Bambu Lab Tries To Clarify Its New “Beta” Authentication Scheme

Perhaps one of the most fascinating aspects of any developing tech scandal is the way that the target company handles criticism and feedback from the community. After announcing a new authentication scheme for cloud & LAN-based operations a few days ago, Bambu Lab today posted an update that’s supposed to address said criticism and feedback. This follows the original announcement which had the 3D printer community up in arms, and quickly saw the new tool that’s supposed to provide safe and secure communications with Bambu Lab printers ripped apart to extract the security certificate and private key.

In the new blog post, the Bambu Lab spokesperson takes a few paragraphs to get to the point that the community is most concerned about, which is interoperability between tools like OrcaSlicer and Bambu Lab printers. The above graphic is what they envision it will look like, with purportedly OrcaSlicer getting a network plugin that should provide direct access, but so far the Bambu Connect app remains required. It’s also noted that this new firmware is ‘just Beta firmware’.

As the flaming wreck that’s Bambu Lab’s PR efforts keeps hurtling down the highway of public opinion, we’d be remiss to not point out that with the security certificate and private key being easily obtainable from the Bambu Connect Electron app, there is absolutely no point to any of what Bambu Lab is doing.

Bambu Connect’s Authentication X.509 Certificate And Private Key Extracted

Hot on the heels of Bambu Lab’s announcement that it would be locking down all network access to its X1-series 3D printers with new firmware, the X.509 certificate and private key from the Bambu Connect application have now been extracted by [hWuxH]. This application was intended to be the sole way for third-party software to send print jobs to Bambu Lab hardware as we previously reported.

The Bambu Connect app is a fairly low-effort Electron-based affair, with some attempt at obfuscation and encryption, but not enough to keep prying eyes out. The de-obfuscated main.js file can be found here (archived), with the certificate and private key clearly visible. These are used to encrypt HTTP traffic with the printer, and are the sole thing standing in the way of tools like OrcaSlicer talking with authentication-enabled Bambu Lab printers.

As for what will be the next steps by Bambu Lab, it’s now clear that security through obfuscation is not going to be very effective here. While playing whack-a-mole with (paying) users who are only interested in using their hardware in the way that they want is certainly an option, this might be a wake-up call for the company that being more forthcoming with their userbase would be in everyone’s best interest.

We await Bambu Lab’s response with bated breath.

This Week In Security: Rsync, SSO, And Pentesting Mushrooms

Up first, go check your machines for the rsync version, and your servers for an exposed rsync instance. While there are some security fixes for clients in release 3.4.0, the buffer overflow in the server-side rsync daemon is the definite standout. The disclosure text includes this bit of nightmare fuel: “an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on.”

A naive search on Shodan shows a whopping 664,955 results for rsync servers on the Internet. Red Hat’s analysis gives us a bit more information. The checksum length is specified by the remote client, and an invalid length isn’t properly rejected by the server. The effect is that an attacker can write up to 48 bytes into the heap beyond the normal checksum buffer space. The particularly dangerous case is also the default: anonymous access for file retrieval. Red Hat has not identified a mitigation beyond blocking access.

If you run servers or forward ports, it’s time to look at ports 873 and 8873 for anything listening. And since that’s not the only problem fixed, it’s really just time to update to rsync 3.4.0 everywhere you can. While there aren’t any reports of this being exploited in the wild, it seems like attempts are inevitable. As rsync is sometimes used in embedded systems and shipped as part of appliances, this particular bug threatens to have quite the long tail.
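The host check described above can be scripted. The following is an added example, not code from the article or from the rsync project: the function names are hypothetical, and the `rsync --version` and `ss -ltn` text is constructed sample input so the script runs offline.

```shell
#!/bin/sh
# Added example: flag an rsync older than 3.4.0 and any listener on 873/8873.
FIXED_VERSION="3.4.0"   # release the article names as carrying the fixes

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION='rsync  version 3.2.7  protocol version 31'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:873        0.0.0.0:*
LISTEN 0      128    127.0.0.1:22       0.0.0.0:*
LISTEN 0      5      [::]:8873          [::]:*'

# Pull "X.Y.Z" out of the first line of `rsync --version` output.
parse_rsync_version() {
    printf '%s\n' "$1" | sed -n '1s/^rsync  *version  *\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if dotted version $1 >= $2 (numeric compare, field by field).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Print local addresses from `ss -ltn` output that listen on 873 or 8873.
rsync_listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" && $4 ~ /:(873|8873)$/ { print $4 }'
}

# $1 = `rsync --version` text, $2 = `ss -ltn` text
audit() {
    ver=$(parse_rsync_version "$1")
    if [ -z "$ver" ]; then echo "version: unknown"
    elif version_ge "$ver" "$FIXED_VERSION"; then echo "version: $ver (ok)"
    else echo "version: $ver (older than $FIXED_VERSION, update)"; fi
    rsync_listeners "$2" | sed 's/^/listening: /'
}

# On a real host: audit "$(rsync --version)" "$(ss -ltn)"
audit "$SAMPLE_VERSION" "$SAMPLE_SS"
```

A listener on a non-default port will not show up here, so on hosts with a custom `rsyncd` configuration check the process list as well.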

Audio On A Shoestring: DIY Your Own Studio-Grade Mic

When it comes to DIY projects, nothing beats the thrill of crafting something that rivals expensive commercial products. In the microphone build video below, [Electronoobs] found himself inspired by DIY Perks’ earlier efforts. He took on the challenge of building a $20 high-quality microphone, a budget-friendly alternative to models priced at $500. The result: an engaging and educational journey that has its moments of triumph, its challenges, and of course, opportunities for improvement.

The core of the build lies in the JLI-2555 capsule, identical to those found in premium microphones. The process involves assembling a custom PCB for the amplifier, a selection of high-quality capacitors, and designing lightweight yet shielded wiring to minimize noise. [Electronoobs] also demonstrates the importance of a well-constructed metal mesh enclosure to eliminate interference, borrowing techniques like shaping mesh over a wooden template and insulating wires with ultra-thin enamel copper. While the final build does not quite reach the studio-quality level and looks of the referenced DIY Perks’ build, it is an impressive attempt to watch and learn from.

The project’s key challenge here would be achieving consistent audio quality. The microphone struggled with noise, low volume, and single-channel audio, until [Electronoobs] made smart modifications to the shielded wiring and amplification stages. Despite the hurdles, the build stands as an affordable alternative with significant potential for refinement in future iterations.


Hackaday Europe 2025 Tickets On Sale, And CFP Extended Until Friday

We’re opening up shop for Hackaday Europe, so get your tickets now! We’ve managed to get the ticket price down a bit this year, so you can join in all the fun for $145. And if you’re reading this right now, snap up one of the $75 early bird tickets as fast as you can.

Hackaday Europe is going down again in Berlin this year, on March 15th and 16th at MotionLab. It’s going to be a day and a half of presentations, lightning talks, badge hacking, workshops, and more. This is where Hackaday hangs out in person, and it’s honestly just a great time – if your idea of a great time is trading favorite PCB design tricks, crafting crufty code, and generally trading tales of hardware derring-do.

In short, it’s the best of Hackaday, live and in person. Throughout the weekend, all the meals are catered, we’ve got live music at night, and the soldering irons will be warmed up for you. It’s going to be great!

If you’re in town on Friday the 14th, we’ll be meeting up in the evening to get together over some pre-event food and drink, sponsored by Crowd Supply. It’s a nice opportunity to break the ice, get to know the people you’re going to be spending the next 48 hours with, and just mingle without missing that great talk or wonderful workshop.

This Week In Security: Backdoored Backdoors, Leaking Cameras, And The Safety Label

The mad lads at watchTowr are back with their unique blend of zany humor and impressive security research. And this time, it’s the curious case of backdoors within popular backdoors, and the list of unclaimed domains that malicious software would just love to contact.

OK, that needs some explanation. We’re mainly talking about web shells here. Those are the bits of code that get uploaded to a web server, that provide remote access to the computer. The typical example is a web application that allows unrestricted uploads. If an attacker can upload a PHP file to a folder where .php files are used to serve web pages, accessing that endpoint runs the arbitrary PHP code. Upload a web shell, and accessing that endpoint gives a command line interface into the machine.

The quirk here is that most attackers don’t write their own tools. And oftentimes those tools have special, undocumented features, like loading a zero-size image from a .ru domain. The webshell developer couldn’t be bothered to actually do the legwork of breaking into servers, so instead added this little dial-home feature, to report on where to find all those newly backdoored machines. Yes, many of the popular backdoors are themselves backdoored.

This brings us to what watchTowr researchers discovered — many of those backdoor domains were either never registered, or the registration has been allowed to expire. So they did what any team of researchers would do: Buy up all the available backdoor domains, set up a logging server, and just see what happens. And what happened was thousands of compromised machines checking in at these old domains. Among the 4000+ unique systems, there were a total of 4 .gov. domains from governments in Bangladesh, Nigeria, and China. It’s an interesting romp through old backdoors, and a good look at the state of still-compromised machines.


3DBenchy Starts Enforcing Its No Derivatives License

[Editor’s note: A few days later, it looks now like Prusa pulled the models of their own accord, because of their interpretation of the copyright law. Creative Tools and NTI claim that they were not involved.]

Nobody likes reading the fine print, least of all when you’re just downloading some 3D model. While this is rarely an issue when printing a copy for personal use, things can get a lot more complicated when you make and distribute a derived version of a particular model.

Case in point: the ever-popular 3DBenchy model, which was intended to serve as a diagnostic aid by designer [Creative Tools] (recently acquired by [NTI Group]). Although folks have been spinning up their own versions of this benchmark print for years, such derivative works were technically forbidden by the original model’s license — a fact that the company is now starting to take seriously, with derivative models reportedly getting pulled from Printables.

The license for the 3DBenchy model is (and always has been) the Creative Commons BY-ND 4.0, which requires attribution and forbids distribution of derivative works. This means that legally any derived version of this popular model being distributed on Thingiverse, Printables, etc. is illegal, as already noted seven years ago by an observant user on Reddit. According to the message received by a Printables user, all derived 3DBenchy models will be removed from the site while the license is now (belatedly) being enforced.

Although it’s going to be a bit of an adjustment with this license enforcement, ultimately the idea of Creative Commons licenses was that they set clear rules for usage, which become meaningless if not observed.

Thanks to [JohnU] for the tip.