A 3D printer remote monitoring company accidentally exposed users' printers to each other after a cloud reconfiguration snafu.
Just over 70 of The Spaghetti Detective's users were able to control others' devices as a result – something the service said it doesn't normally allow to happen.
"I made a stupid mistake last night," wrote the founder of the platform, Kenneth Jiang, in an analysis of what went wrong.
"When I went through the load-balancer reconfiguration, I made a mistake by missing a configuration to let the load balancer pass the public IP address of the connecting client to the backend TSD server. Instead, the load-balancer would just pass its own IP address to the server," he said.
"As a result, the server got the same IP address for the users who happened to be connecting their printer to TSD at the same time. The server thought they were on the same local network, and hence allowed them to link each other's printer!"
Jiang added that his team had been "notified of a case in which a user started a print on someone else's printer" – and linked through to a Reddit post where someone had used a stranger's printer to print the words: "TSD is not secure/ I randomly connected /sorry had to inform u."
Seventy-three users tried to link their printers to The Spaghetti Detective accounts during the lifetime of the config error. The service works through an auto-discovery feature for linking printers to accounts, which Jiang explained as working by detecting printers that have the same IP address as the user. This procedure appears to serve as an authentication measure, a design feature that seems unwise. Spoofing IP addresses is an attack technique as old as the hills.
Affected users were informed by TSD, said Jiang, who added that secure tokens for their printers had been disabled so that "only the people who have physical access to that printer" can start to remotely control it again. An update was pushed within six hours of the load-balancer config snafu first happening, 90 minutes after someone noticed other users' printers were visible in his account.
- Another 3D printer? Oh, stop it, you're killing us. Perhaps literally: Fears over ultrafine dust
- Buy a household 3D printer, it'll pay for itself in months!
- Scottish rocketeers Orbex commission Europe's largest industrial 3D printer to crank out 35 engines a year
- Burn baby burn, plastic inferno! Infosec researchers turn 3D printers into self-immolating suicide machines
The Spaghetti Detective is a platform that gives 3D printer owners peace of mind by, so it says, using "AI" to "intervene and catch failures early" during the 3D printing process. Its name refers to a side-effect of 3D printing going wrong, where a time-consuming print may result in random strands and tendrils of plastic filament ending up splurged over the project.
A 3D-printing craftsman told The Register the scope for mischief with a 3D printer would be "fairly limited" as the devices "tend to be fairly safe."
"The most dangerous thing is the potential for fire," he said. "There are temperature sensors that built in for regulation, and these will cause the printer's software to shut down the heaters if they overtemp."
Separately, last year, the appropriately named infosec biz Coalfire discovered a way of tampering with Flashforge 3D printer firmware updates to bypass thermal limits. Among other issues Coalfire pointed out was the apparent lack of signing for firmware updates, meaning anyone could install any binary to the device. ®