the real life physical dangers inherent in attaching all these home appliances to the internet
And this is just the beginning.
Some 3D printers can be flashed with firmware updates downloaded directly from the internet – and an infosec research firm says it has discovered a way to spoof those updates and potentially make the printer catch fire. Research from the appropriately named Coalfire biz claimed printers from Chinese company Flashforge could be …
It seems obvious that malicious firmware could cause all sorts of very spectacular problems
maybe to El Reg readers, but apparently not to the makers of this particular 3D printer...
(I doubt they did this negligently, most likely they just didn't know what could happen if the firmware were maliciously crafted)
ah, the beginning, who here remembers the 'deadly' attack of the CD player drawer opening and closing ALL ON ITS OWN :o)
I suppose it was only going to be a matter of time before someone managed to 'weaponise' a web connected device :o(
waiting for Gen3
where pressing the front door bell, starts the toaster on a meltdown .............................
only half joking :o(
Take a look at aldi.co.uk.
FWIW, the middle aisle is all non-food. Range changes constantly. There's regular specials (Thurs and Sun) which often includes electricals/electronics, cycling gear, camping gear, hobby stuff, pretty much anything really, often seasonal related. I got my first breadmaker machine from there about 10 years ago. Cheap and cheerful, but usually good enough considering the price.
Same applies to Lidl (if you have them over there too)
I'm at home. I have two. They aren't that unusual (or expensive) these days.
And I'm sitting here looking at an oscilloscope and a programmable function generator. Whilst for me a "home appliance" is a device intended to assist with a domestic task like cooking, cleaning and food preservation, for other people it means "any device that someone owns in a private capacity and uses at home".
I guess that would be anything except a nuclear reactor or a deep water oil drilling platform then.
> And I'm sitting here looking at an oscilloscope and a programmable function generator. Whilst for me a "home appliance" is a device intended to assist with a domestic task like cooking, cleaning and food preservation, for other people it means "any device that someone owns in a private capacity and uses at home".
Have 3d printed knobs for said appliances, a gizmo to push elevator buttons, etc. in these infective times, so yes it is a home appliance here.
I'm sitting here with a 3D printer printing right now ... ahh the lovely smell of the flowers from the garden ... at least I hope that's what I'm smelling
Seriously though, even official 3D printer firmware has had this issue, check out the Teaching Tech video.
Is this any different to any computer controlled widget though - your toaster, coffee maker, fridge or TV set ?
Any control output, if reconfigured by malicious software could do nasty things. How about defrosting your fridge and freezer and turning your audio system up to maximum when you are on holiday.
There are also those unfortunate situations where bad places doing things with centrifuges to make nukes seem to suffer from higher than normal failure rates as their control systems make them self destruct... or so I've heard..
So, this is not just a 3D printer issue.
> So, this is not just a 3D printer issue.
The researcher says in the article...
> "We wanted to do a project showing the real life physical dangers inherent in attaching all these home appliances to the internet," Coalfire senior researcher Dan McInerney told The Register.
> "We wanted to do a project showing the real life physical dangers inherent in attaching all these home appliances to the internet," Coalfire senior researcher Dan McInerney told The Register.
Whilst it is an interesting enough project, it might have been better to have used a home appliance then, such as a cooker or a washing machine.
A 3-D printer is not a home appliance, any more than a small CNC lathe or industrial robot is.
That's a bizarre argument.
The cheap ones commonly sold at places like Amazon or Aldi clearly aren't meant for industrial or educational uses. So if they're not meant for homes, what are they meant for?
I'll grant you that not every home - by a long way - will have one. But that's purely a function of the homeowner's interests, as with any device. You could say the same about home computers, sewing machines, or footballs. To some people they're essential. To others, not so much.
"So, this is not just a 3D printer issue."
Not so long ago, many homes had internet connected CRT devices, ie computer monitors. Malicious software could play with the frequencies and set them on fire too, so no, it's not new at all. I never heard of anyone who did it though.
Any 3d printer can catch fire, which is why they shouldn't be left unattended.
Remember, 3D printers run at high temperatures, I'm usually running the extruder anywhere between 180C & 200C
All you need is either a head crash or the filament to fail to extrude so it builds up as a blob around the nozzle & it will overheat. I've seen pics of print heads encased in a plastic cocoon which effectively needed them replacing, but if left longer could have been more serious.
Whenever I use my printer I'm always around & can literally pull the plug if things get serious.
Looks like a good reason to have an old fashioned thermostat that prevents the software from allowing the operating temperature to go beyond a certain threshold.
Too much equipment relies on software for safety critical systems without physical redundancy, some scrote hundreds or thousands of miles away can't hack a physical thermostat.
I regularly run prints for well over a day. I go out, I go to sleep. As said above, decent printers have thermal runaway detection in the firmware. Besides, when it goes bad and embeds the head in plastic the plastic does not set fire, you just end up cocooning the Olsson block in plastic, annoying to remove (best avoided with a silicone sock).
Here's the sad part. Most cheap Chinese printers use a variation of the open-source Marlin firmware. Marlin has a check for this (THERMAL_PROTECTION_HOTENDS).
It's often turned off. Why? Cause the sensor is so bad or badly-tuned that it triggers in normal operation.
And that's why your first step on getting a new printer is "open it up and reflash the firmware with a manual build."
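The kind of firmware-side check the comment above refers to, as an added example that is not part of the thread and is not Marlin's code: a hard ceiling plus a runaway test that tolerates brief sensor dips, which is the tuning trade-off the commenter describes. The 261°C ceiling is the figure quoted from the article; the 40 s window, the 4°C band and all names are assumptions made for this sketch.

```c
#include <stdbool.h>
#include <stdio.h>

#define HARD_MAX_C     261.0f /* ceiling quoted in the article */
#define HYSTERESIS_C   4.0f   /* assumed: tolerated dip below the setpoint */
#define WATCH_PERIOD_S 40     /* assumed: how long a dip may last */

typedef enum { TP_OK, TP_MAXTEMP, TP_RUNAWAY } tp_fault;
typedef struct { float target_c; bool reached; int dip_s; } tp_state;

/* Call once per second with the commanded setpoint and the sensor reading. */
tp_fault tp_check(tp_state *s, float target_c, float measured_c) {
    /* Ceiling is checked first and does not depend on the setpoint. */
    if (measured_c >= HARD_MAX_C) return TP_MAXTEMP;
    if (target_c != s->target_c) {            /* new setpoint: start over */
        s->target_c = target_c; s->reached = false; s->dip_s = 0;
    }
    if (target_c <= 0.0f) return TP_OK;       /* heater commanded off */
    if (measured_c >= target_c - HYSTERESIS_C) {
        s->reached = true; s->dip_s = 0;      /* in band: clear the timer */
        return TP_OK;
    }
    if (!s->reached) return TP_OK;            /* warm-up is not covered here */
    /* Heater is on but the reading stays low: sensor detached or failed. */
    return (++s->dip_s > WATCH_PERIOD_S) ? TP_RUNAWAY : TP_OK;
}

/* Constructed scenario: reach the setpoint, then read dip_c for dip_s seconds. */
tp_fault tp_simulate(float target_c, float dip_c, int dip_s) {
    tp_state s = {0};
    tp_fault f = tp_check(&s, target_c, target_c);
    for (int i = 0; i < dip_s && f == TP_OK; i++)
        f = tp_check(&s, target_c, dip_c);
    return f;
}

int main(void) {
    printf("10 s dip:  %d\n", tp_simulate(200.0f, 190.0f, 10));
    printf("41 s dip:  %d\n", tp_simulate(200.0f, 190.0f, 41));
    printf("overshoot: %d\n", tp_simulate(200.0f, 262.0f, 1));
    return 0;
}
```

A check like this lives in the same firmware image that a spoofed update would replace, so it covers component faults only. The hardwired cut-outs discussed elsewhere in the thread are the part that survives a malicious flash.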
Why are there no hardware fail-safes that are physically hardwired into these things? Like a thermistor hardwired to a relay that cuts the power to the print head if it exceeds, say, 270c? Or a physical fuse that blows when it draws too many amps?
Come on guys, this is undergrad stuff. Literally. My computer science BSc included a module on engineering ethics, wherein we covered the infamous Therac-25 radiotherapy machines where wonky software allowed them to operate in modes that cooked the patient with high-energy electron beams. Previous machines had included hardware interlocks and fuses which blew when the machine was activated in a dangerous configuration, but they'd been removed in the 25 which was dependent entirely on software for safety. Said software was full of bugs that the previous machine's hardware interlocks had covered up, but those interlocks no longer existed, and people died as a result.
"While there was code preventing the printer head from exceeding 261°C (501.8°F), Coalfire claimed it was able to bypass it"
Relying on a software controlled thermostat alone seems fragile. When I was designing and building high temperature equipment, we always built in at least one bimetallic thermal cut-out so everything would shut down before anything caught fire. They cost no more than a couple of dollars in one-off quantities (much less in bulk). Obviously the makers didn't think of this.
> Relying on a software controlled thermostat alone seems fragile
In a device that has SO little hardware because the CPU is doing the job of discrete electronic components, this isn't surprising. It's cheaper just to assume nothing will go wrong, etc.
Perhaps for regulations like CE and underwriter labs like UL, and for other such "safety rating" lists, an IOT or "internet download upgradeable" device should demonstrate that it has sufficient safety features in the design to prevent a firmware image from causing things _like_ "halt and catch fire"
"They cost no more than a couple of dollars in one-off quantities (much less in bulk). Obviously the makers didn't think of this."
The software thermal cut off probably cost 10s of $ at most for a one off and then can be replicated for free in every model ever produced. I suspect the makers very much did think about this.
I put a *lot of work* into making my printer be flashable over the internet! Opened it up and ran wires to a Raspi and everything! And those people just get it by default? Unfair, I say!
If someone gets at your printer's control interface you are pretty much fucked regardless. You can't lock that down and still run halfway customizable hardware. Personally I'd much rather have chips be flashable than not. At least that way you actually need to break into my home net and not, say, into some Chinese company's semi-secure cloud.
Wayyy back in the 1980s, there was a computer manufacturer, Digital E---something-something. They sold a very novel thing at the time, a "laser" printer. Not a laser sword, laser scanner or laser CD-player, but a printer.
Turns out the laser printer used a drum and powder combination to print a whole page of text in one go. This was much better than character-at-a-time wheel or dot-matrix units.
This unit used a heated drum to fuse the powder pattern onto ordinary bond paper, thus achieving "printing". Well, as long as the drum and the paper didn't get too close to each other for too long.
Alas, one day, the paper stuck, the drum stuck, the heater behind the drum kept on heating. The said paper began to smo(u)lder, then smoke, then halt and catch fire. Well, it was already halted, but you know what I mean.
We unplugged it. We had to explain, oh, about 200 times how the paper was not ignited by the laser, but by a heater. Ooooh, suuuure.
DEC LN01. Good times^h^h^h^h^hold days.
Pretty much any modern laser printer that uses toner also has a fuser to melt the toner into the paper. Now, normally the hot roller in the fuser assembly is coated with something like teflon to keep the paper and toner from sticking to it, but paper's really freaking abrasive over time, and the teflon wears out. (which is why you'll get repeat defects of a certain size when the fuser's old and needs replacement.)
One thing that I had to do a number of years ago was to crack open a brand new color laser printer, because some chucklehead ran a sheet of printable iron-on transfer paper through the printer, thinking it was for an inkjet.
Narrator voice: It wasn't.
The iron on transfer melted to itself and wrapped around the fuser. I was able to fix it, but still....
Also, laser printers do have a thermal cutout (or should!) for the fuser, although I've never seen one trip.
Getting back on topic: I have a couple 3d printers; both are powered off until I'm ready to use them, and I also don't leave the house while they are running, because fire hazard. (also, cats.)
LOL. Xerox beat DEC to it. We had a printer do exactly that, and were told by Legal not to say 'fire', but 'smoulder' instead.
I'll go you one better. We had printers dump the entire powder reservoir into the cooling fan, dusting our customer’s office with toner. Lovely.
The phrase "Some 3D printers can be flashed with firmware updates downloaded directly from the internet". Is this opposed to having to get the update in the post on a thumb drive? Should it only be available through a gatekeeper like Apple or Google? Or, is the printer connected to the internet and left to download anything it wants?
I'm one of those weirdos that likes to get updates directly from the manufacturer's/author's website. I also don't want anything to download and install an update without my approval. I have old software that I've never updated because it does the job I bought it for and I don't want to purchase a brand new computer that runs on an even more bloated operating system to use it. Some things are the pinnacle of perfection for what they are and updates are usually the company bolting on window dressing to make people spend more money with them. /rant
Articles with Infosec researchers in the title seem to be more and more like click bait. They tend to describe scenarios that would be extremely difficult to accomplish with no explanation of why anyone would try to accomplish them.
I assume a similar attack could change the firmware in my TV so that it could only tune to Fox News.
Would I care? Yes. Would I worry? No.
The dodgy connectors to the driver boards and PS connectors ... they may as well be made of chocolate ... well, some anyway... had to appease Ms 1nky with a fancy CO fire alarm and an all-purpose fire extinguisher (kept away from the printer so you can get to it) after a connection to the board wiggled a bit loose and started "smouldering" ... a properly soldered connection fixed that right up... and I have seen/heard of printers catching fire and damaging homes because of subpar connectors...
Honestly, unless you're doing prints that take more than 10 hours, why would you leave it on and why would you need it connected to the big blue.
There are platforms that can cope with multiple machines on a network and have pretty good security.... Yocto is FOSS...
Also, if you need access to the network to get the compromise to stick, why not just use a Molotov cocktail, way more efficient....
Years ago, in another IT life, I worked on POS equipment (in both senses of the acronym). We had many thermal NCR receipt printers. These printers would last forever and print millions of lines with no trouble. Except... I was called upon to replace one that had caught fire. Either a logic fault or short in the final drive for the printhead caused it to turn on its heating element continually. The printer burned (with visible flames) until someone noticed it and hurriedly unplugged it and put it out. It was rather melted when I came upon it. These printers were on all the time, so probably fortunate the business was open when it malfunctioned.
McInerney suggested that manufacturers should look at signing their firmware.
Did he also suggest that the manufacturer support the device for the lifetime of its (quite possibly corporate) owner? With a hard, financially backed guarantee of design file security and privacy? This is just recommending a 3DPaaS scheme with you providing the electricity, space, replacement parts, and maintenance labor for free, with a nice big helping of post-sale monetization and forced obsolescence on the side. Sweet deal for the vendor, not so much for you.
I specifically avoid anything with signed firmware because I'm far more likely to be screwed over by the vendor than some random hacker (see Netgear, though I've always avoided their tat like the plague). Besides, Marlin does everything I could ever want for 3D printing and then some -- and without an Ethernet connection, you'd have to hack the host it's connected to before anything bad could even possibly happen.
Even with the potential for a firmware hack, how is that significantly different than a thermistor failing or a heater drive FET shorting out? Why not add a 1p thermal fuse on the printhead for protection against all of these failure modes?
Or, try not storing your 3D printer plugged in next to petrol containers if you're worried about this kind of thing.