Could Terrorists and Hackers Harm Us Through Our 3D Printers?

[Brian_Krassenstein]

A recent report/guide issued by the Department of Commerce's National Institute of Standards and Technology, has gone over several ways in which hackers, or terrorists could harm defense manufacturers for the US Military, both physically, and from a production standpoint. Through attacks on systems, as well as hacking into hard drives and networks it is possible for terrorists to harm us from afar. More details on what can be done to prevent this, and what actually our fears should be can be found here: http://3dprint.com/14970/3d-print-hack-terrorism/

Should this be a fear of the US Government and other governments as 3d printing begins to take over manufacturing floors?

[Feign]

What reason would you ever have to put your printer online to get hacked in the first place? I mean, I see a lot of gimmicks for internet-connected printers, but none of them have ever hit me as reasons.

Unwary factories and labs can get slowed by attacks, absolutely, but corporate and international sabotage is nothing new. The Iranian lab attack may have been more important in making it known that the labs existed at all, since Iran had been hiding them up to that point. It should probably be emphasized though that these kind of attacks aren't generally the concern of the average person (certainly not more than the hacking of major credit card systems and the huge hacking attack on the Healthcare.gov site or the NSA surveillance of effectively everyone everywhere).

The idea that hackers interested in individual citizens could cause intentional printer meltdowns hits me as the same media fearmongering that said hackers would be able to turn your hard drives and monitors into bombs in your house back in the '90s.

[curious aardvark]

What feign said.

I'm struggling to find anything else to say because the question is so ludicrous.

[bshadown]

Un less your printer can print a bomb in 10 seconds you have nothing to worry about, im moré concern about my creditcard been cloned on any restaurant than this kind of bullshit, lets be honest most mainstream media and almost any government want people be afraid of things these sectores cant control, so in my opinión that paper from the department of comerce is bullshit. Have a nice day

[Mjolinor]

I can see the problem of distributed manufacturing and speed to re-production after a bust being a real problem for the authorities, 3d printing and cheap CNC generally allows that more than any other technology I think.

[jimmydave]

This kind of thing could never affect household 3d printers. It was meant to say that large 3d printers with lasers and scary flammable powders in 3d factories could *potentially* explode.

[LucaS]

Scenario 1. Imagine an industrial 3D printer used to manufacture something to be used in a building structure. Eg. a pillar.

This pillar should conform to certain features, eg. it should be so and so dense and be able to withstand this amount of weight, etc.

Now, a hacker changes the model, the 3D printer creates a pillar that looks ok from the outside, but that is actually hollow. Or perhaps the materials mixture isn't as it should be. Or it has some other type of defect that would make it unfit to pass the safety checks. If the safety checks are indeed inaccurate and/or avoided and/or tampered with, that pillar could one day collapse. And part of the building with it.

Scenario 2. Doctors use a 3D printer to manufacture a prosthetic implant, part of a bone, a vital medical implant, you-name-it. Hackers, again, insert some kind of malware that changes all models by decreasing the density of each manufactured object from, say, 1 to 0.8. The doctors don't notice the change because the (malware-tampered) software says everything's okay. A million medical implants get produced, shipped to hospitals and implanted. A few years later the first ones start to break down...

You know, cyber-terrorism connected to 3D printing doesn't necessarily mean exploding printers.

L.

P.S.
Feign, in order to be hacked a printer doesn't need to be online. Stuxnet was introduced into the Iranian computers with a USB key.

[Feign]

While both of those are possibilities, they are unlikely for other reasons. The first because for both the mad hacker and the terrorist, introducing a flaw that will fail someday isn't terribly productive. No thrill in it for the hacker, and no sense of immediacy or attack in it for the terrorist. In the case of the medical implant, there's no competent medical device manufacturer that would just go without continuous testing their product because they trust their printing process. Like the pillar, no sense of immediacy for the perpetrator as well.

Also, if someone is getting into your facility with hard copies of malware to put on your machines, you have a bigger problem than the malware itself. The Stuxnet attack on Iran's nuclear lab was carried out by a professional and highly competent national spy agency (no points for guessing which one, we don't need politics in here).

[LucaS]

Hi Feign, thanks for answering.

While both of those are possibilities, they are unlikely for other reasons. The first because for both the mad hacker and the terrorist, introducing a flaw that will fail someday isn't terribly productive. No thrill in it for the hacker, and no sense of immediacy or attack in it for the terrorist.

You assume hackers are like the kids of the nineties, coding to have a thrill. We are not talking about those, not anymore. Hackers today are professional teams that seek either a financial or a political goal. Being able to tamper with a production process and then try to draw benefits from it is far from being unlikely: it's being attempted every day. Introducing poison into food or medicine production factories is just one of many examples. 3D printing just brings the process a little closer to hackers' "core competences" than before.

Criminals, terrorists or enemy Governments constantly scout for new vulnerabilities. Adding 3D printing capabilities to a production process without thinking thoroughly about possible tampering scenarios introduces the proverbial weakest link.

In the case of the medical implant, there's no competent medical device manufacturer that would just go without continuous testing their product because they trust their printing process.

The question is simply about two aspects of this testing: 1) how many devices per production batch will be tested and 2) what will be tested.

If the answer to 1) is 100% then you go straight to 2). However, in many production processes only a sample of produced equipment gets tested. In that case, the attacker only needs to tamper with the program so that a percentage of the items are faulty. If, for example, 10% of the produced items get tested, the attacker would need to introduce the flaws in 1% of the production and only a fraction of defective material will be discarded, while the rest will be shipped.

2) Someone familiar with the way products are being tested might very well introduce flaws that circumvent those tests.

Also, if someone is getting into your facility with hard copies of malware to put on your machines, you have a bigger problem than the malware itself.

I think you shouldn't concern yourself with that part of the security problem. Let others handle the "how-the-heck-did-he-enter-the-compound" issue. Security should be present at all layers, in order to make the cost of the attack higher. Here - if I'm not mistaken - we are discussing the security of 3D printers, or in other words the "okay-he-got-through-and-he-accessed-the-printer-now-what" issue. What measures should the 3D printing industry develop in order to minimise the attacks? Digitally signing the models perhaps?

I am unfamiliar with 3D printing, but I am very familiar with cybersecurity (>25 years in the field), and I'm telling you the "it's not a problem now" is not the right attitude.
People fifteen years ago wouldn't believe their mobile phone could be attacked by malware or hackers. Now more than 15,000 new Android malware gets added every three months, and hacking your phone is the favourite way for cybercriminals and law enforcement alike to track you and spy on you.
People today don't believe their future car will be attacked by malware or hackers. It will be, and if the automotive industry doesn't do something soon it's going to get ugly.
Finally, I see 3D printing industry members today that are similarly sceptical about 3D printers being attacked by malware or hackers. Hackers are going to get there, eventually. The choice to prepare for them is yours.

L.

[Geoff]

A recent report/guide issued by the Department of Commerce's National Institute of Standards and Technology, has gone over several ways in which hackers, or terrorists could harm defense manufacturers for the US Military, both physically, and from a production standpoint. Through attacks on systems, as well as hacking into hard drives and networks it is possible for terrorists to harm us from afar. More details on what can be done to prevent this, and what actually our fears should be can be found here: http://3dprint.com/14970/3d-print-hack-terrorism/

Should this be a fear of the US Government and other governments as 3d printing begins to take over manufacturing floors?

...........