Pierluigi Paganini
April 15, 2023
While metaverse is no longer a buzzword, amid the sudden popularity of ChatGPT and similar AI tools, those virtual worlds are still here, presenting exciting opportunities for companies, users, and, unfortunately, threat actors.
Siemens, a German multinational with over $71 trillion in revenue and 300,000 employees worldwide, has also jumped on the metaverse bandwagon. In 2022, it partnered with NVidia, an American multinational technology company, to build the industrial metaverse.
Recently, the Cybernews research team has discovered that Siemens Metaverse – a platform that aims to create digital ‘twins’ of its factories and offices – was leaking sensitive information.
If attackers got to the exposed data, it could have had devastating consequences for the company and other big corporations using its services, including ransomware attacks.
Siemens, on the other hand, said it considered the issue to be non-critical and added that it had been mitigated.
Metaverse leak: what we discovered
On March 1, the Cybernews research team discovered an environment file hosted on a metaverse.siemens.com domain. It contained ComfyApp credentials and endpoints. It also discovered Siemens leaking four sets of WordPress users, and three sets of backend and authentication endpoint URLs on different endpoints of the affected systems.
The WordPress sets only exposed user names and avatar pictures, but all four Siemens WordPress-based subdomains were vulnerable to a flaw that WordPress itself fixed in 2017, leaving researchers wondering whether there are more severe vulnerabilities on these sites.
Backend and authentication endpoint URLs, used to verify users before giving them access, could lead to attackers testing them for vulnerabilities and exploiting them.
The most worrying discovery was that of exposed office management platform ComfyApp user credentials. The Siemens-owned app helps with workspace management, meaning it’s hungry for sensitive data including floor plans, information about internet of things (IoT) devices, employee calendars, and interior pictures.
We can’t say for sure how much of the aforementioned data could be accessed using the ComfyApp credentials alone.
“We sincerely hope that threat actors didn’t discover the leak before Siemens managed to fix it,” said Cybernews researchers. “Having access, they could exfiltrate a treasure trove of sensitive data, given that Siemens manufactures and maintains a lot of technologies and machines used by critical infrastructure.”
The Cybernews team added: “Siemens customers include multi-billion [dollar] companies, handling extremely sensitive data, and attackers would definitely find it very valuable.”
A highly attractive target
So what if someone logs in and takes a peek at your office plans and pictures, even your calendar? Employees are well aware they shouldn’t let a stranger into their office, so why would the rules be any different when it comes to the digital workplace?
“After snooping around the digital office, attackers could simply show up in the physical office as if they’ve worked there for years, knowing all the spaces and being familiar with office devices, such as smart air conditioners. That just makes it easier for attackers to break in,” Cybernews researchers said.
And they won’t break in just to steal a pen. More likely, they’ll plug in an infected USB drive that could eventually even lead to ransomware.
Since the metaverse is built in such a way that it should have up-to-date factory data, attackers could even extract some trade secrets like manufacturing techniques.
“There are a lot of opportunities for threat actors here. But since it’s one of the first cases where the metaverse technologies are used in cases where they can leak sensitive real-world data, it is not very clear what methodologies would be adopted by threat actors to gain the most out of exploiting such issues,” the research team said.
If you want to have more info on Metaverse problems, give a look at the original post at https://cybernews.com/security/siemens-metaverse-data-leak/
About the author: Jurgita Lapienytė, Chief Editor at CyberNews
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Siemens Metaverse)
