Howdy, folks!
I’m teetering on the brink of connecting my Sovol3D S06 ACE to my wireless network, but I’m pausing because this device can make physical real-world actions like:
- record photos and videos using its built-in camera
- shaking so much that it manages to knock itself on the floor
- melting so much plastic that it dribbles all over itself and then all over everything around and beneath it
- consume lots of electricity and cost me a fortune on my utilities bill
- burn the house down
None of this happens in normal usage, of course, but watching it self-calibrate did make me wonder:
- how safe the firmware is?
- is it retrieving instructions from Sovol3D or some other party by itself?
- is it sending records of my print jobs to a 3rd party?
- is it sending photos and videos to a 3rd party?
- how safe the firmware is once its receiving arbitrary network traffic?
All IPv4 traffic from the internet goes through a NAT/firewall that I conceivable control, but my devices all get public-facing IPv6 addresses, and the default SSH password on all of these printers is publicly-documented
It looks like the Sovol3D S06 ACE firmware is https://www.klipper3d.org/ + https://www.obico.io/ + some unknown amount of stuff that Sovol3D adds on top, and it doesn’t seem like they’ve kept the public source code up-to-date: https://github.com/Sovol3d/SV06-ACE
I do already self-host https://www.home-assistant.io/ and plan to integrate the 3D printer with it, avoiding any cloud behaviour as much as possible, but I’m wondering if anyone else has already done this and has any advice on what to avoid?
Cheers! <3
IoT devices are, to be quite honest, a shitshow. Where your Sovol counts as such.
Either the device needs to call upstream to get updates or it’s going to ship with a security bug that can be exploited. Or, in may cases, it’ll have an unpatched security vulnerability and it’ll call upstream to get updates.
It costs money to keep the necessary cloud infrastructure in place, both in terms of hosting costs as well as devops time. Either they will eventually need to brick the device, leave it unpatched forever, charge you some maintenance fee, go bankrupt, or fund the whole thing by selling your data.
It’s not hard to write a bot that would scan for signs of a Sovol printer, try the default SSH password, and do nefarious things. And people are generally really bad about the default SSH password regardless.
There’s not really a good answer here for IoT devices. There’s not even a really great answer for home brew IoT devices with the thing where Home Assistant’s reverse-tunnel service had a nasty vulnerability that let you remote HA instances.
Aaand… IPv6 is great. But unfortunately the way things are now means that giving everything on your network a publicly routable IPv6 address is a very bad idea.
Klipper provides a lot of protections but all of that hinges on the microcontroller, so presumably an attacker can upload a substitute firmware using the update mechanism that would go full send on the heaters, which has the potential to actually melt some things.
The problem is that if you want Klipper, you need a full Linux. This is not actually a problem for the Klipper devs, mind you, because they wrote a cool tool for people comfortable modding their printers and only BTT and Obico sponsor Klipper. This was a lot less of a problem when we were talking about Marlin printers. Except that if people weren’t using Klipper, it’s just too damn easy to write a two-piece controller software in the same fashion of Klipper and get the expediency of writing code in Linux instead of in an os-less microcontroller.
tl;dr: there is no safe way to buy a printer with klipper on it, it just looks like it works right now.
A publicly routable IPv6 address doesn’t mean publicly accessible unless you specifically open a port in the firewall. IPv6 privacy extensions, which basically everything uses now, means than the address changes frequently so individual devices can’t be tracked by their IP address.