Nov.30, 2013

Nowadays more and more people connect their 3D-printers to the internet, and many open-source and commercial projects tried to make 3D-printers more cloud friendly. But has anyone thought about network security? How easy would it be for someone to find a hole in those cloud-based solutions and connect to those boxes (e.g. Raspberry Pi running OctoPrint) to control your printers?

Florian Horsch, a long time maker and his colleagues at the highly-specialized IT-security company ERNW looked into the security of cloud-based solutions like OctoPrint. Florian's idea was to improve the overall security and to warn users about the potential of misuse. Here is what he wrote:

I asked my colleague Niklaus Schiess to look closer at the most popular project, called OctoPrint. The idea was to find some public-facing instances running in the Internet and see how far we can go from there. A day later he wrote back going into detail how port scans could do the job. Well, that's boring. More interestingly he mentioned that there's a quite elegant way to do it via Google hacking!

Gina Häußge, the inventor and main developer of OctoPrint, included the GitHub commit ID as a reference to troubleshoot problems of users more easily. Because plenty of newcomers are just happy to get it running on their machines they don't bother too much about enabling the access controls. What happens in the end: Unprotected and easily findable OctoPrint instances in the wild! Ouch

By collecting those publicly available commit version strings and searching for them with an intext command on Google you could find several instances.

Images credit: Florian Horsch

Funnily enough Niklaus didn't find just some random OctoPrint server running, but one of a 3D-printer fanatic I know personally from the community. With just one web search and the click of a button we were looking into my friend's living room.

By adding the Pi camera (or any other webcam) onto your Raspberry board you can get a live stream via OctoPrint to monitor your print. Even cooler: You can automatically create time-lapse videos of the printing process.

Besides that you can control everything you could do on the printer itself: Move axes, start and stop prints, run customs machine codes (e.g. manipulating the behavior of the firmware) and also setting the temperature of the print head.

Controlling the temperature of the print head isn't a feature you want to have publicly accessible! In case your 3D-printer vendor didn't set maximum temperature limits correctly, an unscrupulous attacker could dial in a temperature, which is higher than the melting point of Teflon (which is commonly used within print heads to prevent cold plastic to get sticky in the inside). Starting from just 300 °C (bear in mind that some common 3D-printing filaments are printed at up to 260 °C) toxic polymer fumes are emitted. Their effects (also known as Teflon flu) can lead to serious lung injuries within seconds.

Luckily enough Gina acted quickly and enforced access controls on all new versions of OctoPrint. Additionally she did some changes on the default robots.txt (to prevent indexing through Google), as well as preventing novice users to run OctoPrint as root user. But it's also recommended to use additional measures to further protect your printer from being accessed by unauthorized users. For example with the help of a proper .htaccess configuration and restrictive firewall settings on your home router. If this is above a 3D-printing beginners skill set, we should really ask ourselves (once again): Does every new gadget really need an Internet connection?

 

Posted in 3D Software

 

 

Maybe you also like:


 




Leave a comment:

Your Name:

 


Subscribe us to

3ders.org Feeds 3ders.org twitter 3ders.org facebook   

About 3Ders.org

3Ders.org provides the latest news about 3D printing technology and 3D printers. We are now six years old and have around 1.5 million unique visitors per month.

News Archive