this post was submitted on 18 Jan 2025
48 points (92.9% liked)

3DPrinting


Howdy, folks!

I'm teetering on the brink of connecting my Sovol3D S06 ACE to my wireless network, but I'm pausing because this device can make physical real-world actions like:

  • record photos and videos using its built-in camera
  • shake so much that it manages to knock itself on the floor
  • melt so much plastic that it dribbles all over itself and then all over everything around and beneath it
  • consume lots of electricity and cost me a fortune on my utilities bill
  • burn the house down

None of this happens in normal usage, of course, but watching it self-calibrate did make me wonder:

  • how safe the firmware is?
  • is it retrieving instructions from Sovol3D or some other party by itself?
  • is it sending records of my print jobs to a 3rd party?
  • is it sending photos and videos to a 3rd party?
  • how safe the firmware is once it's receiving arbitrary network traffic?

All IPv4 traffic from the internet goes through a NAT/firewall that I conceivably control, but my devices all get public-facing IPv6 addresses, and the default SSH password on all of these printers is publicly documented.

It looks like the Sovol3D S06 ACE firmware is https://www.klipper3d.org/ + https://www.obico.io/ + some unknown amount of stuff that Sovol3D adds on top, and it doesn't seem like they've kept the public source code up-to-date: https://github.com/Sovol3d/SV06-ACE

I do already self-host https://www.home-assistant.io/ and plan to integrate the 3D printer with it, avoiding any cloud behaviour as much as possible, but I'm wondering if anyone else has already done this and has any advice on what to avoid?

Cheers! <3

top 15 comments
[–] 4am@lemm.ee 2 points 5 hours ago

If you really control the firewall, you should know to block all inbound traffic by default.

It doesn’t matter if it’s IPv4 or IPv6; NAT is not a security protocol and it doesn’t protect you.

[–] dual_sport_dork@lemmy.world 51 points 17 hours ago

I can think of no compelling reason whatsoever to have my printer exposed to the outside internet. If I have to get at it remotely that's what my VPN is for.

Connected to the internet or just connected to your network?

Connect it to your network and use an invalid IP as your gateway and it shouldn’t go out of your network.

[–] wirehead@lemmy.world 11 points 16 hours ago (1 children)

IoT devices are, to be quite honest, a shitshow, and your Sovol counts as such.

Either the device needs to call upstream to get updates or it's going to ship with a security bug that can be exploited. Or, in many cases, it'll have an unpatched security vulnerability and it'll call upstream to get updates.

It costs money to keep the necessary cloud infrastructure in place, both in terms of hosting costs as well as devops time. Either they will eventually need to brick the device, leave it unpatched forever, charge you some maintenance fee, go bankrupt, or fund the whole thing by selling your data.

It's not hard to write a bot that would scan for signs of a Sovol printer, try the default SSH password, and do nefarious things. And people are generally really bad about the default SSH password regardless.

There's not really a good answer here for IoT devices. There's not even a really great answer for home brew IoT devices with the thing where Home Assistant's reverse-tunnel service had a nasty vulnerability that let you remote HA instances.

Aaand.. IPv6 is great. But unfortunately the way things are now means that giving everything on your network a publicly routable IPv6 address is a very bad idea.

Klipper provides a lot of protections but all of that hinges on the microcontroller, so presumably an attacker can upload a substitute firmware using the update mechanism that would go full send on the heaters, which has the potential to actually melt some things.

The problem is that if you want Klipper, you need a full Linux. This is not actually a problem for the Klipper devs, mind you, because they wrote a cool tool for people comfortable modding their printers and only BTT and Obico sponsor Klipper. This was a lot less of a problem when we were talking about Marlin printers. Except that if people weren't using Klipper, it's just too damn easy to write a two-piece controller software in the same fashion of Klipper and get the expediency of writing code in Linux instead of in an os-less microcontroller.

tl;dr: there is no safe way to buy a printer with klipper on it, it just looks like it works right now.

[–] cmnybo@discuss.tchncs.de 7 points 15 hours ago

Aaand… IPv6 is great. But unfortunately the way things are now means that giving everything on your network a publicly routable IPv6 address is a very bad idea.

A publicly routable IPv6 address doesn't mean publicly accessible unless you specifically open a port in the firewall. IPv6 privacy extensions, which basically everything uses now, mean that the address changes frequently so individual devices can't be tracked by their IP address.

[–] cmnybo@discuss.tchncs.de 14 points 17 hours ago

If you are worried about it, put them on their own VLAN with no internet access. Set a firewall rule so that only the computer you use to control it can talk to that VLAN.

Unless you added a firewall rule allowing inbound access to the printer's IPv6 address, nothing will be able to make an inbound connection to it from the internet.

[–] mlg@lemmy.world 4 points 15 hours ago* (last edited 15 hours ago) (1 children)

I thought the default firewall rule for IPv6 is to block all incoming traffic? At least it is on my hardware out of box.

Public-facing IPv6 doesn't mean it's externally reachable, it's just how IPv6 works because there is no need for NATing. You can quickly test it by trying to SSH to it to make sure it's not reachable. Otherwise just add a firewall rule that blocks all incoming IPv6.

Anyway if you want to make sure it also doesn't connect to the internet, you could just do the inverse and MAC ban outgoing traffic or put it on a VLAN.

[–] muntedcrocodile@lemm.ee 2 points 13 hours ago (1 children)

The blockage of incoming traffic isn't particularly meaningful. The printer can connect out then establish a reverse connection from that.

[–] 4am@lemm.ee 1 points 5 hours ago* (last edited 5 hours ago)

That is no different from IPv4

EDIT: Also,

The blockage of incoming traffic isn't particularly meaningful.

lol. lmao, even.

[–] quixotic120@lemmy.world 3 points 16 hours ago

Connect it to an isolated VLAN. Having access to a printer on your intranet can be handy, having access from the internet is generally unnecessary. Do you need to check on it from outside your house? If that’s the case then you need to start looking at stuff like Tailscale, but I don’t recommend printing while not at home.

[–] IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com 3 points 17 hours ago (1 children)

make physical real-world actions like:

Send a command to your printer to make something illegal (like a gun), then report you for making an illegal gun.

[–] sic_semper_tyrannis@lemmy.today 1 points 14 hours ago

It's not always illegal to make your own firearm (country depending), you just have to be aware of how to register or serialize it.

[–] Munkisquisher 2 points 16 hours ago (1 children)

I have my prusa connected to my WiFi, but it only serves up a Web page with limited control locally. You can only upload gcode, and start a print if the printer is ready to start. And it's open source so I'd expect the community to have found any issues.

You should monitor its connections at the firewall and see if it's trying to make ANY connections outside your network; there's no reason for it to try making any DNS queries even.

[–] anguo@lemmy.ca 0 points 3 hours ago (1 children)

The Prusa printers have a hard coded IP address for NTP requests. There's no other way to set the time on them. At least it's to a well known public organization in the Czech Republic, but still.

[–] Saik0Shinigami@lemmy.saik0.com 1 points 51 minutes ago

There’s no other way to set the time on them.

Factually wrong. You can do a NAT rule to force it to whatever NTP you want. If you own the network, you can route the packets however you like.

Example from my opnsense config:

Nothing leaves my network on port 123 unless it's my own timeserver serving a response to an external request. (I actually have a proper GPS-based time server, but nothing stops you from just having a normal linux host as a timeserver or something this way either).

I do the same thing with DNS. Force all port 53 and 853 traffic to my own DNS servers. And have a wide firewall block rule for any known DoH servers.
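An added example, not from any commenter in this thread: an nftables ruleset for a Linux router (standing in for the opnsense config mentioned above) that puts the isolation from the cmnybo and mlg comments and the NTP/DNS redirect from this comment into one config. The VLAN interface name, all addresses and the DoH address set are constructed placeholders.

```shell
# Added example (not from the thread): nftables rules for a Linux router that
# isolate a printer VLAN and redirect its NTP/DNS to local servers, mirroring the
# opnsense setup described above. All names/addresses are constructed placeholders.
PRINTER_VLAN_IF="vlan50"        # hypothetical router interface for the printer VLAN
PRINTER_NET="192.168.50.0/24"
CONTROL_HOST="192.168.10.20"    # the one machine allowed to initiate connections to the printer
LOCAL_NTP="192.168.10.5"        # your own time server (port 123)
LOCAL_DNS="192.168.10.5"        # your own resolver (ports 53 and 853)

gen_ruleset() {
cat <<EOF
table inet printer_guard {
    set doh_servers {
        type ipv4_addr
        # constructed placeholders standing in for known DoH resolver addresses
        elements = { 203.0.113.10, 203.0.113.11 }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Rewrite the printer's NTP/DNS destinations, whatever IP its firmware hard-codes.
        iifname "$PRINTER_VLAN_IF" udp dport 123 dnat ip to $LOCAL_NTP
        iifname "$PRINTER_VLAN_IF" udp dport 53 dnat ip to $LOCAL_DNS
        iifname "$PRINTER_VLAN_IF" tcp dport 53 dnat ip to $LOCAL_DNS
        iifname "$PRINTER_VLAN_IF" tcp dport 853 dnat ip to $LOCAL_DNS
    }
    chain forward {
        # Default drop covers both IPv4 and IPv6 (inet family): nothing from the
        # internet can initiate a connection to the printer's public IPv6 address.
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only the control host may open connections into the printer VLAN.
        ip saddr $CONTROL_HOST ip daddr $PRINTER_NET accept
        # After DNAT the printer may reach the local NTP/DNS hosts and nothing else,
        # so it cannot phone home, fetch "updates" or open a reverse tunnel.
        iifname "$PRINTER_VLAN_IF" ip daddr $LOCAL_NTP udp dport 123 accept
        iifname "$PRINTER_VLAN_IF" ip daddr $LOCAL_DNS udp dport 53 accept
        iifname "$PRINTER_VLAN_IF" ip daddr $LOCAL_DNS tcp dport { 53, 853 } accept
        # Direct DoH attempts are dropped by the policy anyway; this rule logs them.
        iifname "$PRINTER_VLAN_IF" ip daddr @doh_servers log prefix "printer-doh: " drop
    }
}
EOF
}

# Dry-run the ruleset through nft when it is installed (needs nft; may need root).
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, skipping check" >&2; return 0; }
    gen_ruleset | nft -c -f -
}
```

Load it with `gen_ruleset | nft -f -` on the router; watch the log prefix to see whether the printer keeps trying DoH resolvers directly.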