Thousands of 3D Printers Exposed to Attacks

Security researchers warn that there are almost 4,000 3D printers whose web-based management interfaces are exposed to the internet without authentication.

The management interfaces allow attackers to download G-code project files, which define the 3D objects that printers are instructed to create. These files are in plain text and can reveal trade secrets.

For example, R&D departments in many companies use 3D printers to develop and test prototypes for future products, said independent security consultant and SANS ISC handler Xavier Mertens in a blog post.

Furthermore, since there’s no authentication, attackers can also upload their own G-code files and force printers to consume resources or, worse, to break down. 3D printing is a very intensive operation that’s typically closely monitored because devices can reach temperatures of 200 degrees Celcius (392 Fahrenheit).

Attackers also could download G-code files, modify them and then re-upload them to introduce flaws and sabotage the final products.

“By changing the G-code instructions, you will instruct the device to print the object but the altered one won’t have the same physical capabilities and could be a potential danger once used,” Mertens said. “Think about 3D-printed guns but also 3D-printed objects used in drones. Drone owners are big fans of self-printed hardware.”

The exposed printers are using an open source web-based management interface called OctoPrint, which also allows the monitoring of printers through webcams. This poses a further privacy risk if the interface is not secured because attackers can get precise information about when and how the printer is used.

OctoPrint supports access control, but even when enabled, users who are not logged in can still access a lot of information They can read G-code files, view the webcam feed, see the printer status and the terminal output, and more.

A warning in OctoPrint’s documentation reads: “If you plan to have your OctoPrint instance accessible over the internet, always enable Access Control and ideally don’t make it accessible to everyone over the internet but instead use a VPN or at the very least HTTP basic authentication on a layer above OctoPrint. A physical device that includes heaters and stepper motors really should not be publicly reachable by everyone with an internet connection, even with access control enabled.”

Almost 400K Websites Expose Sensitive Data Through Git

A lot of companies and developers use the Git version control system to deploy their web applications but forget to secure access to the directory that contains the source code repository.

Vladimír Smitka, a security researcher with Czech company Lynt Services, recently ran a scan of 230 million domains and tested if their web servers allowed unrestricted access to the .git folder.

This is a folder created when deploying websites with the Git tool and contains code and configuration data. Exposing these files is dangerous because even though it’s a security risk, developers often leave API keys, passwords and other sensitive settings in their files.

Smitka’s scans uncovered 390,000 websites with the open .git directory, the majority of them using PHP as a programming language. Of these, a large number were WordPress websites that were running outdated versions of the popular CMS.

“If you use git to deploy your site, you shouldn’t leave the .git folder in a publicly accessible part of the site,” Smitka said in a blog post. “If you already have it there for some reason, you need to ensure that access to the .git folder is blocked from the outside world.”

The researcher attempted to contact the owners of the affected domains after extracting email addresses from the sites’ Git HEAD files. He set up a web page with information on how to block access to all files and directories that start with a dot on a web server. These files should generally be hidden and protected, except for those in the .well-known directory, which have some well-documented uses.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin