Bambu Lab - Setting the Record Straight About Our Security Update

65 points by reimertz, 4 months ago

17 comments

parasubvert, 4 months ago
People seem to be missing that FTP and MQTT are generally insecure protocols. I think FTP is probably the bigger issue than MQTT. This kind of stuff is common in home IoT networks but would never pass security audit on a corporate network.

Bambu is growing up, serving more corporations beyond the hobby community, and probably has been asked to beef their security up to make it easier to deploy their printers securely.

Moving to Mutual TLS via a controlled client like Bambu Connect is a pretty industry standard approach to secure, authenticated communication that doesn't require an internet connection, it is done with digital signatures offline.... and thus it can be done over a LAN. It's how many web APIs inside a corporate network are secured. It's how web browsers are secured. Microsoft, Mozilla, Google, Apple, etc. all send you revised certs/keys regularly in your OS or browser patches. Client authentication via X.509 cert signature or subject verification isn't super common on the public web but it does happen a lot with mobile apps or thick client apps, or some websites, e.g. SAP's many websites often use it to verify you're a customer.
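The mutual TLS arrangement parasubvert describes, in miniature, as an added example (Go standard library; this is not code from the thread or from Bambu Lab): a private CA issues a client certificate, a local HTTPS server admits only clients whose certificate chains to that CA, and three clients try to connect. The CA and client names (`Example Private CA`, `printer-client-01`, `Unrelated CA`) and the helper functions are constructed for illustration; `httptest` supplies the server's own certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// must panics on error; the demo has no fixtures without its keys and certificates.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// identity pairs a certificate with its private key.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mustIssue creates a certificate for cn: a self-signed CA when parent is nil,
// otherwise a client-auth leaf signed by parent. Names are constructed for the example.
func mustIssue(cn string, parent *identity) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer := &identity{cert: tmpl, key: key} // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer = parent
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer.cert, key.Public(), signer.key))
	return &identity{cert: must(x509.ParseCertificate(der)), key: key}
}

// newMTLSServer starts a local HTTPS server that admits only clients whose certificate chains to ca.
func newMTLSServer(ca *identity) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// By the time the handler runs, the peer certificate has been verified against ClientCAs.
		io.WriteString(w, "hello "+r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool} // the "mutual" part
	srv.StartTLS() // httptest supplies the server's own localhost certificate
	return srv
}

// call performs a GET against srv, presenting client's certificate when client is non-nil.
func call(srv *httptest.Server, client *identity) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // the client trusts only the expected server
	cfg := &tls.Config{RootCAs: roots}
	if client != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{client.cert.Raw}, PrivateKey: client.key}}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo builds the private CA and three clients and reports what each got from the server:
// the body for the CA-issued client, and the errors seen by the other two.
func Demo() (trusted string, noCert, wrongCA error) {
	ca := mustIssue("Example Private CA", nil)
	srv := newMTLSServer(ca)
	defer srv.Close()
	trusted, err := call(srv, mustIssue("printer-client-01", ca))
	if err != nil {
		panic(err) // the CA-issued client must be admitted
	}
	_, noCert = call(srv, nil)
	_, wrongCA = call(srv, mustIssue("printer-client-01", mustIssue("Unrelated CA", nil))) // same name, untrusted issuer
	return trusted, noCert, wrongCA
}
```

The third client reuses the trusted client's name but is issued by an unrelated CA, which is the point of signature-based client authentication: the server admits a peer because its certificate chains to a CA it trusts, not because of the name in the certificate. Changing the set in `ClientCAs` is the server-side counterpart of the cert and key updates the comment mentions arriving in OS and browser patches.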
scblock, 4 months ago
The list of fake concerns they list are not the real and very valid concerns I have seen. This addresses nothing.
ChrisArchitect, 4 months ago
Related: "BambuLab new firmware to cut access to third-party API and tools"

https://news.ycombinator.com/item?id=42760491
blutack, 4 months ago
Does anyone know or can see an actual concrete security concern with the current implementation of LAN mode?

https://github.com/Doridian/OpenBambuAPI/blob/main/mqtt.md

Right now, the printer's local MQTT server can only be accessed from the local IP using an 8 digit password obtained through the physical display.

I can't personally see any fundamental issue with this design assuming the implementation is correct, but I'm curious if others can.
axegon_, 4 months ago
Bambu lab printers are truly awesome in terms of what they can do for a very reasonable price. Having said that, I have never upgraded mine nor have I ever connected it to the internet and never will. Nor will I update it. If it takes me 15 minutes to get an ssh client running on an esp8266 that can connect to a poorly secured server and execute shell commands, there is no way I'm letting proprietary Chinese hardware and software anywhere near my home network. But this is just a side hobby of mine, so I can live with carrying around an SD card. But I can see how something like that can be a major blow to business owners. I am not entirely sure if this blog post is just a response or sneaky backpedaling from Bambu Labs after the backlash they received over the last few days.
LeFantome, 4 months ago
The play here is obviously that they want 3rd party services to use Bambu Connect instead of direct protocol integration. They will make Connect easy and direct too much work. That is what all the Panda talk was about. That way, when Bambu inevitably changes the model (e.g. subscription), we will have to pay to get access to the ecosystem. But Bambu will be able to claim that it is not them. We still support developer mode, they will say; it is the evil third parties that do not.

We need to make sure that dev mode becomes the de facto default. Don't fall for Connect.
louwrentius, 4 months ago
Meanwhile Jeff Geerling already put a video out on his second channel that he won't recommend a Bambu Lab printer anymore although he was happy with his printer. And this update didn't convince him to change his mind.

"Developer mode" isn't a solution. You buy hardware and it should work 100% without cloud connectivity. Otherwise it's not your hardware.
TechIsCool, 4 months ago
I am surprised that the use of a messaging queue through MQTT is considered a misuse of their technology when in reality it appears that the other application just was using an internal API that could change without notice. I also could see how certificate based authentication could be viewed by some as a time based expiration on the firmware.
solarkraft, 4 months ago
Is there firmware for Bambu printers beyond the X1 that just skips all the stupid stuff this company does (while keeping the good features)? Like most companies, it seems that they shouldn't be trusted with control over hardware that you own.
sarchertech, 4 months ago
This stuff isn't gonna stop until we regulate it.

I bought a Miku baby monitor specifically because they were the only manufacturer that had the feature I wanted that promised to never charge monthly fees to use it.

Well then they went bankrupt and a company bought them, forced an over the air update that disabled every feature that made the thing worth buying (for $399), and sent out a letter demanding monthly payment to reenable the "advanced" features.

Market forces won't fix this. Recurring revenue is just too tempting. It also doesn't matter how well intentioned a company is, the moment they go out of business, someone will buy their assets and force monthly fees on their former customers.
snvzz, 4 months ago
Sad attempt at damage control.

Meanwhile, trust continues to be eroded.
igor47, 4 months ago
Seems like the maker community, esp. YouTube influencers, uniformly recommend Bambu. Curious: do folks here have other recommendations? Equivalent quality, speed, maybe even price, but more committed to free software?
solarkraft, 4 months ago
It's such clownery to try to lock down a thing you're trying to sell to a community of tinkerers. The brand damage (the article fighting strawmen does little to reduce it) can't be worth whatever upside they're seeing unless they really are positioning themselves to use their unjustified power for profit (which will, of course, result in greater brand damage).

FWIW, I was really interested in the Bambu models until I found out about their shitty corporate behavior.
reimertz, 4 months ago
We were about to buy a Bambu Lab printer but then learnt there will be new printers coming out in Q1, so naturally wanted to wait.

I need to educate myself a bit more on this issue, but it feels like the rest of the printer industry is just catching up with the X1C (looking at Creality K2 Plus)..

Do I wait for next-gen printers from Bambu Labs, which I imagine will be quite revolutionary, or do we buy a Creality K2 Plus, which basically is an X1C?
Hizonner, 4 months ago
Uh-huh. So exactly what threat or threats is the "security upgrade" meant to address, what alternatives were considered, and where the heck is the "security" in sticking a barely obfuscated private key in a publicly distributed binary?
rcarmo, 4 months ago
That diagram they have is unfathomable and the arrows are confusing. It would probably have been best to do a separate LAN mode diagram to explain if there are any cloud dependencies whatsoever.
pmichaud, 4 months ago
I'm pretty pissed that they baited and switched me: I bought a Bambu printer on holiday sale under the previous terms, and they are now going to change the terms. Feels fraudulent.