Thousands of misconfigured 3D printers on interwebz run risk of sabotage

Internet-connected 3D printers are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned. Xavier Mertens, a senior handler for the SANS Internet Storm Center (ISC) and freelance cybersecurity consultant, found more than 3,700 3D printers directly connected to …

  1. Paul Crawford Silver badge

    Alternatively...

    Some ne’er-do-wells could just upload files of penises in all imaginable (and some unimaginable) sizes and shapes just to the lutz

    Not that I, as an upstanding member of society, would suggest thrusting such a prank on an already suffering world.

  2. Prst. V.Jeltz Silver badge

    in the next exciting episode...

    Next week's security story:

    Internet-connected {Insert Gadget} are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned.

  3. Prst. V.Jeltz Silver badge
    Terminator

    This is going to be how skynet gets its foothold .....

    1. Paul Crawford Silver badge
      Terminator

      What, to 3D print penises in 12" size?

      How Pintsize sees himself =>

    2. short

      So Skynet's main weapon will be hairballs of slightly stinky plastic thread and the occasional penis?

      Suddenly, I feel less worried.

  4. ivan5

    Why

    Why are these printers ever connected to the internet in the first place?

    1. Chronos

      Re: Why

      Precisely this. It's not as if you're going to be able to do anything about it if the Octoprint camera shows filament spewing out in a big rats' nest that is going to jam the whole thing up imminently while you're miles away watching it over your mobe apart from hitting the reset button and hoping that it doesn't ignore the Z stop - again.

      Besides which, 3D printers shouldn't really be left unattended. Forcing plastic through a nozzle heated to ~200 degrees? What could possibly go wrong?

      Disclaimer: Mine has a WiFi connected serial port for use with Pronterface, which saves me having to bugger about with cables. Its MAC is firewalled off at the router and it gets a bogus default gateway. Security onion and all that...

    2. vtcodger Silver badge

      Re: Why

      Pretty obviously connecting your printer -- 3D, 2D or whatever -- to the Internet is likely not to be a wonderful idea. The problem is that the vast majority of computer users are quite incapable of configuring network enabled devices "safely". My guess is that maybe 4% think they can do so and that less than 1% actually can. I'm no stranger to networking, but I doubt my wireless printer or any other device I've set up is actually "safely configured". Personally, I consider myself lucky if I can manage to get the bloody box to work.

    3. Mark 85 Silver badge

      Re: Why

      Damn good question. Maybe further, why is any printer or other machinery connected to the internet? I know people with CNC mills, laser cutters, etc. that are connected... why?

      1. Anonymous Coward

        Re: Why

        Three reasons: monitoring, troubleshooting and updates.

        A printing job can take hours to print and a fail could cost a day or more. Being able to monitor means you can correct things quickly. Obviously if you are 200 miles away that's not going to help, but 2 miles away is a different situation.

        Troubleshooting problems takes time and costs money; being able to log in and have a look around will save time and costs. Perhaps even prevent an expensive service call. In general for CNC Equipment a service call will cost at least $500 and can easily be 10 times that.

        Updates can be sent remotely and can minimize support requirements.

        AC because I work in the industry.

        1. Anonymous Coward

          Re: Why

          "Three reasons: monitoring, troubleshooting and updates."

          I've got a printer which I *could* attach directly to the GPIO pins of a Raspberry Pi running Octoprint. I don't do this, because it introduces more possible sources of error in the print process, and to be honest, I keep the 3D printer turned off when I'm not using it.

          I have to walk over to the printer to make sure the bed is cleaned with IPA or acetone or smeared in glue stick as appropriate and then turn it on to use it. At that point, I might as well set the bed and hotend preheating, and drop in an SD card containing the gcode of the thing I want to print. I like to watch the first layer (or two) printing, because that's when things are most likely to go wrong, and I'm not sure I'd want to do that through a webcam. I tend to print overnight, having kept a vague eye on things for an hour or two before bed time, so for my use case, there is no advantage at all to using Octoprint.

          On the other hand, pretty much all the things that can go wrong with a 3D print need to be got right *before* the print starts, but monitoring the print does at least allow you to stop wasting plastic on the occasions you got something wrong, so being able to remotely monitor a print could be useful if you're going to print during the day.

  5. K

    Thousands of misconfigured 3D printers on interwebz

    Finally, I can print the stuff I want...

    WIFE: WTF is this?

    ME: The printer, it must have been hacked! Why would I print a replica of Tori Black's marvellous bosoms?

  6. skyhisi
    Facepalm

    RTFM

    You can't blame OctoPrint for this, the first run wizard has a big warning when you disable the access controls.

    As it says in the manual:

    "Upon first start a configuration wizard is provided which allows configuration of the first administrator account or alternatively disabling Access Control (which is NOT recommended for systems that are directly accessible via the Internet!)."

  7. zapgadget

    Oh for &*^&*$£%^$%^ sake!

    Security warning. SSH can be installed on a system that has stupid usernames and passwords, rendering it insecure. That doesn't make it SSH's fault.

    In the case of Octoprint, you have to really go some to make it accessible.

  8. Gene Cash Silver badge

    Set 'em on fire

    Some of these cheap Chinese printers have the firmware's thermal protection disabled (Anet A8 for instance) so they have a distressing tendency to set themselves on fire.

    The next revision of the firmware makes it almost impossible to disable the thermal protection.

    1. Mark 85 Silver badge

      Re: Set 'em on fire

      The next revision of the firmware makes it almost impossible to disable the thermal protection.

      The catch is that this only helps if the firmware is upgraded by the user. Most users haven't a clue on how to update this stuff (or any hardware except for the Windows Updates that have been set to "auto").

      1. phuzz Silver badge

        Re: Set 'em on fire

        Most users haven't a clue on how to update this stuff

        I suspect the sort of people who own 3D printers currently are more likely to update their firmware than the average person. Especially if they're willing to set up Octoprint.

        Although perhaps not if they're going to set up Octoprint and leave it open to the internet, that sounds like the sort of person who would install any old firmware they come across if someone claimed it would 'print 10x faster!'.

  9. Anonymous Coward

    The real question is if you can get arrested if someone else prints a 3d gun with your insecure printer.

    1. Terry 6 Silver badge

      More real* Can you be arrested if your insecure 3d printer is hacked, badly misused by a script kiddie or equivalent, setting your property on fire and killing the people who live in the flat upstairs?

      *They would have to get physical access to the gun.

  10. AS1

    We're users not SECperts

    Outside security professionals, who knows what ACL, port forwarding, network segmentation, etc. mean, let alone their effect?

    Most likely the user has no idea it's internet connected but "just turned it on and hooked it up to the network to get the license working / firmware updates."

    Given tech items need constant updates, practically have to be connected to the internet to even boot past the license and registration screens, and a user base that have little idea what security means beyond yet another email+password login, it's hardly surprising IoT is a cess-pit.


Biting the hand that feeds IT © 1998–2021