Approximately 3,800 3D printers featuring an OctoPrint interface were exposed online without the security measure of a password, rendering their webcam feeds and product designs vulnerable.
As ZDNet reports, OctoPrint is a free web interface used by some 3D printer manufacturers to give users remote access to printing stations; the interface offers a variety of features, including “the ability to download and upload 3D models” as well as the ability to view webcam feeds, depending on the printer model.
However, according to two SANS ISC researchers, thousands of printers which have this interface have been left exposed online, “allowing anyone to modify a printer’s settings.” As a result, their 3D product designs could be readily stolen, “potentially revealing private or proprietary information about unreleased products.”
The exposure could also render the printers vulnerable to sabotage, as “a malicious competitor could download a rival’s 3D model”, modify it to make it faulty, and then reupload it to the printer to be printed out.
In addition, the printer’s webcam could be accessed, revealing further “manufacturing secrets.”
“Things like a printer – regardless whether it prints in 2D or 3D – do not belong on the public internet,” commente Gina Häußge, creator and maintainer of the OctoPrint project.
“Sadly a lot of users actively ignore such recommendations,” she added. “We have to educate users, so they don’t take unnecessary risks for the sake of convenience.”
OctoPrint has published its own blog, offering advice on securing printers against unauthorised access, while still allowing authorised users to gain access to the devices remotely. The blog also warned of additional dangers which could arise from unsecured printers, such as damage to the device itself, which could even trigger a fire.
