50,000 3D printers threatened with hacking

Breach notification, Identity and access management, Security operations

Exposed OAuth tokens have since been revoked, mitigating takeover threat

Jeremy Kirk (jeremy_kirk) •
October 18, 2021

MakerBot Replicator 3D Printer

A data breach affecting MakerBot’s Thingiverse 3D printing repository website is far bigger than the company has admitted, claims a former employee.

The breach likely affects more than 2 million people whose usernames, at a minimum, were leaked, says TJ Horner, a software engineer and security enthusiast who analyzed the data. Horner worked at MakerBot until last year.

Horner says the data also includes OAuth tokens that until recently could have been used to remotely access 5th Gen and later MakerBot printers. These printers have video cameras, so Horner found it was also possible to view their video feeds, including the feed from Horner’s own MakerBot Method X printer.

Horner’s MakerBot Method X printer and its video feed could be accessed using the leaked OAuth tokens.

Additional harm would have been possible. A malicious attacker could have sent the wrong schematic to a 3D printer, which could, for example, have damaged the printer’s stepper motors, says Horner. The tokens also granted read and write access to the user’s Thingiverse account.

These OAuth tokens have now been invalidated by MakerBot, says Horner.

MakerBot claims fewer than 500 users were affected by the data breach. The company also said the breach consisted of non-production, non-sensitive information that was primarily test data, and it maintains that all affected users have been notified.

But MakerBot’s numbers have been disputed not only by Horner but also by Troy Hunt, creator of the free Have I Been Pwned data breach notification site, which alerts subscribers whenever their email address appears in a known breach. Hunt’s service sent 10,646 notifications to subscribers who were affected by the Thingiverse breach. In total, Hunt says the breach exposed 228,000 unique email addresses, which he loaded into Have I Been Pwned.

Hunt, who uses Thingiverse for his own projects, expressed frustration with the difficulty of alerting MakerBot and Thingiverse to the breach, as well as the company’s continued lack of full disclosure.

“What I find most remarkable about the incident is not the breach itself, but the handling,” says Hunt, citing “MakerBot’s failure to be transparent and honest about the impact and reach.”

MakerBot officials could not immediately be reached for comment on Horner’s findings. On Friday, Information Security Media Group alerted MakerBot to the exposed authentication tokens, and the company later invalidated the tokens.

MySQL database leak

Thingiverse is a website where users share digital designs for objects that can be produced on 3D printers. Although the site is popular, some critics have alleged that its infrastructure has not been kept sufficiently up to date.

The breach happened after someone using the nickname Pompompurin discovered that Thingiverse had left a 36GB MySQL database exposed to the internet in an Amazon S3 bucket. The data then appeared on a well-known forum for trading breached data (see Thingiverse data leak affects 228,000 subscribers).

The exposed data includes email addresses, IP addresses, usernames, physical addresses, full names, direct messages between users, and moderation logs. There are also SHA1 hashes of passwords as well as bcrypt hashes. For years, security experts have warned that the SHA1 hashing algorithm should not be used for storing passwords, because the hashes it generates are relatively easy to brute-force to recover the passwords in the clear.

Horner, who was previously a full-stack software engineer at MakerBot, carefully reviewed the exposed data. The data is an October 2020 snapshot of the Thingiverse staging MySQL database. But Horner notes that the staging database also contains a full copy of the production database.

The production data extends through May 15, 2018, and contains a total of 2,079,011 users, says Horner. Horner also shared a hypothesis as to why MakerBot may have underestimated the number of affected users.

When the production data was imported, MakerBot rewrote those more than 2 million email addresses, says Horner. This probably caused the information to look like test data when it was in fact real data.

As a result, the affected users were not notified. Horner says MakerBot should correlate the affected user IDs in the staging database with those in the production database, and then send a notification to the email addresses associated with the user IDs found in the staging data.

Should that not happen, Horner has also created a tool that lets people check whether they are affected by the breach.
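The two remediation points above (the SHA1 versus bcrypt hashes in the dump, and re-linking rewritten staging emails to production user IDs for notification) as an added, constructed Python triage example; this is not code from MakerBot, Horner or Hunt, and the sample rows, the `@example.invalid` rewrite pattern and the bcrypt-shaped placeholders are assumptions made up for the illustration.

```python
import hashlib
import re

# Hash formats the article says were in the dump: hex SHA1 and bcrypt strings.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Constructed sample rows (not from the real dump). Assumption, following
# Horner's hypothesis: the staging import rewrote real emails to a fake domain.
STAGING_USERS = [
    {"id": 1, "username": "alice", "email": "alice@example.invalid",
     "password": hashlib.sha1(b"password").hexdigest()},  # legacy SHA1 hash
    {"id": 2, "username": "bob", "email": "bob@example.invalid",
     "password": "$2b$12$" + "C" * 53},                    # bcrypt-shaped placeholder
    {"id": 99, "username": "qa-dummy", "email": "qa@example.invalid",
     "password": "$2b$12$" + "D" * 53},                    # genuine staging-only test account
]
PRODUCTION_USERS = [
    {"id": 1, "email": "alice@example.com"},
    {"id": 2, "email": "bob@example.org"},
    {"id": 3, "email": "carol@example.net"},  # not present in the leaked staging snapshot
]


def classify_hash(stored: str) -> str:
    """Return 'sha1', 'bcrypt' or 'unknown' for a stored password hash."""
    if SHA1_RE.match(stored):
        return "sha1"
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    return "unknown"


def build_notification_list(staging, production):
    """Join leaked staging rows to production rows on user id.

    Staging rows with no production counterpart are real test accounts and are
    skipped; everyone else gets their real address from production plus a flag
    forcing a password reset unless the stored hash is already bcrypt."""
    real_email_by_id = {row["id"]: row["email"] for row in production}
    notices = []
    for row in staging:
        real_email = real_email_by_id.get(row["id"])
        if real_email is None:
            continue
        notices.append({
            "id": row["id"],
            "email": real_email,
            "force_reset": classify_hash(row["password"]) != "bcrypt",
        })
    return notices
```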

Vulnerable printers

A perhaps surprising aspect of the breach is that it exposed not only user details but also OAuth tokens for individual 3D printers. MakerBot has not publicly disclosed that these tokens were leaked, although they have since been invalidated, meaning the leak should no longer pose a risk.

OAuth tokens for Horner’s MakerBot Method X 3D printer were among the hacked data.

At MakerBot, Horner’s development work included maintaining the internet connectivity software on the roughly 50,000 3D printers the company had sold. This group of printers would have been vulnerable to takeover because of this data breach, says Horner.

“Anyone with one of these compromised tokens has full control over the printer if it is connected to the internet,” says Horner.

Horner says the affected printers would have included the Replicator 5th Gen, Replicator Mini, Replicator Z18, Replicator+, Replicator Mini+, all Method series printers, and MakerBot Sketch.

OAuth tokens for Horner’s MakerBot Method X 3D printer were in the data, and at the time – before being invalidated – they still worked with the Thingiverse API and with Thingiverse’s remote printer access API, called Reflector, explains Horner. Querying the APIs with a token returned the list of printers that the token’s user was authorized to access, Horner explains.