Thousands of unsecured 3D printers discovered online

You’ve installed an exciting new 3D printer in the office and decide you want to access it remotely because – heck – that sounds convenient… now what do you do?

According to an alert put out by the SANS Internet Storm Center (ISC), for 3,759 owners using an open-source monitoring utility called OctoPrint, the answer was to hook up their expensive 3D printer to the internet without bothering with the nuisance of authentication.

This is a bad idea because it’s trivially easy for someone with malicious intentions to spot the unsecured printer using Shodan (a search engine for internet-connected devices). In fact, the ISC was tipped off about the issue by someone who’d done just that.

The great thing about OctoPrint is how easy it makes it for an owner to control their complex 3D printer, but that applies to any other internet user connecting to it when access control is turned off.

In this state a hacker could steal valuable IP by downloading previous print job files in the unencrypted G-code format or, worse, try to damage the printer by uploading specially-crafted print files. Because most 3D printers have a built-in webcam for print monitoring, they could even watch their malicious print handiwork from afar.

A blog response by OctoPrint’s developers to the ISC warning was incredulous:

OctoPrint is connected to a printer, complete with motors and heaters. If some hacker somewhere wanted to do some damage, they could.

Open access could even be used to compromise the firmware, it said, but “catastrophic failure” was the main risk.

The Shodan trawl showed that the worst offenders were in the US, which accounted for 1,585 printers, ahead of Germany on 357, France on 303, the UK on 211, and Canada on 162.

This only covers OctoPrint, of course, which raises the possibility that owners using other 3D printer monitoring software might be making the same mistake.

What to do?

This is a problem caused by bad configuration and not the OctoPrint software, which clearly warns against enabling access without access control. Any owner exposing their printer to the internet without this must have chosen to do so.

However, even with this turned on anyone will be able to view read-only data, which is not something an owner is likely to want to allow. To avoid this, OctoPrint’s developers recommend that users consider an alternative means of remote access – such as via a plug-in like OctoPrint Anywhere or Polar Cloud, a VPN, or an Apache or Nginx reverse proxy.