This new auth system will make me sell my printers

While I can’t tell how any of this secures their cloud operation - at least for local/LAN-only mode this seems utterly pointless, again - if security was the motivation behind this change.

A malicious actor would not need local PC access to control the printer - what they did is they delivered a public key (or keys) together with the firmware update which tells the printers only to accept commands signed by the corresponding private key (or keys). Then they publicly distributed that private key with Bambu Connect (and possibly the same or another ‘authorized’ key with the latest Bambu Studio beta) hoping that way the printers will accept only commands from their ‘authorized’ apps. Of course, the key got exfiltrated immediately and a threat actor doesn’t need any sort of local PC access to continue having the ability to control the printers if they manage to establish a network breach.

So, short of forcing the printers to also talk with BL servers to aid in a proper key exchange with authorized apps - which would wholesomely negate the LAN-only mode - they did diddly squat to increase security while simultaneously disabling the convenience of 3rd party access (at least until someone fully reverse-engineers the Connector and creates a library that those 3rd party tools can use instead).

The more we find out about what they attempted, the more puzzling it is why in the world they did it?! At the very best, this was just a very amateurish attempt to increase security at the cybersec understanding of a self-taught high-schooler; at worst this is a deliberate (albeit also amateurish) anti-consumer step aimed at establishing a single controllable channel towards finding a way to monetize it later. And I’m not sure which is worse for BambuLab’s company image.

6 Likes

News flash: Bambu did make a decision, and it’s precisely that decision that has triggered all these consumer reactions.

2 Likes

Given what’s been discovered, I’m not saying that it was done well or effectively. Just that it would have met the intent. Curious how they will respond after that discovery was made.

I ask these questions about developers all the time :slight_smile:

2 Likes

So they aren’t allowed to make a new decision based upon new evidence? Are we supposed to just shake our fist at Bambu? I suppose that may be all you want to do, but I’d rather work on sussing out how this change affects people so that Bambu has an opportunity to see the impact and scope of the change. I rather like their printers and would like to hopefully purchase more in the future. Knowing that, I’d rather spend my time trying to effect the changes I want to see instead of grumbling about what hasn’t happened yet. I may learn that they are going down a path I don’t like, but until that happens I’ll at least try to work with them.

3 Likes

I’m starting to think there is no 100% certain way to do what they want to do. :slight_smile:

Other than something legal with the good old “terms of (dis)service”.

1 Like

Well done Bambu!!! :roll_eyes:
How can a company be so stupid?

3 Likes

I agree with earlier comments, this has nothing to do with security or Orca Slicer or any others, it’s an attempt to dupe users into a fully walled system. When I bought my machine it was clear they did not do that, and those were the terms and conditions I bought the product under; they have no right to retroactively change those conditions or affect how I use my machine. If this is how they do business I do not want to do business with them anymore, period!

5 Likes

I couldn’t have said it better myself!

1 Like

That will be their salvation :wink:

There is a very certain way to do what they want to do, if what they’re saying is their motivation (increased security) - and they don’t need to reinvent the wheel at all. They’re not the first ones to use MQTT for hardware comms, all they need is to have an OTP pairing process - the OTP is shown on the printer screen, the printer then requests that OTP to be provided when exchanging device-generated public keys, after which those keys can be used for anything - from a mere request to sign commands in order for the printer to accept them, to fully encrypting the MQTT status messages / camera stream (provided that the printer has hardware powerful enough to handle large-stream encryption). They don’t need to roll out any of this themselves, there are several widely available and vetted MQTT+TLS implementations already (and they already use a version of it for sending commands to begin with - that’s why you need the ‘auth code’ to establish a connection).

No cloud needed whatsoever, in fact, adding the cloud to the mix only lowers the security.

4 Likes
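The OTP pairing the post above describes, written out as an added example (not Bambu’s code or the poster’s): it assumes the printer’s existing TLS link carries the pairing messages, and it uses a client-generated symmetric key with HMAC tags in place of the public-key exchange the post mentions, so it runs on the standard library alone.

```python
import hmac, hashlib, json, secrets

def _mac(key, command, nonce):
    # Tag binds the command to a fresh nonce under the per-client key.
    msg = json.dumps({"cmd": command, "nonce": nonce}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Printer:
    """Printer side. Assumes pairing rides the existing TLS link to the printer."""
    def __init__(self):
        self.clients = {}  # client_id -> key chosen by that client; nothing global
        self.otp = None    # single-use code shown only on the printer's own screen
        self.seen = set()  # accepted nonces, so a captured command cannot be replayed
    def show_otp(self):
        self.otp = f"{secrets.randbelow(10**6):06d}"
        return self.otp    # rendered on the display, never published by firmware
    def pair(self, client_id, typed, client_key):
        # Physical-presence check: the caller must have read the code off the screen.
        otp, self.otp = self.otp, None      # consumed on any attempt, right or wrong
        if otp is None or not hmac.compare_digest(otp, typed):
            return False
        self.clients[client_id] = client_key
        return True
    def accept(self, client_id, command, nonce, tag):
        key = self.clients.get(client_id)
        if key is None or nonce in self.seen:
            return False
        if not hmac.compare_digest(_mac(key, command, nonce), tag):
            return False
        self.seen.add(nonce)
        return True

class Client:
    """App side: every install generates its own key instead of sharing one."""
    def __init__(self, client_id):
        self.client_id, self.key = client_id, secrets.token_bytes(32)
    def pair_with(self, printer, otp_typed_by_user):
        return printer.pair(self.client_id, otp_typed_by_user, self.key)
    def sign(self, command):
        nonce = secrets.token_hex(8)
        return nonce, _mac(self.key, command, nonce)

def demo():
    # A paired app, a replayed command, and a client with network access but no OTP.
    printer, studio, intruder = Printer(), Client("studio"), Client("intruder")
    paired = studio.pair_with(printer, printer.show_otp())
    nonce, tag = studio.sign("print start")
    first = printer.accept("studio", "print start", nonce, tag)
    replay = printer.accept("studio", "print start", nonce, tag)
    n2, t2 = intruder.sign("print start")
    return paired, first, replay, printer.accept("intruder", "print start", n2, t2)
```

Because each pairing stores a key the client chose, extracting one app’s key only exposes the printers that app was paired with, unlike a single private key shipped to everyone.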

I doubt any reasonable businessman would make the voluntary decision to alienate the core customer base like this:

  • Announce what is an extremely unpopular change that entirely destroys trust in the intentions of the company
  • Put the private key into a weakly obfuscated binary, resulting in it being extracted within a day

Somehow this smells like it was not a decision voluntarily made by the company itself.

2 Likes

What is it that you think that you are seeing? Recently I have been studying up on the security of web connected devices. The whole passing of keys and certificates, the encryption, the buffers… is all kind of standard fare.

Being the developer and all, perhaps you could point out and explain the nefarious parts of the code. drakko posted it at post #313.

Agree. This is about locking out users from perpetual, full LAN-only control of their own machines, allowing them to charge multiple times (e.g., in case you want to use your printer in a print farm management system), or if you want to use a third party accessory like the one from BigTreeTech.

1 Like

They are publicly distributing a hardcoded private key. Nefarious might be the overall intent, we can all speculate on this, but what’s not debatable is that the implementation screams sheer incompetence. If you don’t understand why, based on my first sentence, I’d suggest you read up some more on key exchanges, asymmetric keys, message authentication and overall PKI.

3 Likes

It was about 1%. Now, after the news, lots of people like me who didn’t participate in the community but have a Bambu printer came here to express their thoughts.

And if Bambu printers get the update that forces logging into an account, I’ll never recommend that my students buy one. Because closing into one ecosystem leads to degradation.

Bad news from the company today

3 Likes

Came here just to add my voice to the list. I’ll sell this thing so fast. And the purchase of my 2nd is probably not gonna happen now. Congrats.

Your decision to shut out 3rd party software is anti-user and I do not support it.

I was eagerly awaiting the next generation of Bambu printers hoping to go to the next flagship product from my current P1S, but I will not be buying a closed product from a closed company.

I’ll be looking to other brands for my next printer now. :frowning:

3 Likes

Remember when people claimed Android was a million times better than Apple? Yet, Apple isn’t exactly scraping by; they’re still raking in profits, despite some folks swearing off their products. Perhaps the earth has replenished those users with new ones?
I don’t have the insider info that many here seem to possess, so I’ll just wait and see what happens.

Just think of what a few thousand 2nd hand used printers are going to cost them. If they think their customer service is overloaded now, they are in for a rude awakening.

If you really want to follow through with this, I hope you will go extinct from the printer market. The innovations were great and good for the ecosystem, but this is not acceptable.