Is Your OctoPrint Safe?
A fascinating article at OctoPrint.org shows the right - and wrong - ways to use OctoPrint remotely.
If you’re a desktop 3D printer operator and not familiar with OctoPrint, you should be. It’s an incredibly powerful open source tool to provide intelligent management of your otherwise “dumb” desktop 3D printer.
Most desktop systems are equipped with a USB stick / SD card interface to load prints, and a USB connection to control the machine from a PC because there are not enough smarts in the machine itself to do very much.
That USB connection is leveraged by OctoPrint, which runs on a separate computer outside the printer. Normally this is a small set-top box, like a Raspberry Pi or similar, and it effectively adds considerable brainpower to your machine. You’ll be able to connect to it by WiFi and manage it without having to be physically present at the machine. With a webcam installed, you can even watch the machine operate from afar.
Those features are typically only present on higher-priced 3D printers, but can be made to work on almost any desktop 3D printer when you install OctoPrint. And it gets better, as OctoPrint has a plug-in system where other developers can create new functionality for the system. There are some terrific plug-ins, such as a way to manage your filament spools, for example.
But one of the most important uses of OctoPrint is remote management. 3D prints typically take a long time and almost no one sits beside their printer waiting for it to fail on multi-hour prints. No, you do other things. But you still must remain within reach of the 3D printer to stop it if something goes wrong, which happens all too often on most machines.
OctoPrint can also be set up to work through the Internet, so you can manage the machine remotely. You can observe the print through the webcam and decide whether to abort it if you see something amiss. This could save on wasted material, or even prevent damage to the machine.
The attraction of those benefits causes many OctoPrint users to light up their installation on the Internet.
But there are right and wrong ways to do so.
In a brilliant article on OctoPrint.org, contributor Jubaleth describes how many OctoPrint installations are exposed to anyone on the public Internet because they were connected improperly. Typically an uninformed operator might simply forward the OctoPrint ports through their network router to the public Internet. This could be a very significant problem, as Jubaleth explains:
"Putting OctoPrint onto the public internet is a terrible idea, and I really can’t emphasize that enough. Let’s think about this for a moment, or two, or even three. OctoPrint is connected to a printer, complete with motors and heaters. If some hacker somewhere wanted to do some damage, they could. Most printers can have their firmware flashed over USB. So as soon as the box hosting OctoPrint is compromised, there go any failsafes built into the firmware.
All one would have to do is flash a new, malicious firmware with no safeguards, over USB, and then tell the printer to keep heating, leading to catastrophic failure. Of course there are other reasons to not have an OctoPrint instance available on the public internet, such as sensitive data theft, but catastrophic failure is by far the worst case scenario here."
Jubaleth then describes several methods of properly connecting OctoPrint to the Internet, which include connecting to several different secure cloud environments, or to securable command line systems such as Telegram. These are all relatively easy to implement on OctoPrint as they are, guess what, plug-ins.
There are also more advanced networking methods, such as VPN, but they require a deeper understanding of network configurations and might not be suitable for all operators.
But regardless of your skill level, you should implement one of Jubaleth’s approaches, as otherwise you could be putting your 3D printer’s environment at great risk.