Sep 5, 2018 | By Thomas

Nearly 3,800 3D printers are being left open without any access control or authentication requirements, according to a blog post by Xavier Mertens and Richard Porter, two security researchers from the SANS Internet Storm Center (ISC).

The exposed 3D printers are running OctoPrint, an open-source web interface for 3D printers that lets you control and monitor your 3D printer and 3D print jobs from virtually any browser on your network. The software has offered makers everywhere an effective way to keep track of their prints, whether or not they are standing in front of their 3D printers. It can read G-code files and show the webcam feed, the printer status, the terminal output, etc. But when no authentication is required, random attackers can also modify a printer's settings.

Attackers can download the unencrypted G-code project files, which tell the printer what to print. "G-code files can be downloaded and lead to potentially trade secret data leak," wrote the researchers. "Indeed, many companies R&D departments are using 3D printers to develop and test some pieces of their future product."

Porter and Mertens also argue that an anonymous person could send a malicious G-code file to the printer and instruct it to print while nobody is around, potentially causing a fire. Other possible abuses include unauthorized access to a 3D printer's webcam, which can affect the remote user's privacy, or using G-code files that have been modified to sabotage the final products or cause a malfunction of the 3D printer.

“By changing the G-code instructions, you will instruct the device to print the object but the altered one won’t have the same physical capabilities and could be a potential danger once used,” they wrote. “Think about 3D-printed guns but also 3D-printed objects used in drones. Drone owners are big fans of self-printed hardware.”
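A defender-side check for the tampering risk described above, as an added example that is not from the ISC post or from OctoPrint: it scans a G-code file for heater targets (the Marlin/RepRap commands M104/M109 for the hotend and M140/M190 for the bed) above a configured ceiling before the file is sent to a printer. The function name `audit_gcode`, the limits and the sample file are assumptions made for illustration.

```python
import re

# Assumed ceilings in degrees Celsius; take real values from your printer's datasheet.
LIMITS = {"hotend": 260.0, "bed": 110.0}
# Marlin/RepRap heater commands: M104/M109 set the hotend, M140/M190 set the bed.
HEATER_FOR = {"M104": "hotend", "M109": "hotend", "M140": "bed", "M190": "bed"}
WORD = re.compile(r"([A-Za-z])\s*(-?\d+(?:\.\d+)?)")

# Constructed sample, not taken from a real print job.
SAMPLE = """\
; constructed sample
M140 S60 ; bed to 60
M104 S210
N5 M109 S310*57 ; numbered line with checksum
G1 X10 Y10 F1500
m190 r150
; M104 S400 is only a comment
"""

def audit_gcode(text, limits=LIMITS):
    """Return (line_no, command, heater, target) for each over-limit heater target."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        code = raw.split(";", 1)[0]           # drop ';' comments
        code = re.sub(r"\(.*?\)", "", code)   # drop inline '(...)' comments
        code = code.split("*", 1)[0]          # drop the '*checksum' suffix
        words = [(letter.upper(), float(value)) for letter, value in WORD.findall(code)]
        if words and words[0][0] == "N":      # skip an optional line number word
            words = words[1:]
        if not words:
            continue
        command = f"{words[0][0]}{int(words[0][1])}"
        heater = HEATER_FOR.get(command)
        if heater is None:
            continue
        # S sets the target; M109/M190 also accept R (wait while heating or cooling).
        for letter, value in words[1:]:
            if letter in ("S", "R") and value > limits[heater]:
                findings.append((line_no, command, heater, value))
    return findings

if __name__ == "__main__":
    for line_no, command, heater, target in audit_gcode(SAMPLE):
        print(f"line {line_no}: {command} sets {heater} to {target} C, above limit")
```

A clean result only means the temperature targets are within the configured ceilings; it does not detect geometry changes that weaken a printed part.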

A Shodan search reveals over 3,700 instances of OctoPrint interfaces are available online, including nearly 1,600 in the United States.

SANS ISC researchers advise users to enable the Access Control feature in OctoPrint. A warning in OctoPrint’s documentation reads: “If you plan to have your OctoPrint instance accessible over the internet, always enable Access Control and ideally don’t make it accessible to everyone over the internet but instead use a VPN or at the very least HTTP basic authentication on a layer above OctoPrint.”

In the wake of the ISC blog post, OctoPrint published a guide to safe remote access of OctoPrint.

“Putting OctoPrint on the internet is nothing short of dangerous. If you must do this, take advantage of the ACL system built into OctoPrint, and even better, put another form of authentication in front. Even if it seems like extra work to setup a plugin, or a VPN/reverse proxy, it’s worth it,” they noted.

“Anything with the potential to burn down your house should be treated with the utmost care. It may seem more convenient to cut corners… but is it really worth it?”

 

 
