3D printers being left open to the web

SANS researcher warns that 3D printers can easily be accessed by unauthorised users

Tags: 3D printing, SANS Institute (www.sans.org)
3D printers could be hijacked to burn out or create flawed components.
By Mark Sutton, published September 5, 2018

Many 3D printers are being left open to the internet, creating a possible security risk.

According to a blog post by Xavier Mertens, a senior handler for the SANS Internet Storm Center (ISC) and a freelance cyber security consultant, a large number of print interfaces for 3D printers are web-facing but are being left open without any access control.

Mertens said that a simple search showed 3,700 instances of the popular OctoPrint 3D printing web interface exposed without access control or authentication requirements. OctoPrint controls all aspects of monitoring and output of a 3D printer.

The owners of these 3D printers could face bad consequences, Mertens added. One of the most common file formats for 3D objects is G-code, which is not encrypted. Mertens said this could mean a hacker with access to an unsecured 3D printer could easily download and 'steal' the IP contained in a G-code file. This is particularly important considering that many 3D printers are used to create prototype devices by R&D departments.

Other possible abuses of G-code files include unauthorized uploading of malicious files that have been designed to push a 3D printer past its safe temperature limits, or using G-code files that have been amended to create deliberately flawed 3D parts with the aim of causing a malfunction of the device. With 3D printed parts increasingly used in the workplace and in uses like drones, the potential for malfunction

Mertens points out that access control is available in OctoPrint, but is commonly switched off, adding that 3D printer owners need to be more careful with their devices.
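For the temperature-limit abuse described above, a printer owner can audit a G-code file before it is printed. The following is an added example, not code from the article, Mertens or OctoPrint; it assumes Marlin/RepRap-style heater commands (M104/M109 for the hotend, M140/M190 for the bed), and the limits and sample job are constructed for illustration.

```python
import re

# Assumed limits in degrees C for illustration; use the values from your printer's documentation.
LIMITS = {"hotend": 260.0, "bed": 110.0}
# Marlin/RepRap-style heater commands: M104/M109 set the hotend, M140/M190 set the bed.
HEATER_CMDS = {"M104": "hotend", "M109": "hotend", "M140": "bed", "M190": "bed"}
WORD = re.compile(r"([A-Za-z])\s*([-+]?\d*\.?\d+)")

# Constructed sample job, not taken from a real printer.
SAMPLE = """\
; constructed sample, not from a real print job
M140 S60 ; bed within limit
M104 S210
N12 M109 S285*57
G1 X10 Y20 E0.5 F1500
; M104 S999 is only a comment
m190 r120
M104 S0
"""


def strip_comments(line):
    """Remove ';' end-of-line comments and '( ... )' inline comments."""
    return re.sub(r"\([^)]*\)", "", line.split(";", 1)[0])


def audit_gcode(text, limits=LIMITS):
    """Return (line_no, command, heater, temp) for each setpoint above its limit."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = strip_comments(raw).split("*", 1)[0]  # drop a trailing checksum
        words = [(letter.upper(), float(num)) for letter, num in WORD.findall(line)]
        if words and words[0][0] == "N":  # optional line-number word
            words = words[1:]
        if not words or words[0][0] != "M":
            continue
        cmd = "M%d" % int(words[0][1])
        heater = HEATER_CMDS.get(cmd)
        if heater is None:
            continue
        # S is the target temperature; R is the wait-for-target form of M109/M190.
        for letter, value in words[1:]:
            if letter in ("S", "R") and value > limits[heater]:
                findings.append((line_no, cmd, heater, value))
    return findings


if __name__ == "__main__":
    for finding in audit_gcode(SAMPLE):
        print("line %d: %s sets %s to %.0f C, above the configured limit" % finding)
```

A check like this complements, and does not replace, switching on OctoPrint's access control and the thermal protection in the printer's own firmware.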
