Hacking the metaverse: Why Meta wants you to find the flaws in its newest headsets - ZDNet

Close-up of a young, blonde woman wearing a Meta Quest 2 VR headset
Image: Meta

When any new technology emerges, cyber criminals and fraudsters will almost immediately take a look to see what's in it for them.

The internet, smartphones and the Internet of Things have increasingly become part of how we live our lives -- and each of these technologies is targeted by malicious hackers looking to steal passwords, personal information, bank details, and more.

So, as the metaverse and virtual reality emerge as a new way to live, work and relax on the internet, these platforms will also quickly become a target for cyber criminals, keen to find and exploit vulnerabilities in hardware and software, or perhaps to use the technology to support their scams.

Now Facebook owner Meta, which is ploughing huge sums into its metaverse-building projects, wants to get ahead of the hackers by asking security researchers to identify vulnerabilities and issues in metaverse-related products, such as Meta Quest, Meta Quest Pro and the Meta Quest Touch Pro, with genuine disclosures rewarded with bug bounty payments that potentially amount to hundreds of thousands of dollars.

Facebook has operated a bug bounty programme for its web applications since 2011, but despite the metaverse being a key pillar of Meta's business strategy, the company is still relatively new to developing hardware.

Also: The metaverse is coming and the security threats have already arrived

However, by encouraging cybersecurity experts from outside Meta to hack the metaverse, the company is looking to improve the security of its products for everyone.

"One of our priorities is to further integrate the external research community with us on our journey to secure the metaverse. Because this is a relatively new space for many, we're working to make the technology more accessible to bug hunters and to help them submit valid reports faster," says Neta Oren, security engineering manager and bug bounty lead at Meta.

Part of the strategy behind this work involves getting Meta's virtual reality headsets out in front of security researchers and hackers, achieving this with Meta BountyCon, a security conference focused on bug bounties that allows hunters to get hands-on with the products.

The most recent event focused on emerging threats in the VR space, something Oren describes as an intentional move towards "the goal of making the whole industry safer".

Meta has updated its bug bounty terms to highlight that its latest products, Meta Quest Pro and the Meta Quest Touch Pro controllers, are eligible for the bug bounty program, and has added new payout guidelines for VR technology, including bugs specific to Meta Quest Pro.

And for those who find security vulnerabilities in Meta's virtual reality and metaverse technology, there are financial rewards for bug bounties of potentially hundreds of thousands of dollars.

Among other things, the payout guidelines detail how payments for discovering mobile remote code execution bugs -- vulnerabilities that could allow an attacker to execute malware or take control of a device -- could be up to $300,000, while researchers who uncover account takeover vulnerabilities could be rewarded with up to $130,000.

The financial rewards are high because Meta wants to encourage hardware hackers who may not have looked at the company's virtual reality offerings before.

"We want to help researchers prioritise their efforts and focus on some of the most impactful areas across our platform," says Oren.

The bug bounty scheme has already resulted in the disclosure of several previously undiscovered vulnerabilities.

Also: Accidental teleports and virtual high-fives: What I've learned about VR meetings

A disclosure submitted at BountyCon found an issue in Meta Quest's OAuth flow -- an open standard used to grant websites or applications access to a user's information held on other websites -- which could have let an attacker gain control of a user's access token, and with it control of their account, with just two clicks.

"We fixed this issue, and our investigation found no evidence of abuse, and we rewarded this report a total of $44,250, which reflects the impact of the vulnerability," says Oren.

Another researcher was awarded $27,200 after uncovering a vulnerability that could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification PIN required to confirm someone's phone number. The vulnerability was also fixed after disclosure.
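The article gives no details of the rate-limiting flaw beyond the one-line description, so the following is an added illustration of the general failure mode, not code from the article or from Meta. It assumes a six-digit numeric PIN, a per-challenge attempt counter as the fix, and a constructed phone number and PIN so the run is reproducible; the class and function names are invented for the example.

```python
"""Added illustration (not code from the article or from Meta): how an SMS
verification PIN with no rate limit falls to brute force, and how a per-challenge
attempt limit stops it. The class, PIN length, limit and phone number are all
assumptions made for this example."""

import hmac
import secrets

PIN_DIGITS = 6  # assumption: a 6-digit numeric PIN, i.e. 1,000,000 possibilities


class PinVerifier:
    """Issues and checks one-time SMS PINs for phone-number confirmation.

    max_attempts=None reproduces the weak setting: a PIN can be guessed
    indefinitely. A small limit locks the challenge after that many failures.
    """

    def __init__(self, max_attempts=None):
        self.max_attempts = max_attempts
        self._challenges = {}  # phone -> {"pin": str, "failures": int, "locked": bool}

    def start(self, phone, pin=None):
        """Create a challenge. `pin` may be fixed for demos; real code always draws it
        from secrets and delivers it by SMS rather than returning it."""
        if pin is None:
            pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self._challenges[phone] = {"pin": pin, "failures": 0, "locked": False}
        return pin

    def is_locked(self, phone):
        ch = self._challenges.get(phone)
        return ch is not None and ch["locked"]

    def verify(self, phone, guess):
        """Return True only for the correct PIN on an unlocked, unused challenge."""
        ch = self._challenges.get(phone)
        if ch is None or ch["locked"]:
            return False
        if hmac.compare_digest(ch["pin"], guess):  # constant-time comparison
            del self._challenges[phone]  # a PIN is single-use
            return True
        ch["failures"] += 1
        if self.max_attempts is not None and ch["failures"] >= self.max_attempts:
            ch["locked"] = True  # further guesses are refused until a new PIN is issued
        return False


def brute_force(verifier, phone):
    """Attacker's loop: enumerate every PIN in order until the verifier accepts one,
    locks the challenge, or the keyspace is exhausted. Returns (success, attempts)."""
    for n in range(10 ** PIN_DIGITS):
        if verifier.verify(phone, f"{n:0{PIN_DIGITS}d}"):
            return True, n + 1
        if verifier.is_locked(phone):
            return False, n + 1
    return False, 10 ** PIN_DIGITS


def demo(max_attempts=None, pin="004242", phone="+15555550100"):
    """Run the brute force against a verifier with the given attempt limit, using a
    constructed PIN and phone number so the result is reproducible."""
    v = PinVerifier(max_attempts=max_attempts)
    v.start(phone, pin=pin)
    return brute_force(v, phone)


if __name__ == "__main__":
    print("no rate limit:", demo())                # (True, 4243)
    print("5 attempts:   ", demo(max_attempts=5))  # (False, 5)
```

Without a limit the attacker needs at most a million requests, which is minutes of work against an API; with a limit of five the challenge locks after five wrong guesses and even the correct PIN is then refused. A per-challenge lockout does let an attacker deliberately lock a victim's pending challenge, so a real deployment also issues a fresh PIN on lockout and rate-limits by source as well as by challenge.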

These vulnerabilities might not have been uncovered -- at least not as quickly -- without the bug bounty scheme, which is why, for Meta, it's important to continue to expand it.

"We welcome any contribution from the external community to get as many eyes on the code as possible, continuing to test our products, and make them more secure," says Oren.

The bug bounty programme for the metaverse follows in the footsteps of Meta's other bug bounty schemes, some of which have been running for a decade -- and the company also has a range of information security teams to help ensure that the metaverse and Meta's other platforms are as secure against cyber threats as possible.

They include security reviews of products, a threat-modelling team, a red team running penetration tests against the company, and more, all in addition to the bug bounty program. All of this effort fits together to ensure that any product Meta releases is as secure against as many threats as possible.

"These are all things we've learned over the years that we apply when we build new products, so the new products already have all these embedded into them," says Oren.

Also: Cybersecurity: These are the new things to worry about in 2023

After new vulnerabilities disclosed through the bug bounty scheme have been investigated and mitigated, security updates are rolled out to the products. To ensure that the updates fixing those vulnerabilities are actually applied, Meta's VR products automatically check for updates at launch and then install them.

"We are sharing these bugs publicly to make sure everyone in the industry can learn from us. It's common that when one big company publishes these types of things, other companies will look internally for something similar," Oren explains.

And because external researchers aren't limited to looking at Meta products, if they find something in Meta Quest Pro or another Meta device, they're also likely to look at similar products built by others.

"We know that our researchers don't only hunt on Meta. So, if they find a bug with us, they might then go and look for it in our competitors and they will report it to them as well," says Oren.

"That's why we think education is so important, because the researchers, whatever they learn with us, they'll take to other companies while they hunt," she says.
