Security experts have identified thousands of instances in which owners of 3D printers have made their devices available online and without the need for authentication. That certainly makes remote access to 3D printers convenient, but wow, what an awful idea given the tremendous potential for abuse.
SANS Internet Storm Center (ISC) has issued an alert for users of OctoPrint, an open-source web interface for 3D printers. This product gives users remote access to their 3D printers, allowing them to control and monitor all features of their printer from afar, so long as they have access to the internet.
It’s super convenient, but the ISC has discovered at least 3,759 instances in which users have deliberately set up their 3D printers to be accessible via the internet without the need for authentication (i.e. logging in with a username and password). The bulk of these users (42 per cent) are in the United States, the others being in Germany, France, the UK, and Canada. Detecting unsecured printers, or any unsecured device for that matter, is relatively easy thanks to tools like Shodan, a search engine for internet-connected devices. Which is precisely how the ISC detected these 3,759 unsecured machines.
“So, what can go wrong with this kind of interface? It’s just another unauthenticated access to an online device,” writes the ISC in its alert. “Sure, but the printer owners could face very bad situations.”
Bad situations, indeed. Insecure 3D printers introduce a host of tantalising possibilities for the unscrupulous hacker.
For example, the OctoPrint interface can be used to download the print instructions loaded inside a 3D printer, which is in unencrypted G-code format. This means sensitive print instructions and trade secrets could be easily stolen. Also, with authentication completely disabled, a hacker could upload a G-code file to a printer and, assuming the machine is loaded and ready to go, print a desired 3D object. Imagine waking up in the morning to find that your 3D printer was used to produce a gun or a sex toy.
But this is no joke—the problem with vulnerable 3D printers is actually much more serious. Writing in response to the ISC alert, the developers of OctoPrint had this to say:
Putting OctoPrint onto the public internet is a terrible idea, and I really can’t emphasise that enough. Let’s think about this for a moment, or two, or even three. OctoPrint is connected to a printer, complete with motors and heaters. If some hacker somewhere wanted to do some damage, they could. Most printers can have their firmware flashed over USB. So as soon as the box hosting OctoPrint is compromised, there go any fail safes built into the firmware. All one would have to do, is flash a new, malicious firmware with no safeguards, over USB, and then tell the printer to keep heating, leading to catastrophic failure. Of course there are other reasons to not have an OctoPrint instance available on the public internet, such as sensitive data theft, but catastrophic failure is by far the worst case scenario here.
Actually, there are even worse scenarios to consider.
Because the G-code file can be downloaded, it could be adjusted and uploaded back into the same printer. The modified instructions could result in different physical parameters for the printed object, compromising the integrity and safety of the final product. Once again, 3D guns come to mind, but also pieces for drones or any other mechanical device requiring stable, reliable parts.
This is an issue of bad configuration on the part of the user, and not a fault of the OctoPrint software (though a strong argument can be made that users shouldn’t have the option of making OctoPrint available on the public internet without authentication). The company actually warns its users against enabling access without authentication; this level of unsecured access is not the default mode, requiring the user to have specifically chosen it.
But even in cases where access control is enabled, anonymous users can still see the read-only parts of the user interface, which isn’t ideal. Instead, OctoPrint’s developers recommend that users consider a different form of remote access, like the OctoPrint Anywhere plug-in, Polar Cloud, VPNs, and other solutions.
“This only covers OctoPrint, of course, which raises the possibility that owners using other 3D printer monitoring software might be making the same mistake,” John E. Dunn, a writer at Naked Security, aptly points out.
No doubt, the current situation with exposed 3D printers may be a lot worse than these 3,759 instances, and with more and more stuff getting connected to the internet, it’s clear that users need to get their act together when it comes to securing their devices. But developers have a role to play in this, too, by educating their consumers and eliminating dangerous security settings.
Failure to do so could result in some serious problems, both now and in the future. Imagine, in a horrific hypothetical example, a scenario in which thousands of unsecured 3D bioprinters were hacked and made to produce deadly transmissible viruses, sparking a global pandemic.
Like I said, this is no joke.
[Via Naked Security]