearable devices such as rings and wristbands are being developed and released, so the future metaverse is getting more expectations. As such, the metaverse connecting the virtual world and the real world is attracting attention as a new space that contrasts with reality. It is necessary to pay attention to.

2. Related Works

2.1 The main threat to the metaverse

Metaverse expanded and developed into various industrial fields, and at the same time, the number of users increased. However, when using Metaverse, it is possible to understand the basic behavior of users online, so privacy-related issues may arise. In addition, creations or possessions in the virtual world (Non-Fungible-Token) can be realized as real-world financial profits through user-to-user transactions, which can affect real personal financial assets. As such, the metaverse is closely related to reality, so security threats in the metaverse can cause the same or greater damage than threats in the real world. Therefore, we analyze actual cases of security threats related to metaverse and study countermeasures. Advances in technology within the metaverse make virtual worlds very similar to reality. Therefore, physical attacks that cause fear through media such as AR or VR or realistically implement inappropriate content depending on the user occur. Due to the expansion of metaverse devices, voyeurs and wiretapping are possible through microphones and cameras attached to the equipment, and there are attacks such as stimulating the brain or injecting hallucinations through equipment hacking. This is accepted not only as a problem in the virtual world but also as a problem in the real world.

SOBTCQ_2022_v22n3_19_2_f0001.png 이미지

<Figure 1> Elements of a Metaverse> [2]

Metaverse, which started as a game service, continues to grow as a game platform to this day. As a result, the influx of young people who wanted to use the game increased. According to a Nielsen Korea survey, 50.4% aged 7-12 and 20.6% aged 13-18, children and adolescents accounted for more than 70% of the total users [3]. The problem is that, as there are many youth users, a lot of crimes against juveniles started to occur on Metaverse. In fact, on April 8, 2022, sexual exploitation crimes against 11 children and adolescents occurred on the metaverse platform 'ZEPETO'. As such, adolescents are easily exposed to cybercrime.

When a user account (avatar) is stolen, not only assets in the virtual world but also sensitive information such as biometric information and location information in the real world are easily exposed. In Metaverse, since users use avatars to use services, authentication of users using a vatars is very important. If the user authenticates only once for the initial connection, a problem may arise in which someone other than the owner of the avatar uses the avatar. On April 1, 2012, the administrator account of 'ROBLOX ', an online metaverse game platform, was hacked, and there was an accident that abused ad ministrator privileges to delete user accounts or disrupt the currency system [4].

3. Countermeasures Against Major Threats in Metaverse

3.1 Threats Analysis of Metaverse

Even when personal information of users using Metaverse is entered, the data may not be safe due to attacks related to hacking. Therefore, it is necessary to establish a system that encrypts data in real time through an encryption system for personal information and does not collect information when users input personalinformation[6][7]. In addition, a lot of data is stored in the metaverse, which is created by combining technologies in various fields, and if you do not check the stored information, you can acquire the right to the storage. There will be. In Metaverse, user information, which is sensitive information of user accounts (avatars), is used by advertisers, ad marketers, and developers. When using personal information, it is necessary to manage it so that it is only used for scientific research or public record preservation. Even through de-identification of personal information that can delete some or all of personal information, it makes it difficult to combine with other information so that a specific individual cannot be identified. This allows the use of personal information while minimizing the possibility of personal information infringement.

SOBTCQ_2022_v22n3_19_4_f0001.png 이미지

<Figure 2> Security Models of Metaverse

It is also necessary to pay attention to supply chain attacks on metaverse platform access and devices. In the form of attacks that penetrate the supply chain and tamper with software or hardware delivered to users, the user's perception that the supply from the supplier is safe can be exposed to security threats. Therefore, it is necessary to find a way to detect forgery by maintaining the original state[8][9][10].

In the metaverse connected to the real world, digital finance and virtual currency transactions are realized, causing damage from phishing. Attackers disguise themselves as the administrator of the server or act as a user of the server and steal personal or financial information by inducing clicks on malicious links by forming intimacy with others. In the Metaverse platform, users need to be informed about precaution s related to this. Users should not leak personal information to other users, and should be careful about unverified links.

4. Cybersecurity Stability Analysis in Metaverse

In order to technically derive potential security threats in the metaverse market, it is prepared as shown in Table 1 in relation to the aforementioned technical components of the metaverse. Technical considerations are presented by adopting STRIDE threat modeling in terms of security such as confidentiality, integrity, availability, authentication, rights management, and non-repudiation.

(Table 1) Security threats in the metaverse[5]

SOBTCQ_2022_v22n3_19_3_t0001.png 이미지

(Table 2) Classification of security threats related to metaverse components

SOBTCQ_2022_v22n3_19_4_t0001.png 이미지

As the metaverse moves closer to us, so does the concern about cybersecurity. This is because all transactions, information exchange, and privacy protection that occur in the virtual environment are performed in the same way as in the real world. Therefore, various security systems should be prepared so that my avatar can safely manage assets while working in a virtual environment.

In particular, the virtual environment requires more consideration than the real world. There will be fakes in the virtual environment, and even the ‘fake characters’ may act as if they were the real me. Therefore, how to respond to such virtual infringement will be the biggest issue. In addition, the system may be stopped due to software bugs, and digital assets may be hacked. And the most worrisome part is that the virtual environment created with Metaverse is the domain of a specific conglomerate, not the country. What if the company does not fulfill its social responsibilities and obligations and pursues only profit and profit? Then there is the problem of how to define the rights and responsibilities of avatars living in the virtual environment.

(Table 3) security vulnerabilities of Metaverse

SOBTCQ_2022_v22n3_19_5_t0001.png 이미지

After all, the core foundation of Metaverse is ‘block chain’ and ‘safety of non-fungible tokens’. So far, we have recognized that these technologies are used in cryptocurrencies to disrupt the money market and create a breeding ground for speculation. But soon, the era of the metaverse will open. From now on, we will have to prepare cybersecurity measures suitable for the metaverse.

5. Conclusion

Unlike other web services that have been previously provided, Metaverse approaches our daily life much more closely. Starting with game content-based metaverses such as ROBLOX and Minecraft, which are based on game content among young people, it continues to expand and develop into life, communication, finance, and work platforms. As a result, the metaverse platform engine has been widely applied to all industries and social fields, and there are many opinions that the expansion of the metaverse's influence is just the beginning. Due to the nature of the metaverse platform, leading companies around the world are rapidly expanding their business fields by transplanting their intellectual property (IP) to the metaverse platform. On the other hand, some view the metaverse as a part of the game. If the metaverse is viewed as game content, the rating system under the Game Industry Promotion Act is applied, which can become a major obstacle to the development of the metaverse industry. Such unilateral regulation can hinder the development of the met averse industry, so it is important to find a compromise between development and regulation in consideration of technological development and circumstances. Since the avatar in the metaverse refers to the real 'I', cyber attacks in the metaverse can affect reality, and hacking in the metaverse can also cause financial damage to users in the real world. It can be seen that user-centered security is essential to safely perform threats that may occur while using the metaverse as described above.

References

  1. Brown, Dalvin. "What is the 'metaverse'? Facebook says it's the future of the Internet". Washington Post. 2021.08.
  2. Elements of a Metaverse, What is a metaverse?, "https://www.gartner.com/en/articles/what-is-a-metaverse", 2022.01.
  3. Hankyoreh, "Stalking and similar sexual acts… 'New type' metaverse child sex crime, is it punishable", https://www.hani.co.kr/arti/society/society_general/1012415.html.
  4. Hyungyeong Kim, and Hyungwon Kwon."A study on the analysis of security vulnerabilities in metaverse." Proceedings of the Korean Telecommunications Society Conference, 1454-1455, 2021.
  5. Y. Wang, Z. Su, N. Zhang, D. Liu, R. Xing, T. Hao Luan and X. S. Shen, "A Survey on Metaverse: Fundamentals, Security, and Privacy," arXiv preprintarXiv:203.0262, 2022.
  6. Electronic newspaper, "Metaverse and cyber security strategy to protect personal information must come together", https://www.etnews.com/20220315000153, 2022.
  7. Seunghwan Lee, "Metaverse begins: 5Major Issues and Forecast" SPRi Analysis Issue Report, IS-116, Apr, 2021.
  8. Turner, M. J. Matrix methods of Structural Analysis, 1st Ed., Vol. 1, Macmillan, New York, pp.203~206, 1974.
  9. Park, D., Kim, S., Lee, Y., and Kim, C., Performance Evaluation of Propeller for Electrically Powered HALE UAV; Part II. Computational Analysis, 2021.
  10. Ahn, S. W., Cho, J. Y., and Kim, S. J., "An Alternative Computing Algorithm of the Penalized Weighted Residual Method for the Structural Dynamics," Journal of the Energy Convergence Society, Vol. 25, No. 6, pp. 83~92, 1999.