The Spaghetti Detective (TSD), a company that monitors 3D printers remotely to catch potential errors, has issued an apology after a configuration mistake allowed prints to be sent to the wrong devices.
The error, described by founder Kenneth Jiang as ‘a stupid mistake’, let roughly 70 customers access and control each other’s 3D printers. In at least one instance, a user triggered a print on another person’s device.
In a blog post, an apologetic Jiang explained the security incident had come about as a result of attempted optimizations, which were supposed to improve the speed and efficiency of the company’s service.
3D printers go rogue
The problem was made possible by a feature called auto-discovery, which gives customers an easy way to synchronize their printers with their TSD accounts. As Jiang explains, the feature makes use of the fact that devices share the same public IP address when on the same local network.
“When I went through the load-balancer reconfiguration, I made a mistake by missing a configuration to let the load balancer pass the public IP address of the connecting client to the backend TSD server. Instead, the load-balancer would just pass its own IP address to the server,” he wrote.
“As a result, the server got the same IP address of the users who happened to be connecting their printer to TSD at the same time. The server thought they were on the same local network, and hence allowed them to link each other’s printers!”
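The failure Jiang describes can be guarded against in the backend. The sketch below is an added example, not TSD's code: it resolves the client address only from a known proxy, and refuses to match printers when only the proxy's own address is available. The proxy range, the use of the `X-Forwarded-For` header, and all function names are assumptions; the sample addresses are constructed.

```python
import ipaddress

# Assumption: address range of the load balancer (constructed for this example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

class ClientIPUnavailable(Exception):
    """Only the proxy's address is known, not the client's."""

def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def resolve_client_ip(peer_ip, forwarded_for=None):
    """peer_ip: TCP peer seen by the backend; forwarded_for: X-Forwarded-For value."""
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted_proxy(peer):
        return str(peer)  # direct connection: ignore client-supplied headers
    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own proxies.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed header: treat as missing
        if not _is_trusted_proxy(addr):
            return str(addr)
    # The failure mode in the incident: the proxy passed no client address.
    raise ClientIPUnavailable("proxy did not forward a client address")

def same_network_candidates(requester, pending_printers):
    """requester: (peer_ip, forwarded_for); pending_printers: [(id, peer_ip, forwarded_for)]."""
    try:
        me = resolve_client_ip(*requester)
    except ClientIPUnavailable:
        return []  # fail closed: offer no printers rather than match on the proxy IP
    matches = []
    for printer_id, peer, xff in pending_printers:
        try:
            if resolve_client_ip(peer, xff) == me:
                matches.append(printer_id)
        except ClientIPUnavailable:
            continue  # this printer's real address is unknown: never a match
    return matches
```

With the header missing, every connection appears to come from the load balancer; this version returns an empty candidate list in that case instead of treating all concurrent users as one local network.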
Jiang says the security hole was live for about eight hours, but has since been closed off. All 73 affected users have also been notified.
Although the likelihood that all 73 were attempting to link their 3D printers at the same time is low, The Spaghetti Detective also took additional precautionary steps, including turning off auto-discovery and disabling remote access for affected customers.
“I don’t want to sugar-coat this. This is a serious security vulnerability,” said Jiang. “My sincere apologies to our community for this horrible mistake.”