Siemens Metaverse, a virtual space built to mirror real machines, factories, and other highly complex systems, has exposed sensitive data, including the company’s office plans and internet of things (IoT) devices.
While metaverse is no longer a buzzword, amid the sudden popularity of ChatGPT and similar AI tools, those virtual worlds are still here, presenting exciting opportunities for companies, users, and, unfortunately, threat actors.
Siemens, a German multinational with over $71 trillion in revenue and 300,000 employees worldwide, has also jumped on the metaverse bandwagon. In 2022, it partnered with NVidia, an American multinational technology company, to build the industrial metaverse.
Recently, the Cybernews research team has discovered that Siemens Metaverse – a platform that aims to create digital ‘twins’ of its factories and offices – was leaking sensitive information.
If attackers got to the exposed data, it could have had devastating consequences for the company and other big corporations using its services, including ransomware attacks.
Siemens, on the other hand, said it considered the issue to be non-critical and added that it had been mitigated.
Metaverse leak: what we discovered
On March 1, the Cybernews research team discovered an environment file hosted on a metaverse.siemens.com domain. It contained ComfyApp credentials and endpoints. It also discovered Siemens leaking four sets of WordPress users, and three sets of backend and authentication endpoint URLs on different endpoints of the affected systems.
The WordPress sets only exposed user names and avatar pictures, but all four Siemens WordPress-based subdomains were vulnerable to a flaw that WordPress itself fixed in 2017, leaving researchers wondering whether there are more severe vulnerabilities on these sites.
Backend and authentication endpoint URLs, used to verify users before giving them access, could lead to attackers testing them for vulnerabilities and exploiting them.
The most worrying discovery was that of exposed office management platform ComfyApp user credentials. The Siemens-owned app helps with workspace management, meaning it’s hungry for sensitive data including floor plans, information about internet of things (IoT) devices, employee calendars, and interior pictures.
We can’t say for sure how much of the aforementioned data could be accessed using the ComfyApp credentials alone.
“We sincerely hope that threat actors didn’t discover the leak before Siemens managed to fix it,” said Cybernews researchers. “Having access, they could exfiltrate a treasure trove of sensitive data, given that Siemens manufactures and maintains a lot of technologies and machines used by critical infrastructure.”
The Cybernews team added: “Siemens customers include multi-billion [dollar] companies, handling extremely sensitive data, and attackers would definitely find it very valuable.”
A highly attractive target
So what if someone logs in and takes a peek at your office plans and pictures, even your calendar? Employees are well aware they shouldn’t let a stranger into their office, so why would the rules be any different when it comes to the digital workplace?
“After snooping around the digital office, attackers could simply show up in the physical office as if they’ve worked there for years, knowing all the spaces and being familiar with office devices, such as smart air conditioners. That just makes it easier for attackers to break in,” Cybernews researchers said.
And they won’t break in just to steal a pen. More likely, they’ll plug in an infected USB drive that could eventually even lead to ransomware.
Since the metaverse is built in such a way that it should have up-to-date factory data, attackers could even extract some trade secrets like manufacturing techniques.
“There are a lot of opportunities for threat actors here. But since it's one of the first cases where the metaverse technologies are used in cases where they can leak sensitive real-world data, it is not very clear what methodologies would be adopted by threat actors to gain the most out of exploiting such issues,” the research team said.
Metaverse problems
At the peak of the metaverse hype, Mark Zuckerberg’s Facebook even rebranded to Meta to be a “metaverse-first, not Facebook-first” company. But without a doubt the most widely marketed metaverse project of them all keeps losing money, and the hype around the concept seems to be over.
Therefore, those doomsday scenarios elaborating on how crooks could abuse the metaverse remain theoretical rather than real-life threats.
So what were experts so worried about? Well, first of all, it’s a new Wild West of privacy issues and criminal concerns, since it represents an unprecedented digital and physical attack surface.
Metaverse’s early adopters have already reported harassment, bullying, hate speach, and well, even rape. Cyberattacks like phishing are likely to be harder to prevent since, in the metaverse, the attack vector expands to your brain.
Trend Micro researchers even predicted the rise of the darkverse – a sort of dark web in the metaverse where threat actors would thrive out of law enforcement's reach. And, if a user is robbed, bullied, or, god forbid, raped – where does one take their complaints?
The metaverse topic might be overshadowed by ChatGPT and its rivals, but the concept is not dead.
Seoul, the South Korean capital, recently became the world’s first major city to launch a metaverse platform for official business and entertainment.
Last year, Dubai launched an ambitious metaverse strategy aiming to create over 40,000 virtual jobs by 2030.
The European Union created its own youth-oriented metaverse-like digital venue for $400,000 to make youth more aware of what the EU does on the world stage.
These are just a couple of recent examples of the metaverse expansion. Maybe slower than some have anticipated, but definitely a significant one for the companies to start taking metaverse-focused cybersecurity seriously.
The metaverse market is expected to grow into a $760 billion one by 2026.
Your email address will not be published. Required fields are markedmarked