You’ve installed an exciting
new 3D printer in the office and decide you want to access it remotely because – heck – that sounds convenient… now what do you do? According to
an alert put out by the SANS Internet Storm Center (ISC), for 3,759 owners using an open-source monitoring utility called
OctoPrint, the answer was to hook up their expensive 3D printer to the internet without bothering with the nuisance of authentication.
This is a bad idea because it’s trivially easy for someone with malicious intentions to spot the unsecured printer using Shodan (a search engine for internet-connected devices). In fact, the ISC was tipped off about the issue by someone who’d done just that. The great thing about OctoPrint is how easy it makes it for an owner to control their complex 3D printer, but that applies to any other internet user connecting to it when access control is turned off. In this state a hacker could steal valuable IP by downloading previous print job files in the unencrypted G-code format or, worse, try to damage the printer by uploading specially-crafted print files. Because most 3D printers have a built-in webcam for print monitoring, they could even watch their malicious print handiwork from afar.
The Shodan trawl showed that the worst offenders were in the US, which accounted for 1,585 printers, ahead of Germany on 357, France on 303, the UK on 211, and Canada on 162. This only covers OctoPrint, of course, which raises the possibility that owners using other 3D printer monitoring software might be making the same mistake.
