Hacking IoT devices has always been a privacy and security risk. Not only it can steal data from the users, but can also cause physical damage. Recently, a similar attack strategy has surfaced online where hacking a 3D printer firmware can induce fire.
Hacking 3D Printer Firmware
Reportedly, the Senior Security Consultant at the firm Coalfire, Dan McInerney, has shared a series of posts detailing his findings of hacking 3d printer firmware. He demonstrated how a cyber attack on 3d printers can induce physical damages by triggering fire.
In their study, the Coalfire researchers took Flashforge Finder WiFi-enabled plug-n-play 3D printer. Specifying the reason behind this choice, they stated in their first post,
“3D printers are becoming more common with no signs of slowing growth. As their price drops and their usability increases, they will soon become household staples, akin to ubiquitous paper printers. With this evolution, the need for security dramatically increases.
Like any other IoT device vulnerable to the attack demonstrated in this study, 3D printers also possess a heating element. This heating element regulates via the underlying printer firmware which, like all smart devices, receives updates over the internet.
Hacking the printer firmware can in turn allow an adversary to disrupt the normal functionality of the device. This even includes removing the temperature constraint of the heating element (240°C in case of Flashforge Finder) thereby triggering a fire.
Briefly, the researchers demonstrated the attack by first gaining root access to the device firmware via WiFi. They then used NSA’s Ghidra Tool to reverse engineer the firmware and deploy a patch with increased maximum temperature. Though, they observed some kind of security within the code as they couldn’t cause the printer temperature to exceed beyond 260°C.
However, in the last post of the series, they revealed how they could finally overcome this hurdle. With a simple change in the code, they could cause the printer to reach a maximum temperature of 455°C as well. At this high temperature, they could visualize the melting of plastic and damages to the printer.
What Next?
In their study, the researchers observed that, for the printer, going beyond 455°C was somehow slowed down. They figured out that the 24v power cable made the power supply temperature increment after a certain level. However, swapping the cable with a high-voltage one could overcome this security check too.
Nonetheless, as they demonstrated, for a cybercriminal, this power supply limitation doesn’t cause any hindrance. A mere hacking of the firmware and the subsequent temperature raises sufficed to induce devastating smoke with toxic chemicals. The researchers believe that such incidents can even induce fire.
As possible mitigation, the researchers recommend using physical thermal breakers in 3D printers. These thermal breakers work independently of printer firmware, hence can avoid such attacks. LaserJet printers presently use these thermal breakers already.
In 2019, some researchers also demonstrated how hacking smart hair straightener could induce fire.
Let us know your thoughts in the comments.