Sep 5, 2018 | By Thomas
Nearly 3,800 3D printers are being left open without any access control or authentication requirements, according to a blog post by Xavier Mertens and Richard Porter, two security researchers from the SANS Internet Storm Center (ISC).
The exposed 3D printers are using an open-source project named OctoPrint. It is a web interface for 3D printers that allows you to easily control and monitor your 3D printer and 3D print jobs from virtually any browser on your network. The software has offered makers everywhere an effective way to keep track of their prints, whether or not they are standing in front of their 3D printers. It can read G-code files, view the webcam feed, show the printer status and the terminal output, etc. But without any authentication requirement, anyone who can reach the interface can also modify the printer's settings.
Attackers can download the unencrypted G-code project files, which tell the printer what to print. "G-code files can be downloaded and lead to potentially trade secret data leak," wrote the researchers. "Indeed, many companies' R&D departments are using 3D printers to develop and test some pieces of their future product."
Porter and Mertens also argue that an anonymous person could send a malicious G-code file to the printer and instruct it to print the file while nobody is around, potentially causing a fire. Other possible abuses of G-code files include unauthorized access to a 3D printer's webcam, which affects the remote user's privacy, or using G-code files that have been modified to sabotage the final products or cause a malfunction of the 3D printer.
“By changing the G-code instructions, you will instruct the device to print the object but the altered one won’t have the same physical capabilities and could be a potential danger once used,” they wrote. “Think about 3D-printed guns but also 3D-printed objects used in drones. Drone owners are big fans of self-printed hardware.”
A Shodan search reveals over 3,700 instances of OctoPrint interfaces are available online, including nearly 1,600 in the United States.
SANS ISC researchers advise users to enable the Access Control feature in OctoPrint. A warning in OctoPrint’s documentation reads: “If you plan to have your OctoPrint instance accessible over the internet, always enable Access Control and ideally don’t make it accessible to everyone over the internet but instead use a VPN or at the very least HTTP basic authentication on a layer above OctoPrint.”
In the wake of the ISC blog post, OctoPrint published a guide to safe remote access of OctoPrint.
“Putting OctoPrint on the internet is nothing short of dangerous. If you must do this, take advantage of the ACL system built into OctoPrint, and even better, put another form of authentication in front. Even if it seems like extra work to set up a plugin, or a VPN/reverse proxy, it’s worth it,” they noted.
“Anything with the potential to burn down your house should be treated with the utmost care. It may seem more convenient to cut corners… but is it really worth it?”
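One way to put the "HTTP basic authentication on a layer above OctoPrint" recommended in the documentation quoted above into practice is an nginx reverse proxy in front of the instance. The following is an added example configuration, not code from the researchers or from the OctoPrint project; it assumes OctoPrint listens on 127.0.0.1:5000 (its default port), that a password file was created with `htpasswd`, that the hostname and certificate paths are placeholders, and that the forwarding header names match OctoPrint's reverse-proxy guidance.

```nginx
# Added example: nginx reverse proxy that keeps OctoPrint off the open
# internet by requiring TLS and HTTP basic auth before any request reaches it.
# Assumptions: OctoPrint bound to 127.0.0.1:5000 (its default port), a
# password file created with `htpasswd -c /etc/nginx/octoprint.htpasswd <user>`,
# and a certificate/key already installed at the placeholder paths below.

server {
    # Redirect plain HTTP to HTTPS so credentials are never sent in clear text.
    listen 80;
    server_name octoprint.example.com;   # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name octoprint.example.com;   # placeholder hostname

    ssl_certificate     /etc/ssl/certs/octoprint.example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/octoprint.example.com.key; # placeholder

    # Authentication layer above OctoPrint: every path, including the /api
    # endpoints and the webcam stream, requires a valid basic-auth credential.
    auth_basic           "OctoPrint";
    auth_basic_user_file /etc/nginx/octoprint.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:5000;

        # Forwarding headers so OctoPrint builds correct URLs behind the proxy
        # (header names assumed to follow OctoPrint's reverse-proxy guidance).
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme        $scheme;

        # OctoPrint's UI streams printer state over a WebSocket (SockJS),
        # so the HTTP upgrade headers must be passed through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

This only adds a layer in front; OctoPrint's own Access Control should still be enabled so that its user login and API keys remain enforced even if the proxy is misconfigured or bypassed on the local network.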