Howdy, folks!
I’m teetering on the brink of connecting my Sovol3D S06 ACE to my wireless network, but I’m pausing because this device can make physical real-world actions like:
- record photos and videos using its built-in camera
- shaking so much that it manages to knock itself on the floor
- melting so much plastic that it dribbles all over itself and then all over everything around and beneath it
- consume lots of electricity and cost me a fortune on my utilities bill
- burn the house down
None of this happens in normal usage, of course, but watching it self-calibrate did make me wonder:
- how safe the firmware is?
- is it retrieving instructions from Sovol3D or some other party by itself?
- is it sending records of my print jobs to a 3rd party?
- is it sending photos and videos to a 3rd party?
- how safe the firmware is once its receiving arbitrary network traffic?
All IPv4 traffic from the internet goes through a NAT/firewall that I conceivable control, but my devices all get public-facing IPv6 addresses, and the default SSH password on all of these printers is publicly-documented
It looks like the Sovol3D S06 ACE firmware is https://www.klipper3d.org/ + https://www.obico.io/ + some unknown amount of stuff that Sovol3D adds on top, and it doesn’t seem like they’ve kept the public source code up-to-date: https://github.com/Sovol3d/SV06-ACE
I do already self-host https://www.home-assistant.io/ and plan to integrate the 3D printer with it, avoiding any cloud behaviour as much as possible, but I’m wondering if anyone else has already done this and has any advice on what to avoid?
Cheers! <3
You must log in or register to comment.
If you really control the firewall, you should know to block all inbound traffic by default.
It doesn’t matter if it’s IPv4 or IPv6; NAT is not a security protocol and it doesn’t protect you.
I can think of no compelling reason whatsoever to have my printer exposed to the outside internet. If I have to get at it remotely that’s what my VPN is for.
Connected to the internet or just connected to your network?
Connect it to your network and use an invalid IP as your gateway and it shouldn’t go out of your network.
IoT devices are, to be quite honest, a shitshow. Where your Sovol counts as such.
Either the device needs to call upstream to get updates or it’s going to ship with a security bug that can be exploited. Or, in may cases, it’ll have an unpatched security vulnerability and it’ll call upstream to get updates.
It costs money to keep the necessary cloud infrastructure in place, both in terms of hosting costs as well as devops time. Either they will eventually need to brick the device, leave it unpatched forever, charge you some maintenance fee, go bankrupt, or fund the whole thing by selling your data.
It’s not hard to write a bot that would scan for signs of a Sovol printer, try the default SSH password, and do nefarious things. And people are generally really bad about the default SSH password regardless.
There’s not really a good answer here for IoT devices. There’s not even a really great answer for home brew IoT devices with the thing where Home Assistant’s reverse-tunnel service had a nasty vulnerability that let you remote HA instances.
Aaand… IPv6 is great. But unfortunately the way things are now means that giving everything on your network a publicly routable IPv6 address is a very bad idea.
Klipper provides a lot of protections but all of that hinges on the microcontroller, so presumably an attacker can upload a substitute firmware using the update mechanism that would go full send on the heaters, which has the potential to actually melt some things.
The problem is that if you want Klipper, you need a full Linux. This is not actually a problem for the Klipper devs, mind you, because they wrote a cool tool for people comfortable modding their printers and only BTT and Obico sponsor Klipper. This was a lot less of a problem when we were talking about Marlin printers. Except that if people weren’t using Klipper, it’s just too damn easy to write a two-piece controller software in the same fashion of Klipper and get the expediency of writing code in Linux instead of in an os-less microcontroller.
tl;dr: there is no safe way to buy a printer with klipper on it, it just looks like it works right now.
Aaand… IPv6 is great. But unfortunately the way things are now means that giving everything on your network a publicly routable IPv6 address is a very bad idea.
A publicly routable IPv6 address doesn’t mean publicly accessible unless you specifically open a port in the firewall. IPv6 privacy extensions, which basically everything uses now, means than the address changes frequently so individual devices can’t be tracked by their IP address.
If you are worried about it, put them on their own VLAN with no internet access. Set a firewall rule so that only the computer you use to control it can talk to that VLAN.
Unless you added a firewall rule allowing inbound access to the printer’s IPv6 address, nothing will be able to make an inbound connection to it from the internet.
I thought the default firewall rule for IPv6 is to block all incoming traffic? At least it is on my hardware out of box.
Public facing IPv6 doesn’t means its externally reachable, its just how IPv6 works because there is no need for NATing. You can quickly test it by trying to SSH to it to make sure its not reachable. Otherwise just add a firewall rule that block all incoming IPv6.
Anyway if you want to make sure it also doesn’t connect to the internet, you could just do the inverse and MAC ban outgoing traffic or put it on a VLAN.
@jokeyrhyme I don’t let mine outside the firewall and keep my security patches up to date.
Safe as any other IP equipped device but only a fool let’s hardware you don’t trust on the internet
Connect it to an isolated vlan. Having access to a printer on your intranet can be handy, having access from the internet is generally unnecessary. Do you need to check on it from outside your house? If that’s the case then you need to start looking at stuff like tailscale but i don’t recommend printing while not at home
make physical real-world actions like:
Send a command to your printer to make something illegal (like a gun), then report you for making an illegal gun.
It’s not always illegal to make your own firearm (country depending), you just have to be aware of how to register or serialize it.
I have my prusa connected to my WiFi, but it only serves up a Web page with limited control locally. You can only upload gcode, and start a print if the printer is ready to start. And it’s open source so I’d expect the community to have found any issues.
You should monitor it’s connections at the firewall and see if it’s trying to make ANY connections outside your network, no reason for it to try making any dns queries even.
The Prusa printers have a hard coded IP address for NTP requests. There’s no other way to set the time on them. At least it’s to a well known public organization in the Czech Republic, but still.
There’s no other way to set the time on them.
Factually wrong. You can do a NAT rule to force it to whatever NTP you want. If you own the network, you can route the packets however you like.
Example from my opnsense config:
Nothing leaves my network on port 123 unless it’s my own timeserver serving a response to an external request. (I actually have a proper GPS-based time server, but nothing stops you from just having a normal linux host as a timeserver or something this way either).
I do the same thing with DNS. Force all port 53 and 853 traffic to my own DNS servers. And have a wide firewall block rule for any known DoH servers.
Fair enough, I should have said that there’s no other built-in way to set the time on them.
I work with 3d printers in a school that uses its own NTP server and blocks other requests. The only way I managed to set the time on the machines sort of using a raspberry pi or something, was to connect them to my phone’s hotspot.
@jokeyrhyme there was a problem last year where Bambu Labs accidentally told people’s printers to start printing some random object in the middle of the night.
Users expressed similar concerns.
I simply don’t leave mine on when I’m not using it.
@jokeyrhyme yup. I won’t ever set mine up like that.
