Access misconfiguration opens 3D printers to remote attacks
Spurred by a report coming from a regular reader, SANS ISC handlers Richard Porter and Xavier Mertens searched for OctoPrint interfaces for 3D printers exposed online and found over 3,700 that are accessible without authentication.
The danger of publicly accessible 3D printer interfaces
OctoPrint is a free and open source web interface. The project is headed by programmer Gina Häußge and is boosted by a number of supporting projects, add-ons and plugins.
The software is compatible with most consumer 3D printers and users can use it to control and monitor every aspect of their 3D printer and their printing jobs from within their browser. But, without the need of authentication, it means that random attackers can do the same.
They can make the printer print unneeded objects and potentially cause fires, as some 3D printers don’t switch off when they overheat. They can download the unencrypted G-code files that tell the printer what to print, change some instructions and print altered objects.
“G-code files can be downloaded and lead to potentially trade secret data leak. Indeed, many companies R&D departments are using 3D printers to develop and test some pieces of their future product,” Mertens added.
How to eliminate the danger
The fact that so many of these interfaces can be found exposed online is not due to a vulnerability but misconfiguration.
When creating an OctoPrint instance and planning to have it accessible over the Internet, they are urged to always enable Access Control.
“If Access Control is disabled, everything is directly accessible. That also includes all administrative functionality as well as full control over the printer!” OctoPrint devs warn.
In the wake of the ISC blog post, the devs published a comprehensive guide to safe remote access of Octoprint and warned users against using blind port forwarding.
“Putting OctoPrint on the internet is nothing short of dangerous. If you must do this, take advantage of the ACL system built into OctoPrint, and even better, put another form of authentication in front. Even if it seems like extra work to setup a plugin, or a VPN/reverse proxy, it’s worth it,” they noted.
“Anything with the potential to burn down your house should be treated with the utmost care. It may seem more convenient to cut corners… but is it really worth it?”