Exploiting 3D Printers. [ Internet Of Things ]

“ The IoT is next Big thing because "Reach out and touch somebody' is becoming reach out and touch everything'.” 

Nowadays everything is getting connected to the internet we called it IoT. Even brush is connected to the internet it shows us when i brushed, how long i have brushed, how much dirt is on my teeth. It will be calculated by measuring the friction between my teeth and brush. With merits there's comes demerits. Connected to the internet means you are opening a bridge if proper control are not there anyone can come in. Hackers can compromise the brush to make it do unintended functions or even can dominate the entire Home network. Nowadays this is no more fiction. Presently hackers are targeting 3D printers by changing the max temperature to a higher value which will lead to Printer overheated and it will catch the fire.

I tested my friend 3D printer Remotely with his permission. What I did was I changed the max value from 240 degrees to 245 to play a safer side because i don’t want to burn my friend printer. So basically there are two strategies we can follow locally or remotely.

Exploit Locally

1. Get access to WI-FI network which  3D printer connected to it.

2. ARP spoof the 3D printer using Bettercamp to pass the request of a firmware update to the server.

3. DNS spoof the address of the public firmware repository so that we act as a real server. when printer request for firmware update then we will pass the malicious firmware to 3D printers.

4. Host malicious firmware at the spoofed address

5.Wait for the owner to update their firmware or do it by Social engineering.

6. We move the head position to the plastic side of the printer. We moved head to plastic side because plastic easily susceptible to catch  fire

The 3D printer which we are targeting works on port 8899 with no authentication this is very common to find with 3D printers. Ports takes G-code command for performing an action such as increasing temperature.

Exploit Remotely

 1. Search a 3D printer via the Shodan search engine.

 2. Connect port 8899 (no authentication needed) via netcat.

 3. Echo G-code command and also move the head position to the plastic side of the printer. We moved the head to the plastic side because of plastic easily susceptible to catch  fire 

 Commands looks like

   Echo –e “~M109 S260\r\n” > /dev/ttyS11.

 snippet of firmware code

As we can see  IPFINDERPlusISP files take the hex as an argument this makes room for us to pass our desired value to burn the printer.  In a future post, I will try to coverup in much detail how to exploit a 3D printer till then stay safe.