2025-01-19
Hot on the heels of Bambu Lab’s announcement that it would be locking down all network access to its X1-series 3D printers with new firmware, the X.509 certificate and private key from the Bambu Connect application have now been extracted by [hWuxH]. This application was intended to be the sole way for third-party software to send print jobs to Bambu Lab hardware as we previously reported.
The Bambu Connect app is a fairly low-effort Electron-based affair, with some attempt at obfuscation and encryption, but not enough to keep prying eyes out. The de-obfuscated main.js file can be found here, with the certificate and private key clearly visible. These are used to encrypt HTTP traffic with the printer, and are the sole thing standing in the way of tools like OrcaSlicer talking with authentication-enabled Bambu Lab printers.
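The failure described above is a private key shipped inside a client bundle that every user downloads. As an added example (not code from Bambu Lab, the article, or [hWuxH]), here is a pre-release check a vendor could run over its own JavaScript bundle; the function names and the sample bundle are constructed for illustration.

```javascript
// Added example: pre-release check for PEM key material inside a JS bundle.
// Function names and SAMPLE_BUNDLE are constructed for illustration.

// Matches PEM armor for certificates and any private key type (RSA, EC, PKCS#8).
// The body may not run past another BEGIN marker, so a stray header in a
// comment cannot swallow a real block that follows it.
const PEM_RE =
  /-----BEGIN ((?:[A-Z0-9]+ )*(?:PRIVATE KEY|CERTIFICATE))-----((?:(?!-----BEGIN)[\s\S])*?)-----END \1-----/g;

function findPemBlocks(source) {
  const hits = [];
  for (const m of source.matchAll(PEM_RE)) {
    // Bundlers keep PEM text as string literals, so newlines appear escaped.
    const body = m[2].replace(/\\[nr]/g, "").replace(/\s+/g, "");
    // Skip armor with no base64 payload (documentation, templates). Legacy
    // PEM with "Proc-Type" headers is also skipped by this simple check.
    if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(body)) continue;
    hits.push({
      label: m[1],
      line: source.slice(0, m.index).split("\n").length,
      isPrivateKey: m[1].endsWith("PRIVATE KEY"),
    });
  }
  return hits;
}

// A client bundle may carry public certificates; it must never carry a private key.
function auditBundle(file, source) {
  const hits = findPemBlocks(source);
  const shipsPrivateKey = hits.some((h) => h.isPrivateKey);
  const shipsCert = hits.some((h) => !h.isPrivateKey);
  return { file, hits, shipsPrivateKey, keyShippedWithCert: shipsPrivateKey && shipsCert };
}

// Constructed sample: the payload is the base64 of the word "CONSTRUCTED".
const SAMPLE_BUNDLE = [
  "// keys begin with -----BEGIN PRIVATE KEY----- (header only, no key data)",
  "const cfg = {",
  '  cert: "-----BEGIN CERTIFICATE-----\\nQ09OU1RSVUNURUQ=\\n-----END CERTIFICATE-----",',
  '  key: "-----BEGIN PRIVATE KEY-----\\nQ09OU1RSVUNURUQ=\\n-----END PRIVATE KEY-----",',
  "};",
].join("\n");

const report = auditBundle("main.js", SAMPLE_BUNDLE);
console.log(JSON.stringify(report, null, 2));
```

A build that reports `shipsPrivateKey` should fail: any secret present in a distributed client is available to every user of that client, regardless of obfuscation.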
As for what will be the next steps by Bambu Lab, it’s now clear that security through obfuscation is not going to be very effective here. While playing whack-a-mole with (paying) users who are only interested in using their hardware in the way that they want is certainly an option, this might be a wake-up call for the company that being more forthcoming with their userbase would be in everyone’s best interest.
We await Bambu Lab’s response with bated breath.
5 thoughts on “Bambu Connect’s Authentication X.509 Certificate And Private Key Extracted”
So they tied access to a single, publicly distributed, private key and called it a ‘security’ feature?
That’s honestly repulsive. Just blatantly not bothering with authentication is a step above being both useless and controlling.
Who would be foolish enough to buy anything from them after recent publicity? They effectively wrote themselves off the market. Their further statements and even reverting the vendor lock-in will not matter as nobody will trust them anymore. Bambulab is effectively a dead company now. And they deserved it.
They said the same about Microsoft after the Windows 8 debacle.
Decades have passed and the Year Of Linux is still not there. In fact modern Linux is in many ways less usable than a humble Windows 98 😂
I was completely unaware of these shenanigans – I was considering buying a Bambu printer once I’ve got some more free time to play with it, but I didn’t expect it to be locked down like that.
The link to the main.js is already gone. Waiting for the T-shirts with the key to emerge pretty soon.