A Data Exfiltration and Remote Exploitation Attack on Consumer 3D Printers

摘要

With the increased popularity of 3D printers in homes, and industry sectors, such as biomedical and manufacturing, the potential for cybersecurity risks must be carefully considered. Risks may arise from factors such as printer manufacturers not having the requisite levels of security awareness, and not fully understanding the need for security measures to protect intellectual property, and other sensitive data that are stored, accessed, and transmitted from such devices. This paper examines the security features of two different models of MakerBot Industries’ consumer-oriented 3D printers and proposes an attack technique that is able to, not only, exfiltrate sensitive data, but also allow for remote manipulation of these devices. The attack steps are discretely modeled using a threat model to enable formal representation of the attack. Specifically, we found that the printers stored the previously printed and currently printing objects on an unauthenticated web server. We also ascertain that the transport layer security implementation on these devices was flawed, which severely affected the security of these devices and allowed for remote exploitation. Countermeasures to the attack that are implementable by both the manufacturer and the user of the printer are presented.