Users of a popular 3D printer were recently faced with a threatening message on their devices: Disconnect the device from the Internet or face the consequences. Apparently the devices contain a serious security vulnerability that could be abused in various ways.
Users of the Anycubic 3D printer flocked to Reddit to share their experiences of receiving an unwanted message via their device. The message was called “hacked-machine_readme” and claimed that the device had a “critical security flaw.” To “prevent possible exploitation,” users should disconnect their devices from the Internet, the notice says.
“This is just a harmless message. You have not been harmed in any way,” the statement concludes.
Three million messages
According to the alert, the printers have an unspecified vulnerability in Anycubic’s MQTT service that can apparently be used to “connect and control” internet-connected 3D printers. MQTT is described as a “lightweight publish-subscribe machine-to-machine network protocol for message queuing/message queuing services.”
It is designed to connect to remote devices with limited network bandwidth or other constraints (which fits the description of an average IoT device).
“What can be done? “Well, I could give your entire printer to RM, but I don’t feel like wasting your prints or filaments that you spent real money on,” the message reads. “It’s also possible to build a startup script into the printer, but I haven’t done that yet. Let’s just hope Anycubic fixes its MQTT server. Please also Anycubic, make the printer open source.”
The author of the message concluded that it was sent to 2.8 million devices.
There was no mention of this incident on Anycubic’s website or Twitter account as of press time. A Reddit forum administrator responded to one of the threads and said the company was investigating the matter.
Via TechCrunch