Welcome to the future of the internet, a space for our cyber and physical worlds to blur on one seamless platform – styled by Mark Zuckerberg as the “Metaverse”.

Launching Facebook’s rebrand as “Meta”, last week, the tech mogul provided a glimpse into what this new internet age would look like. We reflect on Facebook’s timing for the announcement and anticipate the key cybersecurity risks which will need to be addressed.

What Exactly Is The Metaverse?

“Meta” is the new name adopted by Facebook to reflect its ambitious dream to build what they are calling a “Metaverse”. It’s not completely clear what this “Metaverse” is, and that’s because it does not actually exist yet. But what we do know so far is that the Metaverse will be an internet concept based on virtual spaces, engaging both augmented and virtual reality technologies. 

Snippets from Zuckerberg’s launch video revealed a plethora of opportunities to merge physical with virtual in what is known as mixed reality: an artist can hang their virtual work around a physical city for other Meta users to find; work from home takes on a whole new meaning when your colleague’s holograms can sit next to you in a virtual meeting; your personal trainer can hologram themselves over to your lounge for a work out. 

Alongside this, Meta is releasing their own VR headset, which will be able to mimic real-time facial expressions, body language and movement. 

With Meta, it seems, our entire lives could theoretically become integrated on a single internet platform. That’s one overwhelming realisation, not least because history has shown us that, as technologies evolve and become an even bigger part of our lives, so too do the cyber threats risking our safety grow.

Smart Timing?

It is notable that Zuckerberg stated early on in his launch video that “privacy and safety need to be built into the Metaverse from day one”. Is this privacy-focused approach to product development an attempt to nip any more allegations in the bud without making an attempt to resolve them, or a genuine attempt to learn from past mistakes?

Sceptics might speculate that the Facebook rebranding has come at a convenient time. The social media giant has faced a firestorm of bad press in recent years over, for example, political advertising manipulation (namely, during the 2016 US Presidential Elections and the 2018 Cambridge Analytica Scandal), incitement of genocide in Myanmar and other indisputable violations of user privacy. Most recently, whistleblower reports have drawn attention to a litany of societal, economic and political harm caused by Zuckerberg’s empire. A new corporate structure and name may deflect from some negative associations, but Facebook’s original problems will seep through the cracks if not adequately dealt with. 

But, even more concerning than a possible PR stunt, is Facebook’s potential shift away from social media and towards virtual reality, when existing laws and regulations governing the use of this technology are wholly inadequate. Courts are still grappling with the ethical and legal dilemmas which arise from the advent of these technologies, forced to apply century-old laws and legal principles to products and businesses far bigger and more impactful than most would have ever believed possible. AR and VR collect substantially more information about their users than social media networks or other technologies. Can Facebook be a trustworthy custodian of a new virtual reality without a regulatory framework to hold it to account?

The Top 3 Cyber Risks We Will Be Looking Out For on the Metaverse:

As always, with the dawn of new technology, the potential to exploit vulnerabilities and successfully execute attacks increases. Despite our limited knowledge of Zuckerberg’s vision for the metaverse, cyber experts have already been able to spot some possible areas of weakness for attack. This is especially the case given the current vulnerabilities present in VR and AR technologies. 

Let’s unpick some of the key foreseeable cyber threats.

Denial of service

In this kind of cyber attack, an attacker hacks into an AR system and cuts off the user from the information stream they are receiving. If we immerse ourselves further and further into the metaverse, how would basic elements needed for modern society function? Zuckerberg appeared excited to announce the possibility of taking on the metaverse in a work environment – quoting a number of surprising industries which could still make use of this cutting-edge tech. But how could a surgeon protect themselves from losing vital access to real-time information on their AR glasses in the middle of an operation, for example?

Deepfakes and Social Engineering:

The Meta headset will possess increased sensors which will enable avatars to make natural eye contact and reflect their user’s facial expressions in real time. As staggering as this technology is, there is a significant risk associated with having a completely authentic sense of who you are, how you feel, behave, and express yourself on the internet. A cyber attacker that accesses this motion-tracking system can create digital replicas (known as deepfakes) and undermine VR security by carrying out a social engineering attack (the art of manipulating someone to give up confidential information). For example, those living on the metaverse will be able to invite their trusted holographic friends round to their virtual home to hangout and talk – what if that trusted friend was actually deepfake or what if their account has been hacked? 

Credential Theft

Cybercriminals may be able to steal important personal information such as credit card details, pin numbers and other identifying information by accessing AR and VR eye-tracking and finger-tracking technologies. Some headsets track eye movements, which can provide valuable data for hackers as they can recreate user actions to guide themselves around online bank accounts, homes, passwords and much more. The same goes for hand gestures, which VR users can make in the same way that they would in the real world. From a cybersecurity standpoint, this means that a hacker could follow the finger movements used to tap in a code on a virtual keypad, or hack the system that records it. Once a hacker captures this data, they can recreate sensitive passwords for a range of personal accounts.



Although the launch of Meta marks an exciting time for the internet, the myriad of security issues overshadowing the Facebook empire has left cyber experts apprehensive. And, quite frankly, the enormous impact that the metaverse could have on every aspect of our lives is nothing short of terrifying, especially with Facebook’s privacy track record in mind. The next few years are set to be transformational for the digital world; cyber insurance professionals will have to keep on their toes to ensure their decisions are the right ones.