It’s always fun when you can mix your personal hobbies and interests with your profession, and often the passion you carry for the things you love can lead to valuable and productive insights for your vocation as well. Let’s hope that theory proves true as this 20-year information security professional, and recent 3D printing enthusiast, considers the potential cybersecurity risks with additive manufacturing.
If I threw you for a second there with my “fancy words,” additive manufacturing (AM) is just the erudite term for 3D printing, a process where a computer-controlled device fuses various types of materials together to create three-dimensional objects from CAD or 3D models. 3D printing technology has revolutionized manufacturing, improving companies’ ability to create rapid prototypes inexpensively and test our engineering ideas. Furthermore, 3D printer evangelists envision a future where every home has one, which would transform the way we consume and recycle products. Finally, 3D printing is just tons of fun.
There are many types of 3D printers; from the common fused deposit modeling (FDM) type that melts spools of plastic filament into new objects, to Stereolithography (SLA) ones that use light to cure special liquids into solids, to the selective laser sintering (SLS) printers that use a laser to melt powdered material into objects layer-by-layer. There are also many different levels of printers, from DIY hobbyist ones that you can get for around $100 to professional production ones that cost in the hundreds of thousands of dollars.
While these individual printers may differ in many ways, they also share many similar attributes that make them vulnerable to cyber-attacks, not the least of which is the fact that they’re computer-controlled. In this article, I’ll talk about four cyber risks the 3D printing industry needs to address before these devices become too engrained into our lives.
All embedded computers can have software vulnerabilities
The one thing all 3D printers share, whether proprietary or open source, is that they are computer-controlled. Those computers run software, which may be prone to development errors that result in security vulnerabilities. Let’s explore a specific example.
As a hobbyist, I have an inexpensive, though relatively popular, DIY FDM printer based on the open source RepRap project. Unlike many 3Dprinters, this one has no network connection (though you can add one, which I’ll talk about later). It’s a simple stand-alone printer that prints things from an SD card. However, even this simple printer was vulnerable to a significant security vulnerability and could hide even more issues.
These simple RepRap printers often use a fantastic open source firmware called Marlin. Just last June, an external researcher found a significant buffer overflow vulnerability in the Marlin firmware. Without going into technical detail, if an attacker can trick a printer owner into loading a malicious 3D printing file (I’ll talk about G-code later), they could exploit this flaw to execute arbitrary code on your printer. Theoretically, attackers could leverage this type of flaw to load a malicious process, or perhaps install some sort of “trojanized” firmware. The good news is no one has tried to weaponize a 3D printer firmware exploit yet.
In short, 3D printers include computers and run software that could be vulnerable to security issues that bad actors can take advantage of. To mitigate this issue, 3D printing vendors need to make secure coding and design a core part of their development process. Printer owners should also consider hardening their devices when possible and consider the security of their production chain.
Networked printers or printer hosts expose flaws to the world
As I mentioned, my cheap hobbyist printer isn’t fancy and doesn’t have any built-in network printing capability, though many others do. However, even cheap printers like mine have add-ons for network capabilities. If you connect a 3D printer—essentially a specialized computer—to a network, you make it an Internet of Things (IoT) device and expose that IoT device’s potential software flaws to the world,
For example, I use another popular 3D printing project called Octoprint, which is an open source, Linux-based project that’s designed to run on a Raspberry Pi. It provides a small and cheap network printing host for your 3D printer. In other words, it stays connected to your printer and offers you remote management of the device; from starting new print jobs to watching and recording a current print from a webcam. It also connects even the simplest 3D printer to a network, thus exposing its potential flaws to the world (especially if configured badly). Remember that print file exploit I mentioned a second ago? If someone had access to your Octoprint setup they could remotely start a print with a malicious file, thus triggering that flaw and executing code on your printer over the network.
Worse yet, sometimes this additional middleware exposes new vulnerabilities of its own. The Octoprint maintainers recently found (and later fixed) a pretty significant flaw in their printer management software. If you exposed the Octoprint web management interface to the Internet, an unauthorized user could bypass the management interface’s access control and gain full admin access to Octoprint, and thus access to your 3D printer.
In short, whatever network access your printer has, whether direct or through a middleware device, becomes more attack surface. That networking feature can expose the printer’s own vulnerabilities to the world, or the additional software used for networking can introduce new flaws as well.
Like before, the ultimate solution for this comes from the 3D printing industry, but individual owners of 3D printers can play a big part in securing their printer just by following network security best practices. Use a firewall and other security controls to protect your printers and print host. Follow the least privilege principle when allowing access to your printer’s network features. Also, if you really want to print over the Internet, at least use VPNs and extra authentication to protect your printer’s communications and to make sure only authorized users have access to management.
Poisoned print files can result in physical damage
To print objects, 3D printers need exact instructions on how to move their print heads in 3D space, or on what each layer of a 3D print looks like. Many 3D printers, especially the open source ones, use something called G-code files to provide those instructions. G-code is essentially a standardized programming language designed to tell computerized manufacturing tools to do something. For instance, it can tell a printer the exact movements its head should make through a 3D cartesian coordinate system, how hot the head should be, how fast the movement motors should spin, etc. It is the file you give to a printer to instruct it how to print whatever thing you want.
The problem is many of these 3D printing file types have no native encryption or integrity checking capability. If a stealthy attacker could get their hands on your print files before you print them, they could easily modify them without you knowing, and those modification could have some nasty repercussions. Most 3D prints have an internal structure that is not visible to the human eye after the print completes. Many projects might include very specific design elements that are crucial for strength and structural integrity of the printed object. A sophisticated actor with access to your G-code or model files could easily modify them in very elusive ways, introducing weaknesses to your design that you don’t notice after the part is printed. These weaknesses may only come to light when you use the part. While this sort of threat isn’t a big deal for a hobbyist printing knick-knacks for their desk, it could be disastrous to a production company using high-end printers to make real industrial parts.
Many researchers have released various papers warning about how adversaries could modify print files to ruin prints. One research group even released a video showing what they call the dr0wned attack. That video show—from beginning to end—how an attacker could infect a victim’s computer, find any 3D printing models on the computer ( in this case one for a drone propeller), and then modify that model shrewdly so that it eventually fails during use.
These same researchers have also proposed ways to “test” models during or after printing in order to check them for malicious modifications. They offer three techniques, from listening to atypical sounds during a print to using a CT scanner to identify problems. However, I believe the solution is much simpler, and further up the production chain. The print and model files we use for 3D printing need to have standardized encryption and, more importantly, integrity checking. The integrity checking alone would help users to recognize when unauthorized users have modified a critical file. Some proprietary 3D printing solutions have started to do this, but I would like to see it trickle down to the more standard and open 3D printing files like G-code and STLs. In the interim, power uses can at least start to do this manually, on their own. You can use normal MD5 and SHA checksum solutions to add integrity checks to your files or encrypt them with 3rd party tools.
3D printers also offer novel benefits to cyber criminals
If you’ve watched the news, you might have heard about one perceived risk in 3D printers already—the ability for bad actors to print potentially dangerous things like guns or gun parts. I won’t delve into that debate since it doesn’t have anything to do with cyber risks. However, the ability to easily create almost any object does have some “cyber” ramifications as well.
For instance, 3D printers have made “carders” lives much easier. A carder is a type of cybercriminal that focuses on credit card fraud. They try to steal the digital information or track data from magnetic stripe credit cards or ATM cards in order to create fake copies. They steal this data in a number of ways, from hijacking point of sale (POS) systems to adding skimmers to ATMs or other public card readers like gas pumps. As early as 2013, criminals started leveraging 3D printers to make more convincing looking skimmers and selling them on the underground. With a 3D printer, it becomes much easier for even a low-resourced criminal to make a device that pops onto an ATM card reader and looks credibly part of the machine. Having access to this technology even helps them refine and minimize their designs, building the skimming electronics into the part itself, thus making a skimmer that doesn’t stand out.
That is just one example, but I suspect cybercriminals will continue to find novel ways to exploit 3D printers for evil. For instance, another maker used a 3D printer to make a hidden hacker toolkit compartment for her shoe.
3D printers can also be part of the solution. Banks and ATM operators can also experiment with them. In fact, one even used 3D printing technology to design an ATM add-on specifically designed to prevent skimmers.
Some pundits recommend some sort of censoring software on printers that restricts their ability to print certain designs, like guns, but I think this is ridiculous and untenable. The benefit of 3D printing technology is specifically its ability to allow anyone to make anything. That shouldn’t limit the majority of society who want to use this technology for the benefit of humanity. We simply need to enforce laws and prosecute those that do print something they use for a crime. The public should stay aware of the way cybercriminals use 3D printers so they can look out for things like well-made skimmers, but I don’t believe limiting the technology is the proper way to manage the risk of printing dangerous items.
Ultimately, most 3D printers are simply special purpose computers, and thus suffer the same potential security risks as any computer. When you add networking, they also become IoT devices, and you expose those flaws to the world. Like any other IoT device, a 3D printer taken over by a hacker becomes a platform they can use to more easily attack your more sensitive computers. Furthermore, 3D printers are highly sensitive assets—especially in production environments. They literally make physical objects that you may need to rely on, which are often based on your most confidential intellectual design. As this technology improves, 3D printers could move from devices that speed up prototyping to a core part of final manufacturing. Before this happens, the industry needs to find a way to address all of these risks without building censorship into 3D printing.”