Burn baby burn, plastic inferno! Infosec researchers turn 3D printers into self-immolating suicide machines

Some 3D printers can be flashed with firmware updates downloaded directly from the internet – and an infosec research firm says it has discovered a way to spoof those updates and potentially make the printer catch fire. Research from the appropriately named Coalfire biz claimed printers from Chinese company Flashforge could be …

  1. heyrick Silver badge

    the real life physical dangers inherent in attaching all these home appliances to the internet

    And this is just the beginning.

    1. Smooth Newt Silver badge
      Happy

      Re: the real life physical dangers inherent in attaching all these home appliances to the internet

      It seems obvious that malicious firmware could cause all sorts of very spectacular problems, like planes falling out of the sky and cars crashing, without having to demonstrate it.

      1. bombastic bob Silver badge
        Meh

        Re: the real life physical dangers inherent in attaching all these home appliances to the internet

        It seems obvious that malicious firmware could cause all sorts of very spectacular problems

        maybe to El Reg readers, but apparently not to the makers of this particular 3D printer...

        (I doubt they did this negligently, most likely they just didn't know what could happen if the firmware were maliciously crafted)

    2. IceC0ld Silver badge
      Facepalm

      Re: the real life physical dangers inherent in attaching all these home appliances to the internet

      ah, the beginning, who here remembers the 'deadly' attack of the CD player drawer opening and closing ALL ON ITS OWN :o)

      I suppose it was only going to be a matter of time before someone managed to 'weaponise' a web connected device :o(

      waiting for Gen3

      where pressing the front door bell, starts the toaster on a meltdown .............................

      only half joking :o(

    3. iron Silver badge

      Re: the real life physical dangers inherent in attaching all these home appliances to the internet

      Since when is a 3D printer a HOME appliance?

      I'd have a lot more respect for "security researchers" if they didn't all act like Chicken Little.

      1. PassiveSmoking

        Since when is a 3D printer a HOME appliance?

        Since Aldi started selling them?

        1. NorthIowan

          Re: Since when is a 3D printer a HOME appliance?

          The UK Aldis seem to have more than the groceries my local US one has.

          1. John Brown (no body) Silver badge

            Re: Since when is a 3D printer a HOME appliance?

            Take a look at aldi.co.uk.

            FWIW, the middle aisle is all non-food. Range changes constantly. There's regular specials (Thurs and Sun) which often includes electricals/electronics, cycling gear, camping gear, hobby stuff, pretty much anything really, often seasonal related. I got my first breadmaker machine from there about 10 years ago. Cheap and cheerful, but usually good enough considering the price.

            Same applies to Lidl (if you have them over there too)

      2. PC Paul

        Re: the real life physical dangers inherent in attaching all these home appliances to the internet

        I'm at home. I have two. They aren't that unusual (or expensive) these days.

        1. Smooth Newt Silver badge
          Happy

          Re: the real life physical dangers inherent in attaching all these home appliances to the internet

          I'm at home. I have two. They aren't that unusual (or expensive) these days.

          And I'm sitting here looking at an oscilloscope and a programmable function generator. Whilst for me a "home appliance" is a device intended to assist with a domestic task like cooking, cleaning and food preservation, for other people it means "any device that someone owns in a private capacity and uses at home".

          I guess that would be anything except a nuclear reactor or a deep water oil drilling platform then.

          1. bpfh Silver badge

            Re: the real life physical dangers inherent in attaching all these home appliances to the internet

            David Hahn called and wants his reactor parts back....

            1. Smooth Newt Silver badge

              Re: the real life physical dangers inherent in attaching all these home appliances to the internet

              David Hahn called and wants his reactor parts back...

              Make that "except a licensed nuclear reactor"

          2. Sherrie Ludwig

            Re: the real life physical dangers inherent in attaching all these home appliances to the internet

            And I'm sitting here looking at an oscilloscope and a programmable function generator. Whilst for me a "home appliance" is a device intended to assist with a domestic task like cooking, cleaning and food preservation, for other people it means "any device that someone owns in a private capacity and uses at home".

            Have 3d printed knobs for said appliances, a gizmo to push elevator buttons, etc. in these infective times, so yes it is a home appliance here.

  2. Dwarf Silver badge

    Is this really news ?

    I'm sitting here with a 3D printer printing right now ... ahh the lovely smell of the flowers from the garden ... at least I hope that's what I'm smelling

    Seriously though, even official 3D printer firmware has had this issue, check out the Teaching Tech video.

    Is this any different to any computer controlled widget though - your toaster, coffee maker, fridge or TV set ?

    Any control output, if reconfigured by malicious software could do nasty things. How about defrosting your fridge and freezer and turning your audio system up to maximum when you are on holiday.

    There are also those unfortunate situations where bad places doing things with centrifuges to make nukes seem to suffer from a higher than normal failure rates as their control systems make them self destruct... or so I've heard..

    So, this is not just a 3D printer issue.

    1. Anonymous Coward

      Re: Is this really news ?

      > So, this is not just a 3D printer issue.

      The researcher says in the article...

      > "We wanted to do a project showing the real life physical dangers inherent in attaching all these home appliances to the internet," Coalfire senior researcher Dan McInerney told The Register.

      1. Smooth Newt Silver badge
        Meh

        Re: Is this really news ?

        "We wanted to do a project showing the real life physical dangers inherent in attaching all these home appliances to the internet," Coalfire senior researcher Dan McInerney told The Register.

        Whilst it is an interesting enough project, it might have been better to have used a home appliance then, such as a cooker or a washing machine.

        A 3-D printer is not a home appliance, any more than a small CNC lathe or industrial robot is.

        1. Anonymous Coward

          Re: A 3-D printer is not a home appliance, any more than a small CNC lathe or industrial robot is.

          Well, it seems to me that your home is in dire need of an upgrade, then [1] :-)

          .

          .

          [1] As is mine :-(

        2. Adrian 4 Silver badge

          Re: Is this really news ?

          That's a bizarre argument.

          The cheap ones commonly sold at places like Amazon or Aldi clearly aren't meant for industrial or educational uses. So if they're not meant for homes, what are they meant for ?

          I'll grant you that not every home - by a long way - will have one. But that's purely a function of the homeowner's interests, as with any device. You could say the same about home computers, sewing machines, or footballs. To some people they're essential. To others, not so much.

        3. PassiveSmoking

          Re: Is this really news ?

          > A 3-D printer is not a home appliance, any more than a small CNC lathe or industrial robot is.

          Speak for yourself. No home is complete without its own minifacturing workshop

    2. John Brown (no body) Silver badge

      Re: Is this really news ?

      "So, this is not just a 3D printer issue."

      Not so long ago, many homes had internet connected CRT devices, ie computer monitors. Malicious software could play with the frequencies and set them on fire too, so no, it's not new at all. I never heard of anyone who did it though.

  3. Peter Mount
    Flame

    Not really new

    Any 3d printer can catch fire, which is why they shouldn't be left unattended.

    Remember, 3D printers run at high temperatures, I'm usually running the extruder anywhere between 180C & 200C

    All you need is either a head crash or the filament to fail to extrude so it builds up as a blob around the nozzle & it will overheat. I've seen pics of print heads encased in a plastic cocoon which effectively needed them replacing, but if left longer could have been more serious.

    Whenever I use my printer I'm always around & can literally pull the plug if things get serious.

    1. Chris G Silver badge

      Re: Not really new

      Looks like a good reason to have an old fashioned thermostat that prevents the software from allowing the operating temperature to go beyond a certain threshold.

      Too much equipment relies on software for safety critical systems without physical redundancy, some scrote hundreds or thousands of miles away can't hack a physical thermostat.

      1. FeepingCreature

        Re: Not really new

        They do have that, but there's issues where it comes loose from the print head and then the printer underestimates the temperature.

        1. Anonymous Coward

          Re: Not really new

          One of the ways the software detects thermal runaway is by noticing a discrepancy between the heat requested and the measurement coming back from the printer. Greater than a few percent and it'll shut the power to the print head off. I've had it happen when a fan failed.

          1. gobaskof

            Re: Not really new

            I regularly run prints for well over a day. I go out, I go to sleep. As said above, decent printers have thermal runaway detection in the firmware. Besides, when it goes bad and embeds the head in plastic the plastic does not set fire, you just end up cocooning the Olsson block in plastic, annoying to remove (best avoided with a silicone sock).

          2. FeepingCreature

            Re: Not really new

            Here's the sad part. Most cheap Chinese printers use a variation of the open-source Marlin firmware. Marlin has a check for this (THERMAL_PROTECTION_HOTENDS).

            It's often turned off. Why? Cause the sensor is so bad or badly-tuned that it triggers in normal operation.

            And that's why your first step on getting a new printer is "open it up and reflash the firmware with a manual build."
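
The check discussed in the comments above (heater on while the reading fails to follow the target, and a protection window that a poor sensor trips in normal operation), as an added example that is not part of the thread and is not Marlin's code. It is a simplified model; all names, thresholds and temperature traces are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Tuning values and all names here are hypothetical, chosen for this sketch. */
typedef struct {
    double hysteresis_c;   /* tolerated shortfall below target once at temperature */
    int    period_s;       /* how long that shortfall may persist */
    double watch_rise_c;   /* minimum rise expected per watch window while heating */
    int    watch_period_s; /* length of the heat-up watch window */
} tr_config;

typedef enum { TR_HEATING, TR_STABLE, TR_TRIPPED } tr_state;

typedef struct {
    tr_config cfg;
    tr_state  state;
    double    target_c, watch_base_c;
    int       timer_s;
} tr_watchdog;

static void tr_start(tr_watchdog *w, tr_config cfg, double target_c, double reading_c) {
    w->cfg = cfg; w->state = TR_HEATING; w->target_c = target_c;
    w->watch_base_c = reading_c; w->timer_s = 0;
}

/* Call once per second while the heater is enabled. Returns false once the
 * heater must be cut; the trip is latched so a later "good" reading cannot
 * re-enable power. */
static bool tr_tick(tr_watchdog *w, double reading_c) {
    bool below = reading_c < w->target_c - w->cfg.hysteresis_c;
    switch (w->state) {
    case TR_HEATING:
        if (!below) { w->state = TR_STABLE; w->timer_s = 0; break; }
        if (++w->timer_s >= w->cfg.watch_period_s) {
            /* Heater has been on for a full window: the reading must have moved. */
            if (reading_c - w->watch_base_c < w->cfg.watch_rise_c) w->state = TR_TRIPPED;
            w->watch_base_c = reading_c; w->timer_s = 0;
        }
        break;
    case TR_STABLE:
        if (!below) w->timer_s = 0;
        else if (++w->timer_s >= w->cfg.period_s) w->state = TR_TRIPPED;
        break;
    case TR_TRIPPED:
        break;
    }
    return w->state != TR_TRIPPED;
}

/* Constructed thermistor traces (deg C at second t), target 200 C. */
static double sample(int scenario, int t) {
    double healthy = 25.0 + 5.0 * t > 200.0 ? 200.0 : 25.0 + 5.0 * t;
    switch (scenario) {
    case 1: /* sensor works loose at t=60 and cools toward ambient */
        if (t <= 60) return healthy;
        return 200.0 - 10.0 * (t - 60) < 25.0 ? 25.0 : 200.0 - 10.0 * (t - 60);
    case 2: /* sensor never in contact with the hot end: stuck at ambient */
        return 25.0;
    case 3: /* poor sensor: 3 s dips of 15 C every 10 s once at temperature */
        return (t >= 40 && t % 10 < 3) ? 185.0 : healthy;
    default:
        return healthy;
    }
}

/* Returns the second at which power is cut, or -1 if it never is. */
int run_scenario(tr_config cfg, int scenario, int duration_s) {
    tr_watchdog w;
    tr_start(&w, cfg, 200.0, sample(scenario, 0));
    for (int t = 1; t <= duration_s; t++)
        if (!tr_tick(&w, sample(scenario, t))) return t;
    return -1;
}

static const tr_config TUNED = { 4.0, 40, 2.0, 20 };
static const tr_config TIGHT = { 4.0, 2, 2.0, 20 };  /* window too short for this sensor */

int main(void) {
    printf("healthy=%d loose=%d detached=%d noisy/tuned=%d noisy/tight=%d\n",
           run_scenario(TUNED, 0, 300), run_scenario(TUNED, 1, 300),
           run_scenario(TUNED, 2, 300), run_scenario(TUNED, 3, 300),
           run_scenario(TIGHT, 3, 300));
    return 0;
}
```

The noisy trace trips only under the `TIGHT` settings, which is the false-positive case that widening the window addresses without switching the check off.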

  4. PassiveSmoking

    Hardware failsafes?

    Why are there no hardware fail-safes that are physically hardwired into these things? Like a thermistor hardwired to a relay that cuts the power to the print head if it exceeds, say, 270c? Or a physical fuse that blows when it draws too many amps?

    Come on guys, this is undergrad stuff. Literally. My computer science BSc included a module on engineering ethics, wherein we covered the infamous Therac-25 radiotherapy machines where wonky software allowed them to operate in modes that cooked the patient with high-energy electron beams. Previous machines had included hardware interlocks and fuses which blew when the machine was activated in a dangerous configuration, but they'd been removed in the 25 which was dependent entirely on software for safety. Said software was full of bugs that the previous machine's hardware interlocks had covered up, but those interlocks no longer existed, and people died as a result.

    1. Adrian 4 Silver badge

      Re: Hardware failsafes?

      You know the answer to that : it's the old favourite, cost. And, to some extent, practicality. What use would a 270C limit be when paper ignites (famously) at 232C (451F) ?

      1. Emir Al Weeq

        Re: Hardware failsafes?

        Paper? In a 3D printer?

        1. John Brown (no body) Silver badge
          Coat

          Re: Hardware failsafes?

          You've not seen the new Origami printers?

      2. ProfessorLarry

        Re: Hardware failsafes?

        Autoignition temp of ordinary paper is actually around 480F. But "Fahrenheit 451" is a cooler (ha ha) book title.

    2. Fruit and Nutcase Silver badge

      Re: Hardware failsafes?

      a module on engineering ethics

      Boeing 737 Max MCAS taking input from a single AOA sensor...?

  5. Mike 137 Silver badge

    For want of a nail (thermal cutout actually)

    "While there was code preventing the printer head from exceeding 261°C (501.8°F), Coalfire claimed it was able to bypass it"

    Relying on a software controlled thermostat alone seems fragile. When I was designing and building high temperature equipment, we always built in at least one bimetallic thermal cut-out so everything would shut down before anything caught fire. They cost no more than a couple of dollars in one-off quantities (much less in bulk). Obviously the makers didn't think of this.

    1. bombastic bob Silver badge
      Devil

      Re: For want of a nail (thermal cutout actually)

      Relying on a software controlled thermostat alone seems fragile

      In a device that has SO little hardware because the CPU is doing the job of discrete electronic components, this isn't surprising. It's cheaper just to assume nothing will go wrong, etc.

      Perhaps for regulations like CE and underwriter labs like UL, and for other such "safety rating" lists, an IOT or "internet download upgradeable" device should demonstrate that it has sufficient safety features in the design to prevent a firmware image from causing things _like_ "halt and catch fire"

    2. John Brown (no body) Silver badge

      Re: For want of a nail (thermal cutout actually)

      "They cost no more than a couple of dollars in one-off quantities (much less in bulk). Obviously the makers didn't think of this."

      The software thermal cut off probably cost 10s of $ at most for a one off and then can be replicated for free in every model ever produced. I suspect the makers very much did think about this.

      1. Withdrawn

        Re: For want of a nail (thermal cutout actually)

        The solution here is obvious. Someone needs to come up with a hardware failsafe that can be 3d printed, then the plans can be distributed with the machines.

  6. tony2heads
    Flame

    same old

    just a new version of 'lp0 on fire'

    Icon: obvious

  7. FeepingCreature

    Hey! Not fair!

    I put a *lot of work* into making my printer be flashable over the internet! Opened it up and ran wires to a Raspi and everything! And those people just get it by default? Unfair, I say!

    If someone gets at your printer's control interface you are pretty much fucked regardless. You can't lock that down and still run halfway customizable hardware. Personally I'd much rather have chips be flashable than not. At least that way you actually need to break into my home net and not, say, into some Chinese company's semi-secure cloud.

  8. Bitsminer

    old story is new again

    Wayyy back in the 1980s, there was a computer manufacturer, Digital E---something-something. They sold a very novel thing at the time, a "laser" printer. Not a laser sword, laser scanner or laser CD-player, but a printer.

    Turns out the laser printer used a drum and powder combination to print a whole page of text in one go. This was much better than character-at-a-time wheel or dot-matrix units.

    This unit used a heated drum to fuse the powder pattern onto ordinary bond paper, thus achieving "printing". Well, as long as the drum and the paper didn't get too close to each other for too long.

    Alas, one day, the paper stuck, the drum stuck, the heater behind the drum kept on heating. The said paper began to smo(u)lder, then smoke, then halt and catch fire. Well, it was already halted, but you know what I mean.

    We unplugged it. We had to explain, oh, about 200 times how the paper was not ignited by the laser, but by a heater. Ooooh, suuuure.

    DEC LN01. Good times^h^h^h^h^hold days.

    1. J. Cook Silver badge

      Re: old story is new again

      Pretty much any modern laser printer that uses toner also has a fuser to melt the toner into the paper. Now, normally the hot roller in the fuser assembly is coated with something like teflon to keep the paper and toner from sticking to it, but paper's really freaking abrasive over time, and the teflon wears out. (which is why you'll get repeat defects of a certain size when the fuser's old and needs replacement.)

      One thing that I had to do a number of years ago was to crack open a brand new color laser printer, because some chucklehead ran a sheet of printable iron-on transfer paper through the printer, thinking it was for an inkjet.

      Narrator voice: It wasn't.

      The iron on transfer melted to itself and wrapped around the fuser. I was able to fix it, but still....

      Also, laser printers do have a thermal cutout (or should!) for the fuser, although I've never seen one trip.

      Getting back on topic: I have a couple 3d printers; both are powered off until I'm ready to use them, and I also don't leave the house while they are running, because fire hazard. (also, cats.)

      1. bpfh Silver badge

        Re: old story is new again

        IBM 4317 laser printer- got a call for a paper jam, found about 9 pages of paper stuck into the hot roll starting to smoulder, as the heating lamp did not turn off for some reason once the printer reported the jam... all on standard firmware...

        1. John Brown (no body) Silver badge

          Re: old story is new again

          Ditto, never actually on fire, but paper wrapped around the fuser all brown and crispy and flaking into bits that had to be cleaned out. Also, once had to throw away a fuser when dipstick tried to print onto an A4 OHP sheet not rated for laser/photocopier use.

    2. Anonymous Coward

      Re: old story is new again

      LOL. Xerox beat DEC to it. We had a printer do exactly that, and were told by Legal not to say 'fire', but 'smoulder' instead.

      I'll go you one better. We had printers dump the entire powder reservoir into the cooling fan, dusting our customer’s office with toner. Lovely.

  9. MachDiamond Silver badge

    I'm intrigued

    The phrase "Some 3D printers can be flashed with firmware updates downloaded directly from the internet". Is this opposed to having to get the update in the post on a thumb drive? Should it only be available through a gatekeeper like Apple or Google? Or, is the printer connected to the internet and left to download anything it wants?

    I'm one of those weirdos that likes to get updates directly from the manufacturer's/author's website. I also don't want anything to download and install an update without my approval. I have old software that I've never updated because it does the job I bought it for and I don't want to purchase a brand new computer that runs on an even more bloated operating system to use it. Some things are the pinnacle of perfection for what they are and updates are usually the company bolting on window dressing to make people spend more money with them. /rant

  10. HildyJ Silver badge
    WTF?

    Infosec researchers

    Articles with Infosec researchers in the title seem to be more and more like click bait. They tend to describe scenarios that would be extremely difficult to accomplish with no explanation of why anyone would try to accomplish them.

    I assume a similar attack could change the firmware in my TV so that it could only tune to Fox News.

    Would I care? Yes. Would I worry? No.

    1. Cheerios

      Re: Infosec researchers

      Exactly, attempted murder that's really just mischief at best can be carried out far more easily and effectively.

  11. Blackjack Silver badge

    The Internet of break things strikes again!

    Quick, unplug the Internet cable before the Death Star self destructs!

  12. Claptrap314 Silver badge

    Yeah, but...

    "McInerney suggested that manufacturers should look at signing their firmware." Also, that they not have their customers playing in the middle of the highway.

  13. Inkey
    IT Angle

    I'd be more worried about...

    The dodgy connectors to the driver boards and PS connectors ... they may as well be made of chocolate ... well some anyway.. had to appease ms 1nky with fancy co fire alarm and an all purpose fire extinguisher (kept away from printer so you can get to it) after a connection to the board wiggled a bit loose and started "smouldering" ... properly soldered connection fixed that right up... and I have seen/heard of printers catch fire and damage homes because of subpar connectors...

    Honestly unless you're doing prints that take more than 10 hours why would you leave it on and why would you need it connected to the big blue.

    There are platforms that can cope with multiple machines on a network and have pretty good security.... yocto is foss...

    Also if you need access to the network to get the compromise to stick why not just use a Molotov cocktail way more efficient....

  14. Unicornpiss Silver badge
    Flame

    (non) 3D printers

    Years ago, in another IT life, I worked on POS equipment (in both senses of the acronym). We had many thermal NCR receipt printers. These printers would last forever and print millions of lines with no trouble. Except... I was called upon to replace one that had caught fire. Either a logic fault or short in the final drive for the printhead caused it to turn on its heating element continually. The printer burned (with visible flames) until someone noticed it and hurriedly unplugged it and put it out. It was rather melted when I came upon it. These printers were on all the time, so probably fortunate the business was open when it malfunctioned.

  15. Richard 12 Silver badge

    Required physical access

    So it's a non-story.

    If someone can physically get to the printer, they could do literally anything. That's why we have locks on our doors.

    Though quite why they would install dangerous firmware as opposed to stealing all my stuff is beyond me.

  16. whitepines Silver badge
    Thumb Down

    Just Say No

    McInerney suggested that manufacturers should look at signing their firmware.

    Did he also suggest that the manufacturer support the device for the lifetime of its (quite possibly corporate) owner? With a hard, financially backed guarantee of design file security and privacy? This is just recommending a 3DPaaS scheme with you providing the electricity, space, replacement parts, and maintenance labor for free, with a nice big helping of post-sale monetization and forced obsolescence on the side. Sweet deal for the vendor, not so much for you.

    I specifically avoid anything with signed firmware because I'm far more likely to be screwed over by the vendor than some random hacker (see Netgear, though I've always avoided their tat like the plague). Besides, Marlin does everything I could ever want for 3D printing and then some -- and without an Ethernet connection, you'd have to hack the host it's connected to before anything bad could even possibly happen.

    Even with the potential for a firmware hack, how is that significantly different than a thermistor failing or a heater drive FET shorting out? Why not add a 1p thermal fuse on the printhead for protection against all of these failure modes?

    Or, try not storing your 3D printer plugged in next to petrol containers if you're worried about this kind of thing.

  17. Danny Boyd

    Whatever a man can build...

    ... another man can screw up.

    (Is it a derivative of Murphy's Law?)


Biting the hand that feeds IT © 1998–2020