Once reserved for large-scale manufacturing plants and educational institutions, 3-D printers are now going mainstream, with IDC predicting double-digit growth in shipments each year through 2020. But according to research from Carnegie Mellon University, increased availability may also prompt a rise in 3-D printing vulnerabilities — is “build your own breach” the next big attack vector?
While the consumer 3-D printing market lacks focus — relatively cheaper devices make it possible to print novelty items but don’t yet offer day-to-day benefits — business-driven solutions are enjoying widespread success. As noted by Hackaday, for example, companies have started experimenting with Hydra printers, which use multiple heads to create several objects simultaneously.
Additionally, 3-D Printing Industry reported that additive manufacturing company Sharebot recently released a high-speed professional digital light processing (DLP) printer, which is eight times faster than other DLP solutions.
There’s also progress in education. TechCrunch explained that companies such as XYZ Printing are now in the market with small, classroom-focused printer/scanner combinations that retail for less than $250. Manufacturers like Zortrax, meanwhile, have upped the ante with a large-scale M300 offering that can print objects up to 300 millimeters cubed.
Even 3-D-printed food is on the rise. According to Digital Trends, NASA has tasked a Texas startup with creating printed pizza for long space flights.
With progress, however, comes price. If 3-D printers can print anything with the right blueprint, then it’s possible to create both dangerous items, such as weapon parts, or steal corporate secrets by snapping photos of physical security devices, extrapolating those pictures into CAD files and then making multiple copies. Sure, it sounds farfetched — but it’s not.
According to The Intercept, it all started with a 2014 story from The Washington Post about TSA baggage handling. Part of the piece featured images of a master key used to open TSA-approved luggage locks if necessary. Cybercriminals did some digging and found more detailed images on the website of a company that worked with federal agencies to create and enforce travel security guidelines.
Next, a security researcher and hacker named Steven Knuchel, who goes by the alias Xylitol, created CAD files out of these images and posted them on Github. Printing enthusiasts took up the torch and made multiple copies, which easily opened the supposedly secure luggage locks.
More recently, in March 2016, researchers from the University of California, Irvine discovered it was possible to reverse engineer items created by a 3-D printer using a smartphone to record the sounds made by the printer’s nozzle as it applied item layers. If malicious insiders or outside actors could make and leverage these recordings, companies could lose a competitive edge in the market, along with their intellectual property.
Another possible attack avenue involves hacking internet-connected printers to introduce errors in design. This could slow production or completely sidetrack a new product launch. Because many printers share the same vulnerabilities as other IoT devices — which often amounts to a total lack of network security since they’re not seen as an integral part of the network — there’s huge potential here for motivated attackers to create duplicates, corrupt the printing process or disrupt corporate plans.
Protection From 3-D Printing Vulnerabilities
So how do companies defend against 3-D printing vulnerabilities? It starts with the understanding that sensitive data now extends beyond protected documents and spec sheets to include images. Assume that anything visible in a picture can be deconstructed, reconstituted as a CAD file and then recreated via a 3-D printer. This means that employees traveling with physical security devices such as keys or locks need to consider going dark while in transit so they don’t accidentally make private information public.
When it comes to on-site 3-D printers, meanwhile, it’s a good idea to employ an air-gap strategy and keep them separate from both the internet at large and your internal network. In addition, you need to restrict access since attackers can leverage mobile or desktop microphones to copy and replicate printed objects.
There’s big potential for the industrial side of 3-D printing, and while home units may not corner the market, they’re now readily available to at-home hobbyists and cybercriminals alike. With niche companies quickly spinning up to improve production speed, item size and even print consumable items, it’s no surprise that companies are jumping on board to print prototypes or streamline production.
But 3-D printing vulnerabilities are pervasive: An image or audio recording is all it takes for cybercriminals to effectively build their own breach and access high-value data — all without compromising network security. Bottom line? 3-D printing demands a new dimension in IT security to safeguard intellectual property and physical devices.