In the rising era of industrial Internet of Things (IoT) devices, factories are being upgraded. Devices, such as networked 3D printers, can now interact with other machines and be controlled remotely to improve efficiency. But connecting these devices to the network makes them more prone to danger. Some cyber-attackers might stop them from working, while others could steal designs or hold them hostage for ransom.
Carnegie Mellon University security researchers are planning ahead. Vyas Sekar and Matthew McCormack have developed a tool with their team to help protect these devices. This tool, named Connected 3D Printer Observer, or C3PO, is designed to systematically determine potential security risks for individual networked 3D printers. They’re starting to work on it, but it’s very, very nascent,” said Sekar an associate professor of electrical and computer engineering. But, there are few tools to provide security for 3D printers.
C3PO is composed of two parts. One part identifies the printer’s security vulnerabilities, and the other identifies potential attack paths based on the given vulnerabilities and network deployment. For example, it can find out whether connecting a web camera to a 3D printer provides attackers an avenue to steal information.
C3PO functions by following the belief that sometimes the best way to know your enemies is to mimic them.
C3PO functions by following the belief that sometimes the best way to know your enemies is to mimic them. After performing a security audit, C3PO questions what attackers could find if they observe network traffic to the 3D printer. From there, it can learn more about the 3D printer’s operation and protocol. Armed with this knowledge, it can identify malicious inputs to the printer and potential Denial of Service (DoS) attacks in which attackers can make the printers inaccessible to their intended users.
Sekar’s team tested the tool on eight 3D printers from multiple vendors and manufacturing deployments. They found all of the printers were vulnerable to DoS attacks. Understanding each devices’ vulnerabilities is the first step to protect them.
Sekar’s team aims to tailor the protections they have designed to each specific printer based on its problems and how it operates. When that happens, it will strengthen our defenses against future attacks.
"What we want to do next is say, alright, we found these problems, and we have a tool. Can we now create a way to protect them?” said McCormack, a Ph.D. student in electrical and computer engineering. "Can we add on something to the network to protect this printer so someone can’t steal that information? Can we use what we learn about the printer itself to bolt-on a defense for the printer?”