3D Printers in The Wild, What Can Go Wrong?
Written by Xavier Mertens, a senior handler for the SANS Internet Storm Center (ISC) and Freelance Cyber Security Consultant
Richard wrote a quick diary yesterday about an interesting information that we received from one of our readers. It’s about a huge amount of OctoPrint interfaces that are publicly facing the Internet. Octoprint is a web interface for 3D printers that allows to control and monitor all features of the printer. They are thousands of Octoprint instances accessible without any authentication reported by Shodan:
Here is an example of a publicly open interface connected to an online printer (status is “operational”):
So, what can go wrong with this kind of interface? It’s just another unauthenticated access to an online device. Sure, but the printer owners could face very bad situations.
The interface allows downloading the 3D objects loaded in the printer. Those objects are in G-code format. To make it simple, G-code is a language in which people tell computerized machine tools how to make something. G-code files are simple text files and are not encrypted:We are facing here the first issue: G-code files can be downloaded and lead to potentially trade secret data leak. Indeed, many companies R&D departments are using 3D printers to develop and test some pieces of their future product. Here is an example of G-code file rendered via an online tool:If the authentication is completely disabled, it is possible to upload G-code files and… print them! What if an anonymous person sends a malicious G-code file to the printer and instructs to print it while nobody is around? There were bad stories of low-cost 3D printers which simply burned!. Here is one found busy to print an object. Did you see the temperature?
Worse, what if the attacker downloads a G-code file, alters it and re-upload it. Be changing the G-code instructions, you will instruct the device to print the object but the altered one won’t have the same physical capabilities and could be a potential danger once used. Think about 3D-printer guns but also 3D-printed objects used in drones. Drone owners are big fans of self-printed hardware.
Finally, OctoPrint offers a monitoring feature based on an embedded webcam which can affect the remote user privacy. On this screenshot, the operator was preparing his printer but we can also see some details behind the printer.
How to protect your OctoPrint instance? The documentation says about access control: “When Access Control is enabled, anonymous users (not logged in) will only see the read-only parts of the UI which are the following” (followed by a long list of features). Most critical is accessing to the webcam and downloading G-code files. As suggests the documentation: “If you plan to have your OctoPrint instance accessible over the internet, always enable Access Control“.
Note: The blog was originally published, here.
62 Comments