
Anycubic reports a security problem with the MQTT service on the Kobra 2 Pro / Plus / Max


PPAC


Greetings!

 

Some users have found a file "hacked_machine_readme.gcode" on their machine.

[Image: the hacked message everyone is getting for Anycubic]

Image source: https://www.reddit.com/r/anycubic/comments/1b1t8k5/hacked_message_everyone_is_getting_for_anycubic/

 

Roughly, from what I understood, in the firmware of the Kobra 2 Pro/Plus/Max,

a security flaw in the MQTT service (the connection to the Anycubic Cloud) allowed "hackers" to upload a ".txt" file from a server other than Anycubic Cloud's, and to rename it while changing the extension to ".gcode", on several machines connected to Wi-Fi.

 

Anycubic does not really give any more details.

It suggests possibly disabling the Wi-Fi and waiting for the next firmware update, which should arrive on 05/03/2024 to fix this.

 

https://www.facebook.com/ANYCUBIC3dprinter/posts/pfbid02iT2dHeyrA1rY2Hr27oytvtCsvhucPjQNWYMZFzDMCUnVNDwh5wEu4Vx5mNDJSEFnl -> https://store.anycubic.com/blogs/news/security-issue-of-anycubic-cloud

Quote

Security Issue of Anycubic Cloud

Dear Anycubic Users,

First of all, we sincerely apologize for the cloud security issue that happened to our customers. This is our responsibility and we are truly sorry for the late response.

What Happened?

On February 26th (UTC-5), we received a user's email reminding us of the vulnerabilities of the MQTT server of Anycubic.

On February 27th (UTC-5), multiple users reported the presence of "hacked_machine_readme.gcode" on the screen of their Anycubic Kobra 2 Pro/Plus/Max.

As of the time of this statement, a total of 237 devices have been affected. Preliminary findings suggest that over 2,000 devices have received this file.

Upon investigating the logs customers sent to us, it was found that these printers received remote commands to download "message.txt" documents from another cloud server (not Anycubic server) and rename the "message.txt" to "hacked_machine_readme.gcode".

We confirm that this incident was caused by a third party using a security vulnerability of the MQTT server to access users' printers.

How Do We Plan To Solve This?

We have undertaken the following measures:

  • Strengthened the security verification steps of the cloud server
  • Strengthened authorization/permission management in the cloud server
  • Currently improving the security verification of firmware (new firmware will be available on the official website by March 5th.)

Further steps:

  • Implementing network segmentation measures to restrict external access to services
  • Conducting regular audits and updates for systems, software, and the MQTT server

What Should Customers Do?

If you find the "hacked_machine_readme.gcode" file on the screen, please note that this file is harmless and can be manually deleted through the printer's screen.

If you find the "hacked_machine_readme.gcode" file on the USB drive, please delete the file using your PC.

If the "hacked_machine_readme.gcode" file is not found on the printer, you are good to use the printer, and the cloud service can also be used normally.

For those who feel uncomfortable with the cloud service, you can easily disable the WiFi via the printer's screen. ("how to disable the WiFi" shown below)

Further recommendation:

  • Kobra 2 Pro/Plus/Max users, please download and update the new firmware from this page; the OTA update is optional.
  • Avoid downloading firmware updates from unknown sources.
  • Users who use USB sticks are advised to conduct an antivirus scan on their PC.

We understand the widespread concern on this issue. We are responsible for the issue's occurrence and assure users that addressing it is our utmost priority. The Anycubic team is ready to assist in resolving the matter. If you have encountered the mentioned issue, you can contact us directly by sending an email to service@anycubic3d.com. Our team will respond as soon as possible.

We Are Open For Suggestion

We deeply apologize for the inconvenience caused to our users. We welcome any suggestions, and if you have any input regarding vulnerabilities or other concerns, please feel free to send them to feedback@anycubic.com. Your suggestions are highly valuable to Anycubic for continuous improvement.

Since cloud services are widely used nowadays, we are actively seeking professional cloud security solutions to enhance the security of Anycubic's cloud platform.

More information will be shared on our official website.

Best regards,

Anycubic Team

 

Since the firmware of the "Kobra 2 Pro/Plus/Max" offers no SSH access, it is impossible to know whether this exploit/hack is limited only to the ability to create files in the destination folder for print files (and so possibly fill up the free space, or place and launch a print file with g-code instructions that could possibly "damage" the printer).

 

Addition >

In addition, found on the PolyWorkshop Discord server (invitation https://discord.gg/K8GkMMxGzm )

https://discord.com/channels/481927147498242054/606038105476169745/1212800944945893447 

Quote

Thomas, yesterday at 17:37

@everyone if you have an Anycubic printer, you are invited to disconnect it from the network... https://www.bleepingcomputer.com/news/security/anycubic-3d-printers-hacked-worldwide-to-expose-security-flaw/ (info from @Jotho )

-> https://www.bleepingcomputer.com/news/security/anycubic-3d-printers-hacked-worldwide-to-expose-security-flaw/

(excerpt)

Quote

According to a wave of online reports from Anycubic customers, someone hacked their 3D printers to warn that the devices are exposed to attacks.

The person behind this incident added a hacked_machine_readme.gcode file to their devices—a file that usually contains 3D printing instructions—alerting the affected users that their printer is impacted by a critical security bug.

This vulnerability allegedly enables potential attackers to control any Anycubic 3D printer affected by this vulnerability using the company's MQTT service API.

The file received by the impacted devices also asks Anycubic to open-source their 3D printers because the company's software "is lacking."

"Your machine has a critical vulnerability, posing a significant threat to your security. Immediate action is strongly advised to prevent potential exploitation," the text file reads.

"Feel free to disconnect your printer from the Internet if you don't wanna get hacked by a bad actor. This is just a harmless message. You have not been harmed in any way."

[Image: Hacked Anycubic 3D printer (Mr_0verwrite)]

"You should blame anycubic for their mqtt server which allows any valid credential to connect and control your printer via the mqtt API. Let's just hope anycubic fixes their mqtt server."

According to the same text file, 2,934,635 devices downloaded this warning message via the vulnerable API.

Customers who received this warning message are advised to disconnect their printers from the Internet until the company patches the security issue.

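The weakness the excerpt above describes (any valid credential could control any printer through the MQTT API) is an authorization problem rather than an authentication one. As an added example, not code from this thread or from Anycubic, here is a broker-side check that ties each identity to its own device's topics; the topic layout "anycubic/<device_id>/cmd|status" and the identity names are assumptions.

```python
# Added example (not Anycubic's code, not from the original post): a broker-side
# authorization model for printer command topics. The topic layout
# "anycubic/<device_id>/cmd|status" and the identity names are assumptions.
from dataclasses import dataclass, field

@dataclass
class Identity:
    name: str                                   # client id as authenticated by the broker
    kind: str                                   # "device" (a printer) or "user" (an app account)
    devices: set = field(default_factory=set)   # device ids a user account owns

# Permissions each kind of identity legitimately needs on a device's topics.
DEVICE_RIGHTS = {("subscribe", "cmd"), ("publish", "status")}
USER_RIGHTS = {("publish", "cmd"), ("subscribe", "status")}

def parse_topic(topic):
    """Return (device_id, leaf) for 'anycubic/<device_id>/<leaf>', else None.
    Wildcards ('+', '#') are never a valid device id, so 'anycubic/+/cmd' and
    'anycubic/#' are rejected instead of matching every printer."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "anycubic" or any(c in parts[1] for c in "+#"):
        return None
    return parts[1], parts[2]

def weak_authorize(identity, action, topic):
    """The failure mode described above: holding *a* valid credential is
    treated as permission to act on *any* printer's topics."""
    return identity is not None

def scoped_authorize(identity, action, topic):
    """Authorization tied to the device named in the topic: a printer may only
    read its own command topic and report its own status; a user account may
    only command and observe printers it owns."""
    parsed = parse_topic(topic)
    if identity is None or parsed is None:
        return False
    device, leaf = parsed
    if identity.kind == "device":
        return identity.name == device and (action, leaf) in DEVICE_RIGHTS
    if identity.kind == "user":
        return device in identity.devices and (action, leaf) in USER_RIGHTS
    return False

if __name__ == "__main__":
    # Constructed sample identities: "mallory" owns a different printer than the target.
    stranger = Identity("mallory", "user", {"kobra-9999"})
    print(weak_authorize(stranger, "publish", "anycubic/kobra-0001/cmd"))    # True: the bug
    print(scoped_authorize(stranger, "publish", "anycubic/kobra-0001/cmd"))  # False
```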


As promised by Anycubic, firmware version 3.1.0 for the Kobra 2 Pro/Plus/Max is available and should fix the security flaw.

https://discord.com/channels/966957505580236851/1041537291086209064/1214557329094344824

Quote

Anycubic Community, yesterday at 13:57
Hi Guys,
We have just updated the firmware for the Kobra 2 series on the security issue with Anycubic Cloud that occurred earlier. Please check the details here: https://store.anycubic.com/blogs/news/security-issue-of-anycubic-cloud

https://store.anycubic.com/blogs/news/security-issue-of-anycubic-cloud

Quote

Firmware Upgrades - March 5, 2024

The 3.1.0 Firmware Updates

Key Changes:

  1. Enhanced security verification for file downloads.
  2. Strengthened security measures for server connections.

For a secure firmware upgrade experience, this update will be conducted through OTA upgrades. Please find the firmware updates for your specific model:

Upgrade Instructions:

  • For firmware versions below 3.0.3, users will first receive an upgrade prompt for version 3.0.3. After upgrading to version 3.0.3, another prompt for the 3.1.0 firmware upgrade will follow. Once the 3.1.0 upgrade is completed, normal usage can resume.
  • For firmware versions equal to or higher than 3.0.3, users will directly receive the upgrade prompt for version 3.1.0. Click on the firmware upgrade option, and once the upgrade is completed, normal usage can resume.

Future Plans:

We will continue to focus on security issues related to printer usage, implementing additional protective mechanisms. We have scheduled comprehensive security testing to encounter the newly identified issues. The next firmware update is anticipated to be completed by March 13th, and we will then proceed with upgrades to both the server and firmware.


 


2 weeks later...
Posted (edited)

Another firmware update for the Kobra 2 Pro / Plus / Max, version 3.1.2, to secure things even better...

https://store.anycubic.com/blogs/news/security-issue-of-anycubic-cloud

Quote

Firmware Update - March 15, 2024

1. This firmware upgrade includes two significant security enhancements:

  • Rectification of an issue that could potentially result in unexpected deletion of firmware files.
  • Elimination of unnecessary instructions to bolster overall system security.

Please refer to the following links for firmware updates tailored to your specific model:

2. Firmware Upgrade 3.1.2 Notes:

In the course of addressing security vulnerabilities, we received proactive engagement from reverse engineers who provided invaluable technical support, expediting the resolution process. This collaborative effort led to:

  • Identification and mitigation of the vulnerability allowing potential illegal access to the MQTT server for the transmission of abnormal commands.
  • Identification and resolution of hazardous commands embedded within the firmware.

This incident underscores the importance of fortifying our focus on device security. We are committed to maintaining open communication channels and continually enhancing product quality in response.

Happy updating to those who have a Kobra 2 Pro / Plus / Max.

(Don't forget to redo the auto Z-offset (Tools -> Control -> Auto-Level) and possibly an auto-leveling after the update.)

Edited by PPAC

Posted (edited)

Actually, for me, the most disturbing thing

is that (it seems) the "nice hacker(s)" and/or those who had discovered the vulnerability had informed Anycubic quite some time ago. But Anycubic (it seems) had not reacted.
( Cf. https://klipper.discourse.group/t/printer-cfg-for-anycubic-kobra-2-plus-pro-max/11658/202 )

And, moreover, since Anycubic still has not (to my knowledge, as of today) released the source code of the "Kobra 2 *" firmware, and there is no possible SSH connection to the OS, one cannot really/simply check whether or not there are other flaws, nor modify anything in the Klipper config files or on the OS.

Edited by PPAC: spelling.
