MA: On the Security of 3D Printers: Analyzing the Impact of Machine Codes

Abstract:

Additive manufacturing is said to be one of the key factors for Industry 4.0 [34], and it has already made a huge impact on modern engineering processes. With a value of $10.4bn US and an increasing rate of adoption, the value of the 3D printing market is estimated to reach $30.9bn US by 2025 [16]. In recent years, 3D printing has become widely available to enthusiasts, with entry-level prices of around $190 US.

Typically, a 3D printer is controlled with commands called Gcodes. Many additions have been made to the list of Gcodes available for 3D printing, with various manufacturers redefining or not implementing some of these instructions for their machines [36]. Many Gcodes control system-critical but also potentially dangerous functions of 3D printers. There have also been accidents with machines catching fire [15]. But fires are not only caused by faulty construction. For example, there are Gcodes that can be used to change the maximum temperature the heater is allowed to reach, followed by overheating the print bed, which could lead to the 3D printer catching fire.

In this work, we systematically analyzed the potential risks of all Gcodes used in 3D printing and evaluated how they could be used in a malicious manner. For this purpose, we created a comprehensive list of Gcodes based on the documentation of multiple firmware developers and other sources. The codes in this list were analyzed for their potential risks to users or the machines and categorized according to their use in the attack classes Print Manipulation, Denial of Service, Physical Harm and Information Disclosure. Additionally, we defined attacker models in which attacks of the aforementioned attack classes are possible. We also evaluated 12 attacks with regard to the attacker models in which they are applicable. We developed a stand-alone tool suitable for penetration testing of 3D printers over a serial connection, which can be used to execute Gcodes on a 3D printer and test attack vectors. Lastly, we tested the tool on three machines, a Prusa i3 MK3S+, a Creality CR-10S, and a Duet 2 Ethernet controller board, to ensure a wide range of compatibility.