Building

3D-Printers in the Cloud

Dear readers,

with the rise of low-cost 3D-printers in the homes of thousands [1] of enthusiastic tinkerers the word spreads about these magical machines which can produce any mechanical, artsy, useful or useless parts you might come up with. Standing in living rooms worldwide, they don’t seem like a big threat [2] to anybody. But what happens if you connect them to the Internet?

3D-Printers at the TROOPERS12 & TROOPERS13 IT-Security Conference.

What’s it about? 3D-Printing in a Nutshell.

Some use cases: The handle of your fridge broke? Print a new one! You’ve missed the birthday of your girlfriend? Print a last-minute present as unique as it can get. All those smartphone holders don’t match your car model? Design your own one which carries your favourite sandwich, a coke can and your smartphone – all in one. Use the fancy glowbug plastic filament and make it even shine in the night!

Having a printer myself for more than three years now I can put myself in the “believers corner” right away. I think that 3D-printing will change the way we interact with objects. The predicted third industrial revolution [3] could change the hierarchy of consumers in a world of mass production. I’LL STOP IT RIGHT HERE! Before I get too philosophical, let’s hope that we can agree on this: Having your very own 3D-printer is pretty cool!

3D-Printers in the Cloud

But how about owning (or should I say pwning? ;-)) the printer of your neighbour? To some of you that might sound like a fun thing to do, but for myself it sounded like something I should warn newcomers about. Let’s see why …

Working part-time at ERNW gives me the luxury of being employed at the finest company I’ve seen so far, surrounded by the talent of my colleagues and still being able to pursue my own academic career, which has involved 3D-printers since early 2011. After a university team project on the precision of such a low-budget machine [4] I was completely hooked. Over the following years I helped to further develop the Dutch-made Ultimaker 3D-printer within their vibrant open-source community. One step led to another, and I found myself writing a 350-page entry-level book [5] on 3D-printing for the renowned Hanser publisher as my bachelor thesis.

A small step for human mankind, a giant leap for myself.

While writing the book, more and more open-source and commercial projects tried to make 3D-printers more cloud friendly. The usual plan was to connect it to a Raspberry Pi, code some webapp magic and make it functional through your web browser. The gadget lover will shout: COOL, a wireless 3D-printer! The IT-Sec community will scream: GREAT, another hack- or defendable device! I was somewhere in the middle back then (August 2013) 🙂

Being quite busy with the book I asked my colleague Niklaus Schiess to look closer at the most popular project, called OctoPrint. The idea was to find some public-facing instances running on the Internet and see how far we could go from there. A day later he wrote back, going into detail on how port scans could do the job. Well, that’s boring. More interestingly, he mentioned that there’s a quite elegant way to do it via Google hacking!

Subtle information disclosure

Gina Häußge, the inventor and main developer of OctoPrint, included the GitHub commit ID in the web interface as a reference to troubleshoot users’ problems more easily. Because plenty of newcomers are just happy to get it running on their machines, they don’t bother too much about enabling the access controls. What happens in the end: Unprotected and easily findable OctoPrint instances in the wild! Ouch 🙁

By collecting those publicly available commit version strings and searching for them with an intext command on Google you could find several instances.

Deep Insights into a Friend's Living Room.

Funnily enough Niklaus didn’t find just some random OctoPrint server running, but one of a 3D-printer fanatic I know personally from the community. With just one web search and the click of a button we were looking into the living room of my friend Gregor Luetolf, who’s running the incredible 3drucken.ch blog.

Why is There a Live Stream? And What Else Could Go Wrong?

Low-budget, but plenty of features: Raspberry Pi + OctoPrint

By adding the Pi camera (or any other webcam) onto your Raspberry board you can get a live stream via OctoPrint to monitor your print. Even cooler: You can automatically create time-lapse videos of the printing process.

Besides that you can control everything you could do on the printer itself: Move axes, start and stop prints, run custom machine codes (e.g. manipulating the behavior of the firmware) and also set the temperature of the print head.

Controlling the temperature of the print head isn’t a feature you want to have publicly accessible! In case your 3D-printer vendor didn’t set maximum temperature limits correctly, an unscrupulous attacker could dial in a temperature which is higher than the melting point of Teflon (which is commonly used within print heads to prevent cold plastic from sticking on the inside). Starting from just 300 °C (bear in mind that some common 3D-printing filaments are printed at up to 260 °C) toxic polymer fumes are emitted. Their effects (also known as Teflon flu) can lead to serious lung injuries within seconds.
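The mitigation the paragraph above points at is a hard ceiling on the temperature a remote user can request. Firmware is the right place for that limit (Marlin, for instance, has a HEATER_0_MAXTEMP setting), but a host-side gatekeeper in front of the serial link catches a missing or wrong firmware limit. The following is an added example written for this post, not code from OctoPrint or from the author: it inspects the machine-code lines a web front end would forward to the printer and rejects the standard G-code temperature commands (M104/M109 for the hotend, M140/M190 for the bed) whose target exceeds a ceiling. The ceilings (260 °C hotend, taken from the filament figure above; 120 °C bed) and the sample job are constructed for the example; the parser is deliberately tolerant of missing whitespace and line-number prefixes so that a formatting trick cannot slip a value past it.

```python
import re
from dataclasses import dataclass

# Constructed limits for this example: the post states that common filaments
# print at up to 260 °C and that Teflon starts emitting toxic fumes around
# 300 °C, so anything above 260 °C on the hotend is treated as unsafe here.
MAX_HOTEND_C = 260.0
MAX_BED_C = 120.0          # assumed safe ceiling for a heated bed

HOTEND_CMDS = {"M104", "M109"}   # set hotend temperature / set and wait
BED_CMDS = {"M140", "M190"}      # set bed temperature / set and wait

# Optional "N123" line number, then the G/M command word.
_CMD_RE = re.compile(r"^\s*(?:N\d+\s+)?([GM]\d+)", re.IGNORECASE)
# Any letter followed (with or without whitespace) by a number: parameters
# like S250, R200, T0. Matching "S 300" and "M104S300" as well as "M104 S300"
# means the check fails closed against sloppy or deliberately odd spacing.
_PARAM_RE = re.compile(r"([A-Za-z])\s*(-?\d+(?:\.\d+)?)")


@dataclass
class Verdict:
    line: str
    allowed: bool
    reason: str = ""


def strip_comment(line: str) -> str:
    """Drop a trailing ';' comment so text after it can never look like a parameter."""
    return line.split(";", 1)[0]


def check_line(line: str) -> Verdict:
    """Allow the line unless it sets a heater above its configured ceiling."""
    code = strip_comment(line)
    m = _CMD_RE.match(code)
    if not m:
        return Verdict(line, True)          # blank, comment-only or unparsable: not a heater command
    cmd = m.group(1).upper()
    if cmd in HOTEND_CMDS:
        limit, heater = MAX_HOTEND_C, "hotend"
    elif cmd in BED_CMDS:
        limit, heater = MAX_BED_C, "bed"
    else:
        return Verdict(line, True)          # movement, homing, etc. are not temperature-relevant
    # S is the target temperature; R is the "wait for" target some firmwares accept.
    for key, value in _PARAM_RE.findall(code[m.end():]):
        if key.upper() in ("S", "R") and float(value) > limit:
            return Verdict(line, False,
                           f"{cmd} requests {heater} {value} °C, above the {limit:g} °C ceiling")
    return Verdict(line, True)


def filter_gcode(lines):
    """Split a job into the lines to forward and the verdicts for the rejected ones."""
    accepted, rejected = [], []
    for line in lines:
        verdict = check_line(line)
        if verdict.allowed:
            accepted.append(line)
        else:
            rejected.append(verdict)
    return accepted, rejected


# Constructed sample job: two lines ask for more heat than the ceilings allow.
SAMPLE_GCODE = [
    "M140 S60          ; bed to 60 °C",
    "M104 S210         ; hotend to 210 °C (typical PLA)",
    "G28               ; home all axes",
    "M109 S305         ; hotend to 305 °C: above the limit",
    "G1 X50 Y50 F3000  ; move",
    "M190 S150         ; bed to 150 °C: above the limit",
    "M104 S0           ; cool down",
]

if __name__ == "__main__":
    accepted, rejected = filter_gcode(SAMPLE_GCODE)
    print(f"forwarding {len(accepted)} lines, blocked {len(rejected)}:")
    for v in rejected:
        print(f"  {v.line.split(';')[0].strip():<12} -> {v.reason}")
```

Run on the sample job it forwards five lines and blocks the two over-temperature requests with a reason that can go straight into the web app's log, which is also the event a defender wants to alert on: a blocked heater command on a printer that is reachable from outside the home network is a strong sign that the access controls discussed in this post are missing.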

Luckily enough Gina acted quickly and enforced access controls on all new versions of OctoPrint. Additionally she made some changes to the default robots.txt (to prevent indexing through Google) and prevented novice users from running OctoPrint as the root user. But it’s also recommended to use additional measures to further protect your printer from being accessed by unauthorized users, for example a proper .htaccess configuration and restrictive firewall settings on your home router. If this is above a 3D-printing beginner’s skill set, we should really ask ourselves (once again): Does every new gadget really need an Internet connection? 😉

Gina speaking at a 3D-printing community event in Frankfurt. © Nils Hitze

If the answer is yes, it will be a good idea to sign up for TROOPERS14 (17-21 March), where Gina might join us to talk more about her project and its security. In collaboration with the wonderful RaumZeitLabor hacker space we’ll have a variety of 3D-printers on site – ready to print your ideas.

I’m sure that together we can make the 3D-printing world a bit safer (and still have fun at the same time).

Take care & happy printing/hacking!
Florian

PS: I think we should have a “hack the printer” challenge at TROOPERS14 this time… what do you guys think?

Additional sources:

[1]: More than 55.000 users are registered in the Google+ 3D-printing community alone! Growing daily 🙂

[2]: I won’t even comment on the “3D-printed gun story”. All I’m saying is this: http://www.thingiverse.com/thing:92003 😉

[3]: Rifkins, Jeremy: The Third Industrial Revolution: How Lateral Power is Transforming Energy, the Economy, and the World. Palgrave Macmillan 2011

[4]: Team project on Open Source Rapid Prototyping – Precision of the Ultimaker (German language): https://www.researchgate.net/publication/216448575_Open_Source_Rapid_Prototyping__Przisionsmessungen_anhand_des_Ultimakers

[5]: The book 3D-Printing for everybody (original title: 3D-Druck für alle) will be available starting on 9th of December in your local bookstore or on Amazon. An English version will follow soon.

Comments

  1. Hello
    It is cool if we could set up a cloud printer using an RPi and camera module.

    I am wondering if such configurations are only accessible for open source 3D printers. For example, I have a MakerBot Replicator 2X. Is it ok to use OctoPrint and an RPi? Are there some instructions to follow?

    Cheers

    zhaoguang WANG
