I’m reading an interesting piece by David Gerwitz at ZDNet, who talks about 3D printers being vulnerable IoT devices.
The idea is that an increasing proportion of desktop 3D printers have network connectivity, one way or another. These networking interfaces were designed to provide several useful productivity features, including:
- Ability to monitor and control a 3D printer remotely
- Perform diagnostics on the equipment
- Upgrade firmware via network
- Drive the print job directly
- Supply 3D models from online 3D repositories
- And more
So you can see it’s quite a useful feature to have.
But the price for this is that the device, depending on how it’s networked, can have its own IP address exposed to the world. That exposed IP address is how you can view the print’s progress via webcam on your smartphone while attending the football game.
And your 3D printer joins a worldwide collection of “things” that have exposed IP addresses, like security cameras, appliances, thermostats and much, much more. Even TV monitors have exposed IP addresses.
The bad guys on the internets have realized this is an opportunity and have developed software that takes advantage of this exposed computing power. Gerwitz explains:
Many 3D printers use Arduino-level single board computers, which can generally only run one program at a time. Other printers, like the Ultimaker 3, have full general purpose computers inside. The Ultimaker 3 has an A20 LIME2 Linux board inside, which is an open source hardware design.
As a result, it's entirely possible that a 3D printer you bring inside a firewall is not just potentially vulnerable to a hack, but may well provide all the power and capability of a Linux environment, running unchecked, within your assumed-to-be-secure perimeter defenses.
Thus it is possible in the right circumstances that your desktop 3D printer might be compromised by hackers through an unprotected network connection.
But what does this mean? Should we be afraid a hacker might start a print on your equipment?
I think that’s a very low risk, as setting up a machine to print often requires physical intervention, although it would be more possible to cancel an ongoing print in an act of 3D vandalism.
No, what I fear would be most likely is that the CPU in your idle 3D printer (and many such machines sit idle for hours), would become part of a large BotNet. A small piece of malware installed on the machine could, for example, be used to assist in a DDOS attack or an email spam campaign.
It would be insidious: the machine simply sits there, apparently doing nothing, but meanwhile it’s mashing the corporate website for a BotNet client organization.
These machines could be similar to the unmaintained Windows PCs operated by your elderly relatives. The ones that are often used in a similar manner.
The problem here is that you cannot install anti-malware software on your 3D printer, because the systems are often “closed” and depend on the manufacturer to update it properly.
But will they? I think not. The notion of securing your 3D printer as an IoT device is not something I’ve heard ANY vendor speak of, at least not yet.
Nevertheless, it is likely increasingly important that such features be designed into future 3D printer options by the manufacturers.