Thousands Of 3D Printers and Files Exposed Online

FrgMstr

The SANS Internet Storm Center (and me 10 months ago, pictured below) reports that over 3,759 OctoPrint 3D printers (OctoPrint is an open source web-based host for RepRap printers) are available online, with unauthenticated access granted to any aspiring saboteurs and those dabbling in the arts of espionage. Espionage, you say? Of course. But how and why, good sir?


Well, in the case of OctoPrint it's as simple as enumerating unauthenticated instances of OctoPrint via Shodan and, well... just going to the indicated IP. It's that easy. Once access to the console has been obtained you have near full control of the printer on the other end. Want to download the G-code used to print the object and be able to reproduce it yourself? Done. Want to adjust the parameters of the printer during a print job to "modify" the printed object? Easy peasy. Want to destroy the printer on the other end? Who cares about thermals.

The bigger picture is this. Defense and aerospace companies across planet Earth use 3D printers to prototype virtually everything produced. It's how those companies test concepts to determine whether they will work or not in real-world scenarios. Antennas, radomes, weapon systems, airframes, armor, casings, turbines, engines, vehicle modeling, etc., etc.
Virtually everything that hits a 3D Printer, gets tested, then revised, then hits a 3D Printer again. In some instances, the 3D Printer actually manufactures the product itself.

This data is extremely valuable... and guess what? It's all X and Y coordinates with Z thrown in to define a layer change. Easy data to rebuild into a usable part. Easy data to exfiltrate. Easy data to sell. Thanks to our in-house HardOCP security professional, who just happens to dabble a bit in the world of 3D printing, schtask, for this very informed post.
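The post above describes what an outsider sees when an OctoPrint host has no access control in front of its API. The following is an added self-check for your own printer host, written for this thread; it is not code from the post, from the SANS ISC diary, or from the OctoPrint project. It sends requests with no API key to a few OctoPrint REST paths and reports whether they answer with data. The base URL, the three paths probed (/api/version, /api/files, /api/settings), and the rule "any 2xx with no key means exposed" are my assumptions, not something the thread states; it deliberately probes the API rather than the front page, because a web UI can render its HTML shell without that meaning the data behind it is open.

```python
"""Check whether an OctoPrint instance answers its REST API without an API key.

Added example for this thread. It is not code from the post, from the
SANS ISC diary or from the OctoPrint project, and it is meant to be run
against your own printer host. Assumptions (not from the thread): the
base URL, the three API paths probed, and the rule that any 2xx reply
with no key supplied counts as "exposed".
"""
import json
import sys
import urllib.error
import urllib.request

PROBES = ("/api/version", "/api/files", "/api/settings")


def fetch_status(url, opener=urllib.request.urlopen):
    """Return (http_status, body_text). HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "octoprint-exposure-check"})
    try:
        with opener(req, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status):
    """Map an HTTP status to a verdict for a request that carried no API key."""
    if 200 <= status < 300:
        return "exposed"          # API served data to an anonymous caller
    if status in (401, 403):
        return "denied"           # access control is doing its job
    return "other"                # redirect, proxy error, etc.: look manually


def check_instance(base_url, opener=urllib.request.urlopen):
    """Probe each path in PROBES; returns {path: (status, verdict, detail)}."""
    results = {}
    for path in PROBES:
        status, body = fetch_status(base_url.rstrip("/") + path, opener)
        verdict, detail = classify(status), ""
        if verdict == "exposed" and path == "/api/files":
            # The file list is the interesting leak: names of uploaded G-code.
            try:
                detail = f"{len(json.loads(body).get('files', []))} file entries readable"
            except (ValueError, AttributeError):
                detail = "non-JSON body"
        results[path] = (status, verdict, detail)
    return results


def is_exposed(results):
    """True if any probed endpoint answered an anonymous request with 2xx."""
    return any(verdict == "exposed" for _, verdict, _ in results.values())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:5000"
    try:
        report = check_instance(target)
    except urllib.error.URLError as exc:
        sys.exit(f"{target}: unreachable ({exc.reason})")
    for path, (status, verdict, detail) in report.items():
        print(f"{path:<14} {status}  {verdict}  {detail}")
    print("EXPOSED" if is_exposed(report) else "OK: API refuses anonymous requests")
```

Run it as `python3 check.py http://printer.lan:5000` from inside the LAN first, then from outside (or against your public IP) to see what the Internet sees; a "denied" on every line from outside is what you want, and an "exposed" on /api/files means the uploaded G-code list is readable by anyone who finds the host.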
 
LOL. I have a 3D printer. But like the Battlestar Galactica, its host computer isn't networked. When I have a new .stl file to print, I take it over to it and copy the file via USB key or compact flash drive. These people are idiots.
I agree; not everyone is as informed, educated or intelligent as yourself.
I also think that during equipment initialization, all device (or IoT thingamabobs, or connected software) logins and passwords need to be changed from the default at setup time. And this should be mandatory, and required for setup, on any device that connects to the web. Be it thermostat, software, wifi router or sexy toy.
 
I have two networked 3D printers, it is just a few steps to make them secure, unfortunately OctoPrint is not secure by default. Also you can prevent snooping at your firewall. You do have a firewall don't you?
 
Never allowed mine to be connected to outside networks either. Had enough equipment to create a firewalled internal LAN with no external access. I remember when most manufacturers included Ethernet and even WiFi and promoted their internet accessibility options. I thought to myself, how cute, yeah that's never getting enabled with mine. Read years ago how there are some STL files out there that can actually damage the printers. Know enough about G-code and your target machine and it's not that hard actually.
 
Damn, who leaves authentication at default?
I have 4 OctoPrint servers running, and they're all locked down.
 
I'd guess the people that don't know much about computers. Or don't care / assume anonymity is security ("who would find my box").

I have a few and I lock them down. Even the camera feed is available only over the local network. I have a Python script that snaps a picture and sends me it via an email attachment.
 
If you don't secure your network, don't act surprised when folks outside the building access your stuff. The same organizations that leave printers open to the Internet at large are probably having stuff copied off servers as well. If your firewall doesn't have the default rule of <src ip = any> <dest ip = any> <action = deny>, you are doing it wrong. This applies to traffic in either direction.
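An added example of the default-deny stance this reply calls for, written for this thread and not taken from the post or from OctoPrint's documentation. It assumes nftables on the Raspberry Pi that hosts OctoPrint, a LAN of 192.168.1.0/24, OctoPrint listening on TCP 5000 (the port it uses when run directly; OctoPi puts haproxy on 80 in front of it) and SSH on 22; every one of those values is an assumption to replace with your own. Input, forward and output chains all end in `policy drop`, so anything not explicitly listed, in either direction, is dropped.

```nft
#!/usr/sbin/nft -f
# Added example for this thread (not from the post or from OctoPrint).
# Assumptions: nftables on the OctoPrint host, LAN 192.168.1.0/24,
# OctoPrint on TCP 5000, SSH on TCP 22. Adjust to your network.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny inbound
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Only the LAN may reach SSH and OctoPrint; a router port-forward
        # from the Internet arrives with a non-LAN source and is dropped.
        ip saddr 192.168.1.0/24 tcp dport { 22, 5000 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;  # the Pi is not a router
    }

    chain output {
        type filter hook output priority 0; policy drop;   # default deny outbound too
        oif "lo" accept
        ct state established,related accept
        ip daddr 192.168.1.0/24 accept                     # LAN-only services (camera, NAS)
        udp dport { 53, 123 } accept                       # DNS and NTP
        tcp dport { 80, 443 } accept                       # package updates; remove if you update offline
    }
}
```

Load it with `nft -f /etc/nftables.conf` and check with `nft list ruleset`; then, as the poster suggests, verify from outside the LAN that port 5000 no longer answers. The outbound chain is what stops a compromised plugin or host from phoning home to anything other than the handful of destinations listed.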
 
And...this is why I have my homeassistant instance isolated from the internet. (In fact, it's not networked at the moment)

So, how long before a botnet spreads that just prints dildos on all the unsecured 3d printers?
 
Dickbutt dildos
 
I have OctoPrint port forwarded on http; it has 2 real issues: one, you can reach and navigate a read-only interface with no authentication or authorization; two, the interface and its huge library of plugins is likely not very hardened to whatever malicious hacks are available, i.e. code injection, redirection, poor user/session token handling, and the myriad of other attacks that are in a modern toolbox. This is problematic as it's maintained by one person and the plugins have no real oversight as long as they are not crashing the server and causing user complaints.

I'm using a Raspberry Pi version of OctoPrint so it limits some of my attack surface, but it would take a swat-style dbag to try to burn you down or, worse yet, corrupt your 80 hour infinity gauntlet print.

Large scale hacking collectives and nation states would likely most prefer to stay undetected for ddns attacks and to mine crypto. Hacking my sensitive low poly Pikachu gcode just isn't gonna move the black hat needle.
 
This is true for most consumer grade printers for sure. Not true at all for commercial grade. Most service bureaus don't print giant dildos and infinity gauntlets. They print aerospace, automotive, gas and oil, infrastructure, robotics, and DoD related stuff. Defense companies do the same. DARPA does as well. How valuable do you think those models are? Extremely. There is a reason why Russian and Chinese military aircraft and equipment looks strikingly like our own.

And while commercial 3D printers don't use OctoPrint... they are just as vulnerable. Win XP is probably the most used operating system to this day for commercial grade printers. Hell, the SLA 250 is still in service and it uses DOS. Some standard print functions use .bat files to operate. Not to mention the fact that in some cases the X / Y data being sent from the slicer to the printer is in clear text. Use Z as a delimiter to define start / stop and BAM! Reconstructing a part is as easy as a Python script.
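Both the first post ("It's all X and Y coordinates with Z thrown in to define a layer change") and the reply above ("Use Z as a delimiter ... as easy as a Python script") make the same claim: once you hold the G-code, the geometry falls out with almost no work. The following is an added example of exactly that, written for this thread; it is not code from either post, from OctoPrint, or from any slicer. It parses absolute-mode G0/G1 moves, treats a move whose E value increases as extrusion, and groups extruding segments by their Z value, which is the layer. The sample G-code is constructed by me (a two-layer 10 mm square), and the function names are mine. It also flags the cases that would make the reconstruction incomplete (relative positioning, arc moves, relative extrusion) instead of silently producing a wrong part, which is the caveat a practitioner would want before trusting the output.

```python
"""Recover per-layer XY geometry from a G-code toolpath.

Added example for this thread; it is not code from the posts, from
OctoPrint, or from any slicer. Absolute-mode G-code is a stream of
X/Y moves with Z marking the layer, so extruding segments can be
regrouped into layers directly.
"""
import re
from collections import defaultdict

# Constructed input (not a real print file): a two-layer 10 mm square.
SAMPLE_GCODE = """\
; constructed sample
G21 ; millimetres
G90 ; absolute positioning
G28 ; home all axes
G92 E0
G1 Z0.2 F300
G1 X10 Y10 F1500          ; travel, no E -> not recorded
G1 X20 Y10 E0.5
G1 X20 Y20 E1.0
G1 X10 Y20 E1.5
G1 X10 Y10 E2.0
G92 E0                    ; extruder reset must not break extrusion detection
G1 Z0.4
G1 X20 Y10 E0.5
G1 X20 Y20 E1.0
G1 X10 Y20 E1.5
G1 X10 Y10 E2.0
M104 S0
"""

_WORD = re.compile(r"([A-Za-z])([-+]?\d*\.?\d+)")
_PAREN_COMMENT = re.compile(r"\(.*?\)")


def parse_line(line):
    """Return (command, {letter: value}) for one line, or None for blank/comment."""
    line = _PAREN_COMMENT.sub("", line.split(";", 1)[0]).strip()
    words = _WORD.findall(line)
    if not words:
        return None
    letter, num = words[0]
    cmd = f"{letter.upper()}{int(float(num))}"   # normalise G01 -> G1
    args = {l.upper(): float(v) for l, v in words[1:]}
    return cmd, args


def extract_layers(gcode):
    """Group extruding G0/G1 segments by Z.

    Returns ({z: [((x0, y0), (x1, y1)), ...]}, unsupported). 'unsupported'
    holds commands this parser does not model (G91 relative moves, G2/G3
    arcs, M83 relative extrusion); if it is non-empty the layer picture
    is incomplete and must not be trusted as a full part.
    """
    x = y = z = e = 0.0
    absolute = True
    layers = defaultdict(list)
    unsupported = set()
    for raw in gcode.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        cmd, args = parsed
        if cmd == "G90":
            absolute = True
        elif cmd == "G91":
            absolute = False
            unsupported.add("G91")
        elif cmd in ("G2", "G3", "M83"):
            unsupported.add(cmd)
        elif cmd == "G92":
            # Position/extruder reset: adopt the new values without moving.
            x, y, z, e = (args.get(k, cur) for k, cur in
                          (("X", x), ("Y", y), ("Z", z), ("E", e)))
        elif cmd in ("G0", "G1") and absolute:
            nx, ny, nz = args.get("X", x), args.get("Y", y), args.get("Z", z)
            ne = args.get("E", e)
            if ne > e and (nx, ny) != (x, y):        # filament pushed while XY moved
                layers[nz].append(((x, y), (nx, ny)))
            x, y, z, e = nx, ny, nz, ne
    return dict(layers), unsupported


def bounding_box(segments):
    """(min_x, min_y, max_x, max_y) over one layer's segments."""
    xs = [p[0] for seg in segments for p in seg]
    ys = [p[1] for seg in segments for p in seg]
    return min(xs), min(ys), max(xs), max(ys)


def layer_summary(gcode):
    """[(z, segment_count, bounding_box), ...] ordered bottom to top."""
    layers, _ = extract_layers(gcode)
    return [(z, len(segs), bounding_box(segs)) for z, segs in sorted(layers.items())]


if __name__ == "__main__":
    for z, n, box in layer_summary(SAMPLE_GCODE):
        print(f"Z={z:.2f}: {n} extruding segments, bbox={box}")
```

Each layer's segment list is a set of polylines in the XY plane at a known Z; stacking them is the part, and writing them out as per-layer polygons or a point cloud for a CAD tool is a few more lines. The point of the example is the one both posts make: nothing here needs the STL, the slicer, or any key, only the G-code that an open OctoPrint instance hands out.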
 