Hackers set their sights on 3D printers
An online workshop shows how easy it is to break into the software that controls these important devices
Niko McCarty • December 22, 2020
A set of 3D printers in Nikhil Gupta’s laboratory at New York University. [Credit: Nikhil Gupta | Used with permission]
Uri Shaked hacks 3D printers with a vengeance.
It started after he contributed to a Kickstarter campaign for what was touted as the world’s smallest and most user-friendly 3D printer. “And then about a year too late, I got a product and it was half-baked and a horrible experience,” says Shaked, an Israeli software engineer.
The 3D printer had a problem with its firmware — software that comes preloaded on a machine — and couldn’t print objects reliably. Shaked spent a month trying to hack into the code, which was encrypted with a substitution cipher (each letter is swapped with another), so that he could fix the bugs.
“It was a month full of suffering. Every evening when I got home from work, I sat down and banged my head against the wall,” he says. Eventually, he cracked the cipher and was able to write new firmware code to fix the 3D printer.
Now, Shaked is venting his frustration, and sharing the lessons he learned, at the first Remoticon conference, an online gathering of do-it-yourself hacking enthusiasts.
Shaked’s workshop, called “Live Breaking into Encrypted 3D Printer,” was one of about 20 at the conference. “Crowd-Controlled Robots” and “Learn How to Hack a Car” were other offerings. Sophi Kravitz, the organizer, says that in-person conferences in previous years typically drew about 500 attendees. This year 1,800 people signed up for the online version.
A group of 75 hackers gathered on Zoom for Shaked’s workshop and followed along as he typed in a collaborative code document — a sort of Google Doc for programmers. The actual hacking was not nearly as sexy as the movies make it seem. It felt a lot like Sudoku, actually; breaking one part of the cipher revealed new clues that could slowly be used to unravel the 3D printer’s code.
Shaked’s workshop taught people how to break into encrypted software so that they could improve its code; it was a learning exercise. But not everyone in the world of 3D printer hacking has good intentions. Even large, industrial 3D printers can have serious security flaws that leave them vulnerable to thieves, says Nikhil Gupta, a researcher at New York University who specializes in 3D printer vulnerabilities.
Modern 3D printers can produce objects shaped to precise specifications from polymers, metals and even ceramics. Large companies — including airplane and medical device manufacturers — are using 3D printers to create parts faster and with more precision. But hackers can break into 3D printer software and steal proprietary files in order to make counterfeit parts.
“In the aircraft industry, this has been a problem where people steal designs or take the original part and make replicas and sell it at cheaper prices,” says Gupta.
Good-spirited computer scientists have developed ways to fix buggy 3D printer software, though. Matthew McCormack, an engineering graduate student at Carnegie Mellon University, developed a patch called Connected 3D Printer Observer, or C3PO, that can repair some common security flaws in 3D printers. The patch can detect vulnerabilities in the 3D printer’s software and then set up a firewall to prevent them from being exploited by hackers. When McCormack approached manufacturing companies that use 3D printers, offering to evaluate their security, he found some serious issues.
“When we surveyed machines, the majority had outdated software,” says McCormack, meaning that they are potentially vulnerable to hackers.
McCormack’s software fix comes at a good time. A 2016 study, presented at the Resilience Week conference, found that some of the most popular software for 3D printers allows malicious actors to execute code on the machines. If a 3D printer is hacked, it can fail and cause the company to start losing money.
“A big concern is machine uptime. You have a production line and if something stops you’re losing profit,” says McCormack. “When machines are down, costs elevate rapidly.”
The hackers on Shaked’s Zoom session, at least, didn’t seem nefarious or likely to shut down a factory’s operations. Their children screamed in the background through unmuted mics. Phones pinged as Joe Biden was announced as president-elect. And then, when Shaked hit “Run,” and the cipher was broken, the Zoom chat flooded with positive comments.
“Wow, it worked,” Shaked shouted, raising his arms in triumph.