CNC Kitchen interviewed Bambu Lab CEO and asked “Are Bambu Lab Evil?” (https://www.youtube.com/watch?v=7pFtbybLlk0) I hope not. But this latest “change” doesn’t bode well imho.
I’d fancy changing that part “employee” of the month with “seller” of the year. Bambu has just managed to convince (read push) many (if not most) of its current customer base towards Creality’s K2 series for their next purchase … That should make Bambu the best Creality seller of the year
I bought my Bambu Lab P1P when my Creality died (still hope to repair it one day) and I needed a new one asap. I was so happy it worked and was easier to maintain (or so they promised). And my print results were so nice! I was really happy with the printer.
Today, I disconnected my printer from the internet. No update will follow. I don’t mind people seeing what I print (who would want my crappy designs anyway?). I don’t mind using BambuLab filament. I don’t mind using the BambuLab software.
But I do mind taking away choice and the realistic chance this will result in a paid subscription or BambuLab refusing to use their own filament because they might not recognize it for some reason.
Dear BambuLab, please don’t think you are Adobe (Photoshop) or Hewlett Packard. There are alternatives. And people will choose them. There is no such thing as ‘too big to fail’.
Your forum shows your users are in uproar, or at least the ones who understand what’s going on. Please return to the great alternative you were; don’t become the one people will look for an alternative to.
Sadly, I don’t think they can do anything to convince me to do business with them again. They just showed their true colors and convinced me to sell my P1P and look for an alternative I can trust.
That is less than good, but not surprising. Unfortunately the masses can’t figure out how to protect their own stuff, so companies get a black eye when anything is hacked or whatnot, which churns out FUD and probably impacts sales more than this policy. Likely a risk/loss decision, plus recurring revenue via subscription (forced or otherwise) is basically required for a company to stay in business these days as everyone just steals everywhere and there’s no hardware-based intellectual property to increase margin.
I think this should be opt-in though and come with a boatload more features of the cloud-connected design so they can get their 5 bux a month and offer a more secure and seamless service. This rollout seems iffy and does alienate a good portion of the current user base. But in the grow-or-die realm, and with 3D printing on the edge of being mainstream, I’m sure that cost-benefit analysis on losing the early adopters, makers, and tinkerers was done and came out fine. Once you have a marketplace of content anyone can print, you really don’t need all those other people. And why not have AI churn out models anyway? (It will; it just needs you all to upload more examples…)
Anyhow, I’ll likely be on the block-this-firmware train, and get a lot of entertainment from hacking it, as I’m guessing the same people that are good at that sort of thing are also those same early adopters. I’m a great product person and fantastic tester; let me know how to help the alt-Bambu community.
This update solves serious security flaws!
The BambuLab security update focuses on MQTT, as well as Node-RED, Home Assistant, ioBroker, and other applications.
The problem with MQTT is that it is a protocol (from 1999) that lacks any security features. This means data is transmitted in plaintext, there is no encryption in transit, no end-to-end encryption, etc. It’s a lightweight protocol without security features! It’s great for turning lights on and off, controlling window shades, or transmitting satellite images - which is what it was originally designed for.
Controlling 3D printers was never intended. This works fine as long as the data remains within a TLS tunnel, but once the data passes through Node-RED, Home Assistant, etc., BambuLab can no longer guarantee that data won’t leak (models could be stolen), printers could be manipulated, and potentially houses could catch fire.
With the BambuLab Connect app, third-party applications can upload sliced data to the printers. This means Orca Slicer hands over the data to Bambu Connect, which then establishes a secure channel to the printer. Also among other things, it seems that notifications have been significantly improved, e.g., receiving webcam images of print results, etc.
This also raises the question of liability, and it’s only a matter of time before something goes seriously wrong or catches fire! Who would be liable then? The user, BambuLab, or Bastelapp24? When you look at the whole situation, I think this is a very sensible change, albeit communicated extremely poorly. It’s too much from a tech perspective, and end-users get scared because they lack valuable information.
Therefore, I am surprised by the childish, low-IQ chatter from Josef Prusa, as he himself would benefit from these changes. His 3D printer factory is the prime example of the potential risks posed by MQTT. If his place burns down, it wasn’t me, just to make that clear… I would assume that Prusa will follow suit within the next 12 months, if Josef’s ego allows it.
Because the current implementation is username / 4 digit PIN password for authentication and this is maybe acceptable in your LAN at home, but not in factory environments or in regulated environments.
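As an added illustration of the plaintext point made in the posts above (this is example code written for this page, not code from Bambu Lab or from any poster): an MQTT 3.1.1 CONNECT packet, built the way a client sends it and then parsed the way a passive observer on an unencrypted port 1883 connection would read it. The client id, username and 4-digit access code are constructed placeholders. MQTT itself defines no confidentiality for the CONNECT payload; any protection comes from carrying the TCP session inside TLS (conventionally port 8883), which is a transport decision outside the protocol. A numeric 4-digit code also has only 10,000 possible values, so once it is observable or guessable it offers little.

```python
"""MQTT 3.1.1 CONNECT packet, as it appears on the wire.

Constructed example for this page. Packet layout follows MQTT 3.1.1
section 3.1; all identity values below are placeholders.
"""
import struct


def _encode_string(s: str) -> bytes:
    """UTF-8 string with a 2-byte big-endian length prefix (MQTT 3.1.1, 1.5.3)."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _encode_remaining_length(n: int) -> bytes:
    """Variable-byte integer used in the fixed header (MQTT 3.1.1, 2.2.3)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n > 0:
            byte |= 0x80          # continuation bit
        out.append(byte)
        if n == 0:
            return bytes(out)


def build_connect(client_id: str, username: str, password: str,
                  keep_alive: int = 60) -> bytes:
    """CONNECT with clean session, username and password flags set."""
    flags = 0x02 | 0x80 | 0x40    # clean session, username present, password present
    var_header = (_encode_string("MQTT") + bytes([0x04, flags])
                  + struct.pack(">H", keep_alive))
    payload = (_encode_string(client_id) + _encode_string(username)
               + _encode_string(password))
    body = var_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def _decode_remaining_length(buf: bytes, pos: int):
    value, multiplier = 0, 1
    while True:
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def _decode_string(buf: bytes, pos: int):
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length].decode("utf-8"), pos + length


def parse_connect(packet: bytes) -> dict:
    """Recover fields from a CONNECT packet; no key is needed, only the bytes."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_remaining_length(packet, 1)
    if len(packet) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    proto, pos = _decode_string(packet, pos)
    if proto != "MQTT":
        raise ValueError("unexpected protocol name")
    level, flags = packet[pos], packet[pos + 1]
    pos += 2
    (keep_alive,) = struct.unpack_from(">H", packet, pos)
    pos += 2
    client_id, pos = _decode_string(packet, pos)
    result = {"protocol_level": level, "keep_alive": keep_alive,
              "client_id": client_id}
    if flags & 0x04:              # will flag: skip will topic and will message
        _, pos = _decode_string(packet, pos)
        _, pos = _decode_string(packet, pos)
    if flags & 0x80:
        result["username"], pos = _decode_string(packet, pos)
    if flags & 0x40:
        result["password"], pos = _decode_string(packet, pos)
    return result


def credentials_visible(packet: bytes, password: str) -> bool:
    """True when the password bytes appear verbatim in the packet."""
    return password.encode("utf-8") in packet


if __name__ == "__main__":
    pkt = build_connect("slicer-host", "printer-user", "1234")  # placeholders
    print(pkt.hex())
    print(parse_connect(pkt))
```

Wrapping the socket with Python's `ssl` module (or any TLS layer) hides these bytes from an on-path observer, but does nothing about who else holds the same 4-digit code, and nothing about what a compromised host on either end does with the session.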
You are missing the point here I think. While I think there is some truth to what you say about the protocol etc, they could have done this in a better way overall. By the way, the catching fire thing is in my opinion extremely exaggerated and nobody should take it seriously. There are many hardware failsafes in modern printers that prevent that. Even then… malicious code could also be sent over the secured network link. Who even says that bambu lab scans/validates the commands/g-code sent over their servers?
Anyways…
- LAN Mode:
Users in LAN mode are on their own. Leave them be. The MQTT is running on their printers, their home network, their liability. End of story. They should be able to watch their video feed how they want, they should use the slicer they want, they can do anything.
- Cloud mode:
Bambu can enforce the rules here imo, and it is their right. If you want to use their cloud, it has to be encrypted, understandable, and thus providing the BambuLab Connect app seems reasonable. However: they should provide some form of certificate / keys / authorization methods for 3rd party applications so they can use the new secure cloud channels too. That way, Bambu ensures that only authorized and secure connections can be made. What they actually did was deny the developers of OrcaSlicer exactly that. They kindly asked for encryption keys so they can securely talk to the Bambu servers, and they just said no. Why?
So yea, I get that bambu can dictate how it should work in the cloud, but they could also help 3rd party developers/apps to get the same security up to their wanted standards. LAN mode people should just be left alone. Their liability. Hell, make it a checkbox and double confirmation before you can activate LAN mode, so everyone knows what they do to their “insecure” printer.
Users will either connect Orca Slicer to Bambu Connect or continue to use Bambu Studio as before. What is the big deal?
Orca Slicer will work exactly as before, but it will not have access to all features for security reasons. The missing features are provided by Bambu Connect. I think from a security standpoint this makes a lot of sense, because BambuLab cannot outsource the handling of security questions to a 3rd party, although it is convenient from a developer or user standpoint. The reason is that they would have to have an audit for all 3rd party apps.
I also don’t know personally who will get access to what features in the Connect app. So this remains to be seen. But I work in big IT environments and you want to keep the number of involved parties/apps as low as possible, since otherwise the effort explodes.
Mainly AMS, printer controls, switching on/off lights, fans etc. That’s the big deal.
Saying it will work exactly as before, then saying it doesn’t.
I am on your side with the cloud thing, if the printer is using the bambu cloud, they dictate who can access and how. OrcaSlicer could just say “alright, if you wanna use OrcaSlicer and bambu printers, first thing is going LAN mode”. And no one would bat an eye. But they force this also on lan mode users, which makes no sense.
The auth part makes no sense for local (LAN mode) users.
What is the audit for exactly? You said they did it because MQTT does not provide a secure channel. The Bambu Connect app just builds a secure channel using certificates and secrets and sends over the job via API. Using the reverse-engineered parts and implementing them directly in OrcaSlicer would do the exact same thing. No extra security was found in the Bambu Connect app. You know what’s even crazier? OrcaSlicer is open source and everyone in the world can see what they do when talking to BambuLab’s API. You know what is not open source? The Bambu Connect app. Who guarantees that Bambu won’t mess with my files? Who audits them? Their code is not public. As someone that works in IT, this is a big red flag to me.
Oh and by the way: they control the server side in cloud mode. If the client establishes a secure link, the server can still reject requests to their liking. Looks like it is malicious? Reject the request. Looks like non-conformant gcode? Reject it. Spamming the server? Block the IP and inform the user via mail. There are many options to ensure safe operations from their side. But locking users out of the options they used to have with their machines is not the right way. Especially in LAN mode.
Analysis of BambuLab’s Security Update
Background
BambuLab has recently announced a security update for its 3D printers, focusing on the use of MQTT (Message Queuing Telemetry Transport) and integration with home automation systems like Node-RED, Home Assistant, and ioBroker and others. This update aims to enhance device security and minimize potential risks.
MQTT and Security Concerns
- MQTT: This protocol, developed in 1999, is known for its lightness and efficiency, but it lacks built-in security features. Data is transmitted in plaintext, with no encryption in transit or end-to-end encryption. MQTT was originally designed for simple applications like turning lights on and off or controlling window shades, not for controlling complex devices like 3D printers.
- Security Risks: Controlling 3D printers via MQTT can be problematic, as data outside a secure TLS tunnel is vulnerable to manipulation. This could lead to data leaks (e.g., theft of 3D models), printer manipulation, or even physical hazards like fires.
BambuLab Connect App
- Function: The BambuLab Connect app allows third-party applications to securely upload sliced print data to the printers. Orca Slicer can pass the data to Bambu Connect, which then establishes a secure channel to the printer. This app also offers enhanced notification features, such as webcam images of print results.
Liability and Security Responsibility
- Liability: The question of who is responsible for security incidents remains open. Is it the user, BambuLab, or a third-party provider like RandomApp42? The introduction of BambuLab’s security update is a step in the right direction to minimize these risks, even if the communication of the changes was suboptimal.
Community Reactions
- Josef Prusa: The reaction of Josef Prusa, a competitor in the 3D printing market, is shortsighted. Prusa could benefit from such security measures, as his printers are also vulnerable to similar security gaps. It is speculated that Prusa might introduce similar security measures within the next 12 months, if his ego allows it.
Conclusion
BambuLab’s security update is a necessary measure to address the risks associated with using MQTT for controlling 3D printers. It ensures that critical operations are authorized and securely executed, thereby increasing the integrity and security of the printers. The introduction of Bambu Connect as a secure interface for third-party software shows that BambuLab is seeking a balance between security and user-friendliness. However, the communication of these changes could be improved to alleviate user concerns and clearly convey the benefits of the new security measures.
With you on the need for security, but that doesn’t mean that bricking their Orcaslicer integration is the right way to go about it. They’ve made it pretty clear - you use BambuSlicer or you go back to manual sd uploads. From the looks of it it is very much an attempt to force you into using their slicer. These security updates do not need to totally prevent 3rd party slicers, the security update is being used as a convenient cover for nailing doors closed.
Right, connecting to a closed source Chinese cloud service is “a necessary measure” to improve “security”. What is your profession again?
If you want security
- You disable any kind of Internet access (a.k.a. “air gapped”)
- You use open source software only (ideally also open source firmware)
- You certainly don’t use proprietary Chinese cloud services
- You don’t rely on certificates, authorizations, etc. which you have no control over
- You only trust documented, open APIs in your local network
Dang, now my printer will be isolated from the internet and I’ll continue to use orca slicer. Sucks because I was planning on buying the new flagship but this is too much.
BambuLab’s update, where running the printer in LAN-only mode requires a cloud connection, is in fact neither necessary nor sufficient to ensure security. Quite the opposite.
I do want security and as an obvious first step, this includes the printer running without the ability to connect to the internet. IoT devices are a security nightmare, particularly when they are communicating with a poorly secured cloud service.
LAN-only mode with a proper network configuration is a decent compromise, and BambuLab is taking that away. This removal of a security feature is completely orthogonal to improving security by adding proper encryption and authorization, which at this point I highly doubt BambuLab is even implementing correctly.
I fully expected BambuLab to improve security in firmware updates, it’s a big reason why software updates are even a thing. I could perhaps even tolerate having to use BambuStudio. What I cannot take is the mandated cloud connection for purely local operation, by a company with a spotty security track record.
As a self-identified “IT expert”, why did you leave out this crucial consideration?
Thanks for telling me you don’t know cybersecurity best practices without telling me you don’t know cybersecurity best practices…
With the BambuLab Connect app, third-party applications can upload sliced data to the printers. This means Orca Slicer hands over the data to Bambu Connect, which then establishes a secure channel to the printer.
Sure, having an encrypted channel is great… But you don’t put the same single private key on every single instance of the app
Sure they are using an asymmetric key system to lock their door. And then they put the key on the doormat…
At the end of the day, forcing LAN mode to contact the cloud services for “security” is laughable. I bought a printer, I want to control it the way I always have, without Bambu forcing my hand one way or the other.
If you want to read the actual write-up instead of an inaccurate AI summary, go read the write-up by drakko: Explaining the "Auth System" in laymans terms - #21 by drakko
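To make the doormat point above concrete, an added example (written for this page; not Bambu Lab’s code, and not a description of their actual key handling, which this thread does not detail): a challenge-response scheme in which a client proves possession of a key. The proof here is an HMAC over a server nonce for brevity; a signature made with an embedded private key has the same property, because the proof shows only that the prover holds the key material. All key values and client names are constructed. The two scenarios compare one key shipped in every copy of an app against one key per installation.

```python
"""Proof-of-possession with a shared embedded key vs. a per-installation key.

Constructed example. Keys and client names are placeholders.
"""
import hashlib
import hmac
import secrets


def make_proof(key: bytes, challenge: bytes) -> bytes:
    """Client side: prove possession of `key` for this challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class ProofServer:
    """Server side: knows which key each client id is expected to hold."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._revoked: set[str] = set()

    def enroll(self, client_id: str, key: bytes) -> None:
        self._keys[client_id] = key

    def revoke(self, client_id: str) -> None:
        self._revoked.add(client_id)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, client_id: str, challenge: bytes, proof: bytes) -> bool:
        if client_id in self._revoked or client_id not in self._keys:
            return False
        expected = make_proof(self._keys[client_id], challenge)
        return hmac.compare_digest(expected, proof)


def shared_key_scenario() -> dict:
    """Every copy of the app carries the same key; the server knows one identity."""
    app_key = b"constructed-key-baked-into-every-binary"   # placeholder
    server = ProofServer()
    server.enroll("official-app", app_key)

    c1 = server.challenge()
    legit = server.verify("official-app", c1, make_proof(app_key, c1))

    # Anyone who extracts the key from their own copy produces the same proof.
    extracted_key = app_key
    c2 = server.challenge()
    impostor = server.verify("official-app", c2, make_proof(extracted_key, c2))

    # The only remedy for a leaked shared key is revoking it, which also
    # locks out every honest copy of the app.
    server.revoke("official-app")
    c3 = server.challenge()
    honest_after_revoke = server.verify("official-app", c3, make_proof(app_key, c3))

    return {"legit": legit, "impostor": impostor,
            "honest_after_revoke": honest_after_revoke}


def per_install_scenario() -> dict:
    """Each installation enrolls its own key; the server can tell them apart."""
    server = ProofServer()
    alice_key, mallory_key = secrets.token_bytes(32), secrets.token_bytes(32)
    server.enroll("alice-laptop", alice_key)
    server.enroll("mallory-laptop", mallory_key)

    # Mallory extracting her own key only lets her prove she is Mallory.
    c1 = server.challenge()
    mallory_as_alice = server.verify("alice-laptop", c1, make_proof(mallory_key, c1))

    # Revoking the abusive installation leaves the others untouched.
    server.revoke("mallory-laptop")
    c2 = server.challenge()
    alice_still_ok = server.verify("alice-laptop", c2, make_proof(alice_key, c2))

    return {"mallory_as_alice": mallory_as_alice,
            "alice_after_revoking_mallory": alice_still_ok}


if __name__ == "__main__":
    print("shared key:     ", shared_key_scenario())
    print("per-install key:", per_install_scenario())
```

The encryption strength of the channel is irrelevant to the outcome: with a shared key the server learns only that the peer has a copy of the app, so the check cannot distinguish the official client from any program that read the key out of it, and it cannot be revoked per user.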
I am SO disappointed in this company. They managed to lure me back to the hobby after 6 years of being away and I even bought 3 of their printers and was considering getting a 4th (one of the core xy models). This leaves such a bad taste in my mouth I’d rather buy ANY other brand at this point and I’m someone who tends to be VERY brand loyal. Cured me of that issue I guess.
Admittedly, I might not work in IT environments as big as you, so I might have missed something, but I only spent a decade in the cybersecurity industry and today work with MQTT on a daily basis on systems far, far more complex (and with far bigger stakes, as in controlling megawatt power lines) and I really struggle with understanding how what they’re proposing improves security in any shape or form.
So, pray tell, how does an added app as a bridge between a slicer and the printer, running on the same system as the slicer, improve security? If the system is compromised it won’t matter if you added 50 extra steps in between; the ultimate command goes out of that system, and just as the slicer can be compromised, so can Bambu Connect. At least if the slicer is open source more eyes can see how it communicates with the printer, how it hardens its binary etc., whereas with Bambu Connect you have to trust BambuLab that they know what they’re doing, security-wise, a company that has shown multiple times that it might know how to make 3D printers but hasn’t the faintest idea of how to properly secure their software and comms.
If Bambu decides to integrate this Auth system I am going to install custom firmware on all of my printers. Try me.