Hot on the heels of Bambu Lab’s announcement that it would be locking down all network access to its X1-series 3D printers with new firmware, the X.509 certificate and private key from the Bambu Connect application have now been extracted by [hWuxH]. This application was intended to be the sole way for third-party software to send print jobs to Bambu Lab hardware as we previously reported.
The Bambu Connect app is a fairly low-effort Electron-based affair, with some attempt at obfuscation and encryption, but not enough to keep prying eyes out. The de-obfuscated main.js file can be found here, with the certificate and private key clearly visible. These are used to encrypt HTTP traffic with the printer, and are the sole thing standing in the way of tools like OrcaSlicer talking with authentication-enabled Bambu Lab printers.
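The failure described above, a private key shipped inside a distributed client bundle, is easy to catch before release with a secret-scanning pass over the build output. The following is an added example, not code from Hackaday, Bambu Lab or the Bambu Connect application: it scans text files for PEM private-key blocks, including ones hidden behind a single layer of base64 encoding, and reports the file and line. The sample "main.js" contents, the dummy PEM body and the file names are constructed for the demonstration and contain no real key.

```python
import base64
import re
import tempfile
from pathlib import Path

# PEM headers that mark private key material (PKCS#8, PKCS#1, SEC1, encrypted PKCS#8).
PEM_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
# Long base64-looking runs: a common low-effort way to hide a PEM in a string literal.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_private_keys(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding kind) for every line that carries a PEM private key,
    either in the clear or wrapped in one layer of base64."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_KEY_RE.search(line):
            findings.append((lineno, "pem-private-key"))
            continue
        for blob in B64_BLOB_RE.findall(line):
            try:
                decoded = base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
                continue
            # latin-1 never fails, so binary blobs (images etc.) are safely inspected too
            if PEM_KEY_RE.search(decoded.decode("latin-1")):
                findings.append((lineno, "base64-wrapped-pem-private-key"))
                break
    return findings


def scan_tree(root: Path, suffixes: tuple[str, ...] = (".js", ".json", ".txt")) -> dict[str, list]:
    """Walk a build output directory and collect findings per file (relative path as key)."""
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            hits = find_private_keys(path.read_text(errors="replace"))
            if hits:
                results[str(path.relative_to(root))] = hits
    return results


# Constructed dummy PEM: the body "AAAA" is filler, not key material.
FAKE_PEM = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

# Constructed stand-in for an Electron bundle's main.js (hypothetical content, not the real app).
SAMPLE_BUNDLE = "\n".join([
    "// constructed sample bundle for the scanner demo",
    "const endpoint = 'https://printer.local/';",
    "const clientKey = '" + FAKE_PEM.replace("\n", "\\n") + "';",  # line 3: key in the clear
    "const asset = '" + base64.b64encode(b"just an ordinary embedded asset, nothing secret here!!").decode() + "';",  # line 4: benign blob
    "const wrapped = atob('" + base64.b64encode(FAKE_PEM.encode()).decode() + "');",  # line 5: base64-hidden key
])


def scan_sample_tree() -> dict[str, list]:
    """Write the constructed bundle plus a clean file into a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="bundle-scan-"))
    (root / "main.js").write_text(SAMPLE_BUNDLE)
    (root / "clean.js").write_text("export const version = '1.0.0';\n")
    return scan_tree(root)


if __name__ == "__main__":
    for name, hits in scan_sample_tree().items():
        for lineno, kind in hits:
            print(f"{name}:{lineno}: {kind}")
```

Run as a CI step over the packaged app directory, a non-empty result should fail the build; a key that legitimately belongs only on a server has no business in a client bundle, and a shared key that every install carries gives no per-device identity at all.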
As for what Bambu Lab's next steps will be, it is now clear that security through obscurity is not going to be very effective here. While playing whack-a-mole with (paying) users who are only interested in using their hardware the way they want is certainly an option, this might be a wake-up call for the company that being more forthcoming with its userbase would be in everyone's best interest.
We await Bambu Lab’s response with bated breath.
So they tied access to a single, publicly distributed, private key and called it a ‘security’ feature?
That’s honestly repulsive. Just blatantly not bothering with authentication is a step above being both useless and controlling.
“publicly distributed private key”
I’m pretty sure there are two kinds of employees at Bambu: those who understand the oxymoron, and those with decision-making authority. The Venn diagram is two disjoint circles.
Who would be foolish enough to buy anything from them after recent publicity? They effectively wrote themselves off the market. Their further statements and even reverting the vendor lock-in will not matter as nobody will trust them anymore. Bambulab is effectively a dead company now. And they deserved it.
They said the same about Microsoft after Windows 8 debacle.
Decades have passed and the Year Of Linux is still not there. In fact modern Linux is in many ways less usable than a humble Windows 98 😂
You obviously don’t know anything about Linux.
He is right. Windows 98 was more usable than modern Linux distros for sure.
I miss those days.
Aside from the ridiculous statements about Linux (which is everywhere, and even steadily increasing in consumer hardware in both adulterated and purer forms), Windows and MS in general are a LOT more ubiquitous than Bambu and their printers are. Also, Bambulabs are actively using the work done by other 3DP pioneers. It would be the same if Windows had a tenth of the marketshare in the 90s, and was actually mostly Linux underneath. It’s not even close to comparable.
The most popular OS in the world is powered by Linux, with nearly twice as many installs as Windows.
“Bambulab is effectively a dead company now. And they deserved it.” Really? They are one of the best printers on the market, and don’t gouge you with crazy prices if you need parts.
There are similar offerings from other companies, i.e. Creality with their line of XY printers that are open source and cheaper. I have a K1C and it worked out of the box and is extremely reliable. It was also about $100 cheaper than the Bambu offering. I considered Bambu but decided against it simply because it was a proprietary system and I could see the subscription model coming.
I’m in the market for a new printer right now and honestly their products have such excellent value that it’s hard to ignore them, regardless of how much I hate proprietary stuff and closed ecosystems. BambuLab is the Apple of 3D printers, except unlike Apple, their products are vastly cheaper than the open ecosystem stuff. I would absolutely prefer having a Voron 2.4 or Trident over a X1C, but choosing the Voron means I have to pay significantly more for a product that not only requires more parts to be printed, but tens of hours of assembly.
I threw my toys out the pram at my current 3dp over Xmas, and was also considering a P1S. I’m hoping the Anycubic S1 reviews well, otherwise I’ll just have to swallow the Bambu pill.
I was completely unaware of these shenanigans – I was considering buying a Bambu printer once I’ve got some more free time to play with it, but I didn’t expect it to be locked down like that.
The link to the main.js is already gone. Waiting for the T-shirts with the key to emerge pretty soon.
QR-code, colors or base64 encoded? ;-)
https://archive.ph/ has it.
Well, that didn’t take long.
Odd timing to leak the key if it gives Bambu time to fix the issue.
They should have learnt a trick from console hackers and delay any disclosure until it’s necessary.
Maybe I’m giving someone at Bambu too much credit; but this seems like a situation where the weakness would have been known from the moment the lockout system was designed: if you are reusing the same cert across all devices and distributing the key (not just using it so the printers can verify that they are talking to your servers rather than DNS trickery), that key is not going to stay private.
A lightly obfuscated Electron phone-in is a comparatively soft target; but when extracting a single private key gets you into all devices, even attacks that would otherwise probably not be worth the trouble (decapping and physical inspection of/tampering with a smartcard or ‘secure element’ IC, say) are realistic concerns.
Not sure if they were just looking for a low-effort speedbump with none of the key management hassle associated with per-device certs; or if the hope is to get a legal hook that they can use to dissuade anyone who makes working around their locks too easy (the way that CSS on DVDs fell fairly quickly; but did ensure that DVD ripping never got the sort of ubiquitous commercial support that CD ripping did; since, while pitifully weak vs. people who just didn’t care, the DRM was just enough that outfits big enough to sue mostly didn’t want to touch it).
This reminds me a bit of Sony with the PS3 and when they removed the “OtherOS” functionality. This resulted in a class action lawsuit, and a settlement of either USD 55 or USD 65 for each affected user, depending on which website you look at.
I have not bought Sony stuff ever since they started placing rootkits on CDs, don’t have a PS3, and am not familiar with further details.
Can I haz Bambu Lab color-coded key t-shirt?
Waiting for the keys to be posted in a maker world print