2013-08-06

Co.Labs

How Hackers Can Infiltrate A 3-D Printer

With more and more consumer 3-D printers hitting the market, one researcher says we should be concerned with their security. Why would anyone want to compromise one of these things?



As the 3-D-printing revolution barrels forward, things are going to get pretty interesting. I don't just mean in a you-can-print-new-organs kind of way. For every gee-whiz advance in the technology, there will be weirdness, risks, and pitfalls. Today, it's 3-D-printed guns. Tomorrow, it will be printer security flaws. Yup. Believe it or not, your company's 3-D printer can be hacked.

This very topic was the focus of a recent presentation (PDF) given by security researcher Claud Xiao at the XCon 2013 Security Conference in Beijing. Xiao, who does security research for a Chinese antivirus company, outlined the ways in which hackers could take advantage of vulnerabilities within a 3-D printer or the network to which its connected. It's all pretty theoretical, but the details are specific and actionable enough to give any IT director a minor heart attack.

Why Bother Hacking A Printer?

Why would somebody attack a 3-D printer? What could they even achieve? Like any form of malicious hacking, the motivation can range from harmless mischief to legit cyberwar. Whatever the end goal may be, getting enough access to do damage is no trivial matter. It does, of course, vary depending on the type of equipment being targeted. Something like the open source RepRap rapid prototyping system is going to make an easier target than the latest 800-pound machine from the floor of 3D Systems' headquarters.

"We analyzed the whole 3-D model data processing flow and 3-D printer control method when using the RepRap printers. We found almost all related software, firmware, and online download services didn't safeguard security," Xiao told FastCoLabs. "In most cases, when model data or configuration data is transferred or stored, or control command is transferred or executed, there isn't any authentication or verification, which means the potential attacker can easily modify or fake them."

How To Ruin Your Roommate’s 3-D Design Project (Or Worse)

By finding a weak spot in this data processing workflow, one could inject malware that would affect the output of the printer, snatch sensitive CAD files, or even dig into the machine's firmware and take control of the printer itself. It's also conceivable that unsavory code could find its way into the CAD files used to print 3-D models, which are freely distributed online.

Depending on the nature of the attack, the results can vary widely. First, there's the risk that a company's intellectual property or other sensitive information could be exposed. As we've already seen with hackable ink jet paper printers, infiltrating one of the 3-D variety can allow one to intercept STL files or other 3-D model data being sent to the machine. If you're printing an iPhone case you just downloaded from Thingiverse, this sort of thing wouldn't much matter. But if your company is working on prototypes for a top secret new product, an unusually ambitious competitor could take an unauthorized look. When you consider the types of industries that will be apt to use 3-D printing—medicine and the military come to mind—you can start to imagine why 3-D model data would make hacking into a printer worth the trouble.

With the right tactics, one could also affect the behavior of the printer. That could mean something as innocuous as interrupting a fellow student's final project print job to produce something far more obscene. Or, as Xiao's presentation outlines, it could provide hackers a way to physically damage the printer itself. In the same way that the Stuxnet worm was designed to disrupt uranium enrichment at an Iranian nuclear facility, a batch of nefariously authored code could alter the logic behind a printer's firmware, causing the machine to print damaged objects or, worse, damage itself. Deliberately causing the machine to overheat, for example, could render a very expensive machine unusable.

Xiao's research is intended to alert companies that utilize industrial-grade 3-D printers to the as-yet-underexplored security issues these increasingly popular machines can present. It's those heavier-duty printers that would likely be targeted, much more so than the desktop-sized 3-D printers used by hobbyists and designers.


Tracking: Inside 3-D Printing's Weird, Illicit, Dangerous Fringe

Our ability to print things in three dimensions is, they say, the future. It's been around for several years, but this transformative technology is now getting cheap and fast enough for everyday consumers to utilize. The potential is undeniably enormous.

Yet for all the magical potential of 3-D printing, it also raises strange, illicit, and potentially troubling issues. The most obvious example is the 3-D-printed-gun controversy, which we'll follow closely as it heats up. There are also concerns over copyright infringement, a contentious issue that's only beginning to rear its head in the world of rapid 3-D prototyping. What happens when millions of people are slowly granted the ability to produce 3-D objects at will? It's not unlike the Internet: Lots of awesome, radically transformative things will happen. Along with it, we'll get plenty of weirdness.

In this story tracker, we'll touch on everything from 3-D-printed food to sex toys and look at the social, legal, and ethical issues raised by this rapidly blossoming technology.


Previous Updates


With 3-D-Printed Metal, Robust Homemade Firearms Are Becoming Reality

August 6, 2013

If you thought the whole 3-D-printed gun thing got contentious earlier this year, just wait. The next generation of 3-D-printed guns will be easier to produce, sturdier, and unlike the firearms that come out of printers today, these homemade guns will be made of metal.

Printing metal with additive technologies is a very new process. This is believed to be the world's first commercially available 3-D-printed gun component:
The Auxetik, a muzzle brake for pistols and rifles that was made available by Michigan-based Sintercore LLC last week. A muzzle brake is a device that reduces the recoil of a weapon when it's fired.

What's different about Auxetik, compared to previously printed gun parts, is that instead of using one of the standard plastic-producing 3-D printers we're all used to seeing, it's built using a technology called direct metal laser sintering (DMLS), a technique already being used by some hobbyists to make homemade rockets.

The DMLS process turns metal powder into solid metal by melting it with a fiber optic laser. Like plastic printers, it takes blueprints from CAD files and turns them into physical objects, tiny layer by tiny layer. The chief difference, of course, is that the output is made of metal.

Why does this matter? It's the first step toward a reality in which real, metal guns can be easily manufactured by anybody with access to the right kind of 3-D printer and the proper design blueprints. The plastic guns and gun components printed by projects like Defense Distributed work, but they're cheap-looking and not particularly durable. In fact, police in Australia (where all guns are banned) have warned that 3-D-printed plastic guns can be dangerous to use, given their fragile construction.

Sintercore isn't providing access to the CAD blueprints for the Auxetik, but rather selling the component itself. Still, what Sintercore is doing gives us a glimpse at what's possible when high-powered lasers meet metal powder to form an object that was designed explicitly for destruction. No matter how you feel about the existence of 3-D-printed guns or the regulation thereof, it's hard to argue that the innovation isn't a big deal. As the music industry knows all too well, the sudden widespread availability of a certain filetype over this globe-spanning network we call the Internet can have a very dramatic impact.

The whole thing also stands as a reminder of how primitive 3-D printing is. Sure, those complex, colorful plastic widgets getting spit out of MakerBots and bigger 3-D printers are really cool, but it's only the beginning of this impending revolution in the way things are made. Plastic prototypes will be joined by hard metal and even a brand new type of flexible, self-healing metal. Houses. Food. Human tissue. The list of what will soon be printable seems to grow by the week.

To many, the advent of 3-D-printed guns represents a scary new frontier in which regulating who has access to deadly weapons becomes virtually impossible. To others, it's all about empowering citizens with expansion of constitutionally promised rights. Whichever it is, it's hard to argue things will ever be the same.


June 18, 2013

Cue The Battle To (Somehow) Regulate 3-D-Printed Guns

Well, this should make for a debate that’s as contentious as possible. Nearly a year after Defense Distributed first grabbed headlines with its plans to build a 3-D-printed gun, lawmakers are starting to freak out. Last week, a New York City council member introduced a law that aims to outlaw the printing of any gun component unless one is a registered gunsmith. Under the law, any guns that are printed would need to be registered with authorities within 72 hours. The proposal comes a few weeks after a similar one was introduced in the New York state assembly. This is undoubtedly just the beginning.

The impossible-sounding nature of these laws highlights precisely why this issue is at once so terrifying and exciting to different camps of people. The same networks that empower everyday people to become publishers and share music freely now permit people to exchange blueprints for deadly weapons. To some, it’s an expansion of liberty. To others, it sends us down a dark and dangerous path. Like the sharing of MP3s, restricting this kind of activity will prove difficult, if not downright impossible. The quest to do so only grows more urgent as 3-D printing becomes more ubiquitous.

For those who haven’t followed the story, it broke into the mainstream last summer when Forbes covered Defense Distributed, an organization dedicated to creating a 3-D-printable gun and making its CAD design blueprints freely available online. To do so, the organization launched a crowdfunding campaign to raise the money needed to buy a 3-D printer. They succeeded, but Stratasys, the 3-D printer manufacturer, quickly repossessed the device, citing concerns over the legality of its intended use.

Cody Wilson, the 25-year-old founder of Defense Distributed, proceeded to develop the world’s first fully 3-D-printable gun anyway. A video of Wilson successfully firing his printable pistol, dubbed "The Liberator" were posted online in May, as were the CAD files needed for others to print the gun. The State Department demanded that Wilson remove the files, which he did, but not before 100,000 people had downloaded them. From here on out, limiting the spread of these files online will be about as easy as scrubbing the leak of Kanye West’s new album from the Internet. Indeed, as an intelligence memo from the Department of Homeland Security said of 3-D-gun blueprints, "limiting access may be impossible."


[Image: Flickr user Creative Tools]




Add New Comment

0 Comments