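% Rossel et al., USENIX Security 2025: G-Code attack surface of 3D printers.
% Names are kept in a singly-braced "Last, First and ..." list so each author is parsed
% on its own; a doubly-braced list is read as one indivisible name.
% NOTE(review): no DOI, URL or publisher is recorded for this entry; add them if available.
@inproceedings{58657,
  abstract     = {The rapid growth of 3D printing technology has transformed a wide range of industries, enabling the on-demand production of complex objects, from aerospace components to medical devices. However, this technology also introduces significant security challenges. Previous research highlighted the security implications of G-Codes—commands used to control the printing process. These studies assumed powerful attackers and focused on manipulations of the printed models, leaving gaps in understanding the full attack potential.

In this study, we systematically analyze security threats associated with 3D printing, focusing specifically on vulnerabilities caused by G-Code commands. We introduce attacks and attacker models that assume a less powerful adversary than traditionally considered, broadening the scope of potential security threats. Our findings show that even minimal access to the 3D printer can result in significant security breaches, such as unauthorized access to subsequent print jobs or persistent misconfiguration of the printer. We identify 278 potentially malicious G-Codes across the attack categories Information Disclosure, Denial of Service, and Model Manipulation. Our evaluation demonstrates the applicability of these attacks across various 3D printers and their firmware. Our findings underscore the need for a better standardization process of G-Codes and corresponding security best practices.},
  author       = {Rossel, Jost and Mladenov, Vladislav and Wördenweber, Nico and Somorovsky, Juraj},
  booktitle    = {Proceedings of the 34th {USENIX} Security Symposium},
  location     = {Seattle, WA, USA},
  pages        = {1867--1885},
  title        = {Security Implications of Malicious {G-Codes} in {3D} Printing},
  year         = {2025},
}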

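% Sri Ramulu et al., ACM CCS 2025 poster on researchers' experiences with vulnerability disclosure.
% Multi-word surnames stay in comma form ("Sri Ramulu, Harshini") so they are not split.
% NOTE(review): no page range or location is recorded for this entry; add them if available.
@inproceedings{62738,
  abstract     = {Vulnerability disclosures are necessary to improve the security of our digital ecosystem. However, they can also be challenging for researchers: it may be hard to find out who the affected parties even are, or how to contact them. Researchers may be ignored or face adversity when disclosing vulnerabilities. We investigate researchers' experiences with vulnerability disclosures, extract best practices, and make recommendations for researchers, institutions that employ them, industry, and regulators to enable effective vulnerability disclosures.},
  author       = {Sri Ramulu, Harshini and Rotthaler, Anna Lena and Rossel, Jost and Gonzalez Rodriguez, Rachel and Wermke, Dominik and Fahl, Sascha and Kohno, Tadayoshi and Somorovsky, Juraj and Acar, Yasemin},
  booktitle    = {Proceedings of the 2025 {ACM} {SIGSAC} Conference on Computer and Communications Security},
  keywords     = {software vulnerabilities, vulnerability disclosure, security research},
  publisher    = {ACM},
  title        = {Poster: Computer Security Researchers' Experiences with Vulnerability Disclosures},
  doi          = {10.1145/3719027.3760723},
  year         = {2025},
}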

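% Pottebaum et al., IEEE EuroS&PW 2023: human factors as part of Defense-in-Depth for
% Industrial Control Systems, with an Additive Manufacturing example.
% The ampersand in the workshop acronym is escaped in booktitle; a bare "&" is a LaTeX
% alignment character and breaks the bibliography when the field is typeset.
@inproceedings{46500,
  abstract     = {The security of Industrial Control Systems is relevant both for reliable production system operations and for high-quality throughput in terms of manufactured products. Security measures are designed, operated and maintained by different roles along product and production system lifecycles. Defense-in-Depth as a paradigm builds upon the assumption that breaches are unavoidable. The paper at hand provides an analysis of roles, corresponding Human Factors and their relevance for data theft and sabotage attacks. The resulting taxonomy is reflected by an example related to Additive Manufacturing. The results assist in both designing and redesigning Industrial Control System as part of an entire production system so that Defense-in-Depth with regard to Human Factors is built in by design.},
  author       = {Pottebaum, Jens and Rossel, Jost and Somorovsky, Juraj and Acar, Yasemin and Fahr, René and Arias Cabarcos, Patricia and Bodden, Eric and Gräßler, Iris},
  booktitle    = {2023 {IEEE} {European} Symposium on Security and Privacy Workshops ({EuroS\&PW})},
  keywords     = {Defense-in-Depth, Human Factors, Production Engineering, Product Design, Systems Engineering},
  location     = {Delft, Netherlands},
  pages        = {379--385},
  publisher    = {IEEE},
  title        = {Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth},
  doi          = {10.1109/eurospw59978.2023.00048},
  year         = {2023},
}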

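% Rossel, Mladenov and Somorovsky, RAID 2023: security analysis of the 3MF data format
% (352 tests, 20 applications evaluated with the open-source 3MF Analyzer).
% NOTE(review): "(dex)", "(uis)" and "(tool)" in the abstract look like unexpanded macro
% names left over from the paper source; confirm against the published abstract.
% NOTE(review): no page range is recorded for this entry; add it if available.
@inproceedings{48012,
  abstract     = {3D printing is a well-established technology with rapidly increasing usage scenarios both in the industry and consumer context. The growing popularity of 3D printing has also attracted security researchers, who have analyzed possibilities for weakening 3D models or stealing intellectual property from 3D models. We extend these important aspects and provide the first comprehensive security analysis of 3D printing data formats. We performed our systematic study on the example of the 3D Manufacturing Format (3MF), which offers a large variety of features that could lead to critical attacks. Based on 3MF’s features, we systematized three attack goals: Data Exfiltration (dex), Denial of Service, and UI Spoofing (uis). We achieve these goals by exploiting the complexity of 3MF, which is based on the Open Packaging Conventions (OPC) format and uses XML to define 3D models. In total, our analysis led to 352 tests. To create and run these tests automatically, we implemented an open-source tool named 3MF Analyzer (tool), which helped us evaluate 20 applications.},
  author       = {Rossel, Jost and Mladenov, Vladislav and Somorovsky, Juraj},
  booktitle    = {Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses},
  keywords     = {Data Format Security, 3D Manufacturing Format, 3D Printing, Additive Manufacturing},
  location     = {Hong Kong},
  publisher    = {ACM},
  title        = {Security Analysis of the {3MF} Data Format},
  doi          = {10.1145/3607199.3607216},
  year         = {2023},
}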

