Another day, another discovery of internet-connected devices open to unauthenticated access. This time it is thousands of exposed 3D printers that require no password for remote access.
And users seem to have gone out of their way to make this security blunder, as OctoPrint, an open-source web interface for 3D printers that many manufacturers embed in the devices, offers numerous secure ways to remotely access a 3D printer without putting it on the public internet for anyone to abuse.
SANS ISC researcher Richard Porter first warned about the exposed OctoPrint 3D web interfaces after receiving a tip, but then SANS ISC researcher Xavier Mertens took it much further by spelling out what could go wrong with the thousands of exposed 3D printers.
Thanks to OctoPrint interfaces, which are accessible without needing authentication, worst-case scenarios involved espionage, such as a remote attacker stealing R&D; overheating the printer to burn down the building; changing the item to be printed to something dangerous like a 3D-printed gun or drone; or even spying on people via the embedded webcam monitoring feature.
Whether it is for espionage or destruction of the 3D printer, everything except for the spying could happen after an attacker finds an unprotected 3D printer, connects to the associated IP, and either downloads or uploads G-code files that tell the printer what to print.
Using Shodan, Mertens found 3,759 OctoPrint instances that required zero authentication. Sadly, the U.S. had 1,585 — the majority of those that were exposed and unprotected — but Germany, France, the U.K., and Canada also had unauthenticated access to 3D printers.
OctoPrint responds with a guide for safe remote access
As Mertens pointed out, OctoPrint provided documentation explaining how to lock down instances. (If only users would heed the advice.) After the hackable 3D printer story gained traction, OctoPrint responded to the security concerns with “a guide to safe remote access of OctoPrint.”
The guest post by Jubaleth states, “While it is possible that a percentage of the instances found are unintentionally exposed, the vast majority is very likely users who have gone out of their way to expose OctoPrint to the public internet for the sake of convenience.”
Putting OctoPrint onto the public internet is a terrible idea, and I really can’t emphasize that enough. Let’s think about this for a moment, or two, or even three. OctoPrint is connected to a printer, complete with motors and heaters. If some hacker somewhere wanted to do some damage, they could. Most printers can have their firmware flashed over USB. So as soon as the box hosting OctoPrint is compromised, there go any fail-safes built into the firmware. All one would have to do, is flash a new, malicious firmware with no safeguards, over USB, and then tell the printer to keep heating, leading to catastrophic failure. Of course, there are other reasons to not have an OctoPrint instance available on the public internet, such as sensitive data theft, but catastrophic failure is by far the worst case scenario here.
From there, the post explains various plugins that are the easiest way to gain remote access without making your 3D printer available for everyone to toy with: Polar Cloud, OctoPrint Anywhere, OctoPrint-DiscordRemote, and Telegram. A VPN or reverse proxy were recommended for advanced access.
Jubaleth added:
All in all, there are many ways one can safely access an OctoPrint instance remotely, that do not involve blindly forwarding ports on your router and putting yourself at risk. Plugins are a fantastic tool that I recommend beginners take advantage of. Putting OctoPrint on the internet is nothing short of dangerous. If you must do this, take advantage of the ACL system built into OctoPrint, and even better, put another form of authentication in front. Even if it seems like extra work to setup a plugin, or a VPN/reverse proxy, it’s worth it. Anything with the potential to burn down your house should be treated with the utmost care. It may seem more convenient to cut corners…but is it really worth it?