Thousands of misconfigured 3D printers on interwebz run risk of sabotage
Security controls aren't there to just look pretty, you know
Internet-connected 3D printers are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned.
Xavier Mertens, a senior handler for the SANS Internet Storm Center (ISC) and freelance cybersecurity consultant, found more than 3,700 3D printers directly connected to the internet.
"These printers are controlled using the open source software package 'OctoPrint' but it's likely there are other tools that are similarly affected. OctoPrint is not meant to be exposed in this way, and it explains in its documentation how to deploy the software in a safe way," Mertens explained.
OctoPrint is a web interface for 3D printers that allows users to control and monitor the printer. As things stand, many OctoPrint instances are not properly configured and do not enforce authentication, according to Mertens. Once they have access to the printer, an attacker would be able to download the files that describe parts being printed.
Some of these G-code files may be proprietary, copyrighted or contain trade secrets. An attacker would also be able to swap out these files, replacing them with files that describe similar parts that are "weakened" to produce substandard or unsafe parts.
In response to questions from The Register, an OctoPrint dev emphasised the need for user education.
"This really has nothing to do with 'lack of security controls', the controls (e.g. ACL) are there, it's been recommended over and over again that users should NOT just port forward! The problem here is users going out of their way to expose internal services on the public net.
"There's no way to prevent people from exposing internal services on the net. I try to educate, I'm working on yet another prominent warning, but I can't force people to perform proper (and inconvenient) network security."
3D printers are used to make anything from toys to medical components so if a part's dimensions were meddled with, it could have serious safety implications.
"The problem is not related to the printer, rather if OctoPrint is incorrectly configured and left open on the internet," Mertens told El Reg. In addition, some printers do not have safety switches to prevent them from overheating, which means an attacker could attempt to start a fire by uploading a malicious file.
Mertens said both 3D printers and the files for parts being printed can be protected by ensuring network segmentation; enabling the security controls provided by the tool; and other access controls.
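One of the controls a printer operator can add on top of authentication is a pre-print check of uploaded G-code for the overheating scenario described above. The following is an added example, not code from the article or from the OctoPrint project: it scans a job for Marlin-style heater commands (M104/M109 for the hotend, M140/M190 for the bed) whose S or R target exceeds a ceiling, and the ceilings themselves are assumed values for a typical hobbyist machine rather than figures from the page.

```python
import re
from dataclasses import dataclass

# Assumed safe ceilings (degrees C); tune to the real printer's hardware limits.
MAX_HOTEND_C = 260
MAX_BED_C = 110

HOTEND_CMDS = {"M104", "M109"}   # set hotend target (M109 also waits)
BED_CMDS = {"M140", "M190"}      # set bed target (M190 also waits)
TEMP_RE = re.compile(r"\b[SR](-?\d+(?:\.\d+)?)")  # S<temp> or R<temp>


@dataclass
class Violation:
    line_no: int
    command: str
    target_c: float
    limit_c: float


def strip_comment(line: str) -> str:
    """Drop a trailing ';' comment so commented-out commands are ignored."""
    return line.split(";", 1)[0].strip()


def scan_gcode(text: str, max_hotend=MAX_HOTEND_C, max_bed=MAX_BED_C):
    """Return every heater command whose target exceeds the allowed ceiling."""
    violations = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        cmd = line.split()[0].upper()
        if cmd in HOTEND_CMDS:
            limit = max_hotend
        elif cmd in BED_CMDS:
            limit = max_bed
        else:
            continue
        m = TEMP_RE.search(line)
        if m is None:
            continue  # bare "M104" with no target turns the heater off
        target = float(m.group(1))
        if target > limit:
            violations.append(Violation(n, cmd, target, limit))
    return violations


def is_safe(text: str) -> bool:
    return not scan_gcode(text)


# Constructed sample job; lines 5 and 6 carry tampered, out-of-range targets.
SAMPLE = """; constructed sample, not from any real print
M140 S60      ; bed to 60C
M104 S210     ; hotend to 210C
G28           ; home all axes
M109 S999     ; hotend to 999C (tampered)
M190 S200     ; bed to 200C (tampered)
G1 X10 Y10 F3000
M104 S0       ; heaters off
"""

if __name__ == "__main__":
    for v in scan_gcode(SAMPLE):
        print(f"line {v.line_no}: {v.command} target {v.target_c}C exceeds {v.limit_c}C")
```

Run this over a file before queuing it (or from a pre-upload hook) and reject or quarantine anything that returns a non-empty list.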
More on his thoughts on the subject can be found in an ISC blog post here. ®