Once the stuff of science fiction, 3D printing has cemented its spot in the mainstream in recent years. However, there are four risks the 3D printing industry needs to address before these devices become engrained in the commercial and private spheres.
All 3D printers are computer controlled. They run software, which can contain development errors that result in security vulnerabilities. If an attacker is able to trick a printer owner into loading a malicious 3D printing file, they may be able to trigger such a flaw and exploit it, for example by executing arbitrary code to load a malicious process or to install some form of “trojanised” firmware.
Printer manufacturers need to make secure coding and design a core aspect of their development process, to minimise the risk of this occurring.
Not all 3D printers operate as standalone devices. It’s common for users, both hobbyists and professionals, to connect them to a network. Doing so turns a 3D printer into an Internet of Things (IoT) device and instantly increases its “attack surface” in the process.
Increasing the intrinsic security of 3D printers is primarily a matter for their manufacturers, but following network security best practices, such as the use of a firewall and other security controls, can mitigate the risks in the interim. Following the least privilege principle – restricting access to those who have a legitimate reason or purpose – and using Virtual Private Networks and extra authentication for printing via the internet can help prevent unauthorised users and hackers gaining access.
To print objects, 3D printers require precise instructions on how to move their print heads in 3D space. To provide these instructions, many use files written in G-code, a programming language designed to direct computerised manufacturing tools. Unfortunately, many 3D printing file types have no native encryption or integrity checking capability.
If an attacker were able to intercept print files before use, they could potentially modify them without the owner’s knowledge, introducing weaknesses which compromise the integrity of the finished product. While this is unlikely to pose a threat for hobbyists, it could be disastrous for companies using commercial grade printers to produce industrial components.
Standardised encryption and integrity checking are needed to enable users to recognise when unauthorised individuals have modified a critical file. Some proprietary 3D printing solutions already incorporate this feature but it needs to become universal.
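One way to add the integrity check described above, as an added example that is not from the original article or from any printer vendor: a detached HMAC-SHA256 tag is computed where the G-code is produced and verified on the print host before the job is released. It covers integrity only, not encryption; the shared key, the job name and the function names are assumptions, and the G-code is a constructed sample.

```python
import hashlib
import hmac

# Constructed sample G-code (not taken from any real print job).
SAMPLE_GCODE = b"""; constructed sample
G28 ; home all axes
M104 S210 ; set hotend temperature
G1 X10.0 Y10.0 Z0.2 F1500
G1 X50.0 Y10.0 E4.0
G1 X50.0 Y50.0 E8.0
M104 S0 ; hotend off
"""


def sign_job(key: bytes, job_name: str, gcode: bytes) -> str:
    """Return a hex HMAC-SHA256 tag over the job name and the file bytes.

    The length-prefixed job name binds the tag to one job, so a valid tag
    cannot be replayed against the same bytes under a different job name.
    """
    name = job_name.encode("utf-8")
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(len(name).to_bytes(4, "big") + name)
    mac.update(gcode)
    return mac.hexdigest()


def verify_job(key: bytes, job_name: str, gcode: bytes, tag_hex: str) -> bool:
    """Constant-time comparison of the recomputed tag with the supplied one."""
    expected = sign_job(key, job_name, gcode).encode("ascii")
    supplied = tag_hex.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, supplied)


def release_to_printer(key: bytes, job_name: str, gcode: bytes, tag_hex: str) -> bytes:
    """Fail closed: hand the file on only if its tag verifies."""
    if not verify_job(key, job_name, gcode, tag_hex):
        raise ValueError(f"integrity check failed for job {job_name!r}; not printing")
    return gcode


if __name__ == "__main__":
    demo_key = b"\x01" * 32  # assumption: provisioned out of band, never shipped with the file
    tag = sign_job(demo_key, "bracket-v3", SAMPLE_GCODE)
    print("tag:", tag)
    print("verified:", verify_job(demo_key, "bracket-v3", SAMPLE_GCODE, tag))
```

A shared-key tag only helps if the key is kept off the path the file travels; where the producer and the print host cannot share a secret, a digital signature fills the same role.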
Almost every form of technology can be subverted for evil and 3D printers are no exception. The ability to print dangerous or restricted objects, such as guns and gun parts, has long been flagged as an obvious risk. There are other ways malefactors can employ 3D printers for dangerous or dishonest purposes. They include creating authentic looking skimmers, which can be used to harvest customers’ banking details from ATMs and public card readers.
Restricting printers’ ability to print certain designs, such as guns and skimmers, seems an untenable solution, given the purpose of the technology is to enable anyone to create a prototype of any design. Raising public awareness of 3D printer-linked crime may be an effective way to deal with this downside of a technology which has already transformed the way designers and manufacturers operate.
Remaining cognisant of the security risks associated with 3D printing can help companies and individuals exploit its capabilities without opening themselves up to unnecessary risk.
Mark Sinclair, ANZ Regional Director, WatchGuard Technologies