AnyCubic fixes exploited 3D printer zero day flaw with new firmware

AnyCubic has released new Kobra 2 firmware to fix a zero-day vulnerability exploited last month to print security warnings on 3D printers worldwide.

At the end of February, AnyCubic printer users began reporting that their Kobra 3D printers were hacked with a print job that warned their devices were vulnerable to a critical vulnerability.

This vulnerability enabled attackers to abuse insecure permissions in the company's MQTT service API to send commands to the printer.

This allowed the attacker to queue a G-code file named 'hacked_machine_readme.gcode,' which, when opened in a text editor, contained a warning that a critical vulnerability had impacted the printers.

"Your machine has a critical vulnerability, posing a significant threat to your security. Immediate action is strongly advised to prevent potential exploitation," the text file reads.

"Feel free to disconnect your printer from the Internet if you don't wanna get hacked by a bad actor. This is just a harmless message. You have not been harmed in any way."

"You should blame anycubic for their mqtt server which allows any valid credential to connect and control your printer via the matt API. Let's just hope anycubic fixes their mqtt server," continued the message.

The researchers claim that they had emailed AnyCube three times about the flaw and were ignored, leading them to take the unorthodox approach of exploiting the flaw to warn printer owners publicly.

"We have attempted to communicate with Anycubic regarding two critical security vulnerabilities we identified, in particoular one can be catastrophic if found by a malicious. Despite our efforts over the past two months, we have not received a single response to our three emails. These vulnerabilities are significant, and we have invested considerable time and effort into addressing them," reads a forum post from the researchers.

"Despite our initial intention to resolve the issue amicably (and we still hope in it), it appears that our concerns have not been taken seriously by Anycubic. Consequently, we are now preparing to disclose these vulnerabilities to the public along with our repo and our tools."

AnyCubic releases a security update

On March 5th, AnyCubic released new firmware for the Kobra 2 Pro/Plus/Max 3D printers with a fix for this zero-day vulnerability.

"We want to inform you that swift action has been taken on our part, and we released a new firmware on March 5th, specifically designed to address the vulnerabilities highlighted," AnyCube told BleepingComputer in an email.

To resolve the issue, AnyCubic says they have strengthened the security verification and authorization/permission management in its MQTT server, which was abused to send the warnings to printers.

The company says they plan to implement the following security measures in future firmware updates, with the next one scheduled for March 13th.

• Implementing network segmentation measures to restrict external access to services
• Conducting regular audits and updates for systems, software, and the MQTT server

For those uncomfortable with your printers accessing AnyCubic's cloud service, the company has provided steps on turning off the WiFi via the printer screen.

While AnyCubic apologizes for the incident, they still have not explained why three emails sent by the security researchers over two months were ignored.