[HN Gopher] Bambu Lab - Setting the Record Straight About Our Se...
___________________________________________________________________
Bambu Lab - Setting the Record Straight About Our Security Update
Author : reimertz
Score : 49 points
Date : 2025-01-20 21:47 UTC (1 hours ago)
(HTM) web link (blog.bambulab.com)
(TXT) w3m dump (blog.bambulab.com)
| ChrisArchitect wrote:
| Related:
|
| _BambuLab new firmware to cut access to third-party API and
| tools_
|
| https://news.ycombinator.com/item?id=42760491
| scblock wrote:
| The list of fake concerns they list are not the real and very
| valid concerns I have seen. This addresses nothing.
| the_mitsuhiko wrote:
| > This addresses nothing.
|
| This does in fact address quite a bit, because they have changed
| their stance with this update. Previously even LAN only mode
| required going via their bambu connect system, now you can
| switch it to developer mode and talk freely via MQTT to the
| printer.
| progbits wrote:
| But when you buy the printer you still need to give it
| internet access / connect via their app, right?
| the_mitsuhiko wrote:
| I'm not sure why you would _need_ to give it internet
| access. I think even the firmware updates work via SD card.
| nullc wrote:
| They just introduced firmware updates via SD card in the
| most recent released version, prior to that you had to
| put the printer online and associate it with an account
| to get firmware updates.
|
| But yes today there is no need to use their cloud
| services unless you want to control the printer with
| their phone app. And the printer works totally fine
| completely isolated from the internet.
|
| The now aborted proposed update would have required using
| a binary shim from bambu with an embedded 1 year lifetime
| SSL cert to speak to the printer at all, even when in
| lan mode.
| LouisvilleGeek wrote:
| Bambu Companion (unfortunately iPhone only) does more
| than Handy and works on LAN. Using it today in fact!
| https://www.youtube.com/watch?v=LZpDQN9zgUI
| TechIsCool wrote:
| Didn't we hear this tune from Sony in the Playstation 3 days
| with Developer mode and then it slowly faded away after a
| couple years of application/product releases...
| vvanders wrote:
| You could already talk freely to the MQTT on the printer
| _and_ it was already secured with a unique password. This
| feels like making it a second class feature that could
| disappear at a future point.
| the_mitsuhiko wrote:
| That is obviously correct, but this is a meaningful
| improvement over what their initial plan was.
| rowanG077 wrote:
| That doesn't seem obvious to me. It's not unthinkable
| their plan is:
|
| - Want to introduce x, but we are worried what our
| userbase thinks.
|
| - Introduce something way more ridiculous y that subsumes
| x.
|
| - Rollback y but not x because of backlash.
|
| Now they look like a company that listens to their users
| and they got what they wanted.
| satvikpendem wrote:
| Ah, the classic door-in-the-face technique.
|
| https://en.wikipedia.org/wiki/Door-in-the-face_technique
| madeofpalk wrote:
| They've suffered real brand damage. Any of the changes
| (original, or these) seem like they would win over
| unconvinced potential customers, yet they've actively
| turned some away.
| vvanders wrote:
| I don't really see what having a "developer mode" offers
| here beyond the existing solution. The current mqtt is
| already locked down with a unique password and AFAIK the
| endpoint was read-only anyway.
|
| Don't get me wrong I'm glad they're responding to
| feedback but the feedback shouldn't have been required in
| the first place.
|
| I'm all for better security on products (esp. ones that
| heat up to 300C!) but interoperability with open
| standards makes it a _better_ product overall and given
| the direction we've seen in the IoT space I think
| they've done quite a bit of damage (even if not
| intentionally) by not taking more care in this area.
| parasubvert wrote:
| Developer mode is just "how it works today" mode. It's
| insecure, and uses private APIs, and thus shouldn't be
| used, but people will anyway, so they're listening to
| their customers.
| sho_hn wrote:
| Why should I switch to "developer mode" to talk to a computer
| I own on my own network?
| fearoffish wrote:
| Would you be able to elaborate on the ones you've seen?
| iLoveOncall wrote:
| The main concern that was raised was that you couldn't send
| print jobs from other slicers anymore, and this article
| explains why this isn't the case in the section titled "How
| Bambu Connect Works", taking OrcaSlicer as an example.
|
| How does it not address the concerns of people?
| geerlingguy wrote:
| Judging by the PR thread in OrcaSlicer's GitHub repo, not all
| users are happy with the proposed fix, requiring users to
| install Bambu Connect on their computers (which currently
| doesn't run on Linux, IIRC?) to be able to use the new
| OrcaSlicer to Bambu workflow...
| https://github.com/SoftFever/OrcaSlicer/pull/8103
| ipv6ipv4 wrote:
| Tellingly, this pull request is coming from a Bambu Lab
| employee. I think the OrcaSlicer maintainers should tell
| Bambu Lab to pound sand with this change.
| iLoveOncall wrote:
| > I think the OrcaSlicer maintainers should tell Bambu
| Lab to pound sand with this change.
|
| Hum, the alternative is OrcaSlicer stops working with
| Bambu printers...
| ipv6ipv4 wrote:
| You mean Bambu Lab broke compatibility with OrcaSlicer
| and every other slicer out there.
|
| I don't know if the OrcaSlicer maintainers feel this way.
| But if they feel that Bambu Lab is stabbing them in the
| back, they don't have to jump when Bambu Lab tells them
| to (that's pretty much the raison d'être of open source).
| iLoveOncall wrote:
| > But if they feel that Bambu Lab is stabbing them in the
| back, they don't have to jump when Bambu Lab tells them
| to (that's pretty much the raison d'être of open source).
|
| The raison d'être of Orca Slicer is to slice files for 3D
| printers. They don't manufacture printers. They have no
| raison d'être if they don't support one of the major
| players in the 3D printing space.
| sho_hn wrote:
| > Hum, the alternative is OrcaSlicer stops working with
| Bambu printers...
|
| Which is fine, no? Plenty of other good printers
| available.
| parasubvert wrote:
| Um no? First, Bambu is the best, by far. Secondly, Orca
| Slicer is a fork of Bambu Studio and the vast majority of
| its users are Bambu customers that want extra features.
| easygenes wrote:
| OrcaSlicer is a fork of Bambu's slicer. It defeats the
| whole impetus of the project to not support Bambu Lab
| printers.
| wildzzz wrote:
| These companies always pick the most ridiculous tinfoil hat
| bullshit list of complaints to debunk when trying to explain
| why they want to close off their API. The real reason almost
| always comes down to money. The mention of Panda Touch is very
| telling. While I'm sure Bambu doesn't want to maintain
| documentation for a non-public (is that the right term?) API,
| they definitely don't want other companies making money off
| their ecosystem.
| rpearl wrote:
| who cares if Panda Touch/BigTreeTech was making money off the
| ecosystem? it did nothing more than sell more bambu printers.
| It's not net-zero--money for BigTreeTech is not coming out of
| Bambu's pockets; I seriously doubt it was net-negative for
| Bambu.
| sitkack wrote:
| Having 2nd and 3rd party support only make an ecosystem
| more robust.
|
| This whole kerfuffle only sours me to them. I like the
| printer but the desktop software quality is low and
| features in LAN mode are not available for what one can
| only think of as a shitty move to hoover up data for the
| enshittification.
| Jzush wrote:
| Because the writing on the wall is that this was always
| meant to be a subscription based, continual revenue stream
| for Bambu Lab. They are just edging that direction.
|
| Whether or not it's simply greed or that they didn't make
| as much selling the printers as they had thought. The next
| step to closing an API and killing 3rd party interactions
| is almost always so they can introduce some form of
| continuous monetization scheme.
|
| That was always something that rubbed me the wrong way with
| Bambu Lab. They threw an absolutely obscene amount of
| money at influencers. Essentially buying a ringing
| endorsement from nearly the whole hobbyist community and
| made their brand a household name.
|
| The time was right to pull the switch.
| louwrentius wrote:
| Meanwhile Jeff Geerling already put a video out on his second
| channel that he won't recommend a bambu lab printer anymore
| although he was happy with his printer. And this update didn't
| convince him to change his mind.
|
| "Developer mode" isn't a solution. You buy hardware and it should
| work 100% without cloud connectivity. Otherwise it's not your
| hardware.
| sitkack wrote:
| Absolutely!
|
| Local first, everything that should likely run locally should
| be enabled.
|
| You can't use the desktop software to see the contents of the
| SD card, you have to enable cloud access.
|
| I own two Bambu printers, great hardware, and ok software. No
| longer recommending them.
| parasubvert wrote:
| Neither LAN mode nor Developer mode requires cloud
| connectivity. Keep spreading the FUD though.
| muppetman wrote:
| There is little I find more hilarious than the "<talking head>
| has put out a video on their <youtube/tiktok/facebook> that
| says <thing>" comment reply.
|
| I summarise all these replies in my head as "Influencer I've
| never heard of influences"
|
| I agree with you re: Developer mode though.
| Jzush wrote:
| Yeah, what is the point of developer mode for a device you're
| not "allowed" to develop for anyway?
| mmorriso wrote:
| I use LAN mode for my P1S currently in a shed with a local AP
| and no internet access and it works fine.
| TechIsCool wrote:
| I am surprised that the use of a messaging queue through MQTT is
| considered a misuse of their technology when in reality it
| appears that the other application just was using an internal API
| that could change without notice. I also could see how
| certificate based authentication could be viewed by some as a
| time based expiration on the firmware.
| vvanders wrote:
| Yeah that's a huge bummer if so, I've got both a HA automation
| that shows the printer status without needing to have an app
| installed _and_ I've got a secondary filtration system that's
| fully automated which would be a PITA if I had to manage
| manually.
|
| Totally understand if it's something that could change/break in
| future updates but the language about it being "exploited" is a
| bummer, you would think extending/documenting that would
| actually drive further adoption of the printers by building a
| more robust ecosystem around them.
| blutack wrote:
| Does anyone know or can see an actual concrete security concern
| with the current implementation of LAN mode?
|
| https://github.com/Doridian/OpenBambuAPI/blob/main/mqtt.md
|
| Right now, the printer's local MQTT server can only be accessed
| from the local IP using an 8 digit password obtained through
| the physical display.
|
| I can't personally see any fundamental issue with this design
| assuming the implementation is correct, but I'm curious if others
| can.
| iLoveOncall wrote:
| Look up old results about "BambuLab MQTT" on Google.
|
| They use an online MQTT server instead of the local one for the
| following functions: initiating printing, heating the nozzle,
| and heating the heatbed. (see
| https://www.allaboutbambu.com/2024/06/14/p1p-p1s-new-firmwar...)
|
| On https://forum.bambulab.com/t/bambu-lab-mqtt-limitations/8344...
| you can see their MQTT server got DDoSed by
| some faulty 3rd party "client".
|
| I don't think it's so much about security of the users as much
| as it is about their own.
| nullc wrote:
| That article is referring to conflicting controls when using
| their cloud stuff.
|
| In lan mode it doesn't use anything remote and works just
| fine completely isolated.
|
| > you can see their MQTT server got DDoSed by some faulty 3rd
| party "client"
|
| Right, when you use 'cloud mode' then bambu controls the
| printer, and your own control has to go through them.
| parasubvert wrote:
| To me this whole thing feels like they're trying to pass audit
| to sell Bambu printers to corporations that require secure
| communications. Mutual TLS with client certs is nearly
| universal, which is what they're trying to do with Bambu
| Connect. On the other hand, MQTT isn't a very secure protocol,
| plus the printer also uses FTP which is mostly banned on
| corporate networks these days.
| blutack wrote:
| I wasn't aware of any specific vulnerabilities in the basic
| MQTT design (assuming it's over TLS).
|
| I agree that mTLS for embedded M2M/IoT auth against MQTT is
| pretty standard (see AWS IoT, Azure etc) but do paper
| printers used in enterprise which have displays typically
| require mTLS for printing?
|
| Surely any corporation with a security team would VLAN and
| null route these things anyway!
| Hizonner wrote:
| Uh-huh. So exactly what threat or threats is the "security
| upgrade" meant to address, what alternatives were considered, and
| where the heck is the "security" in sticking a barely obfuscated
| private key in a publicly distributed binary?
| ClassyJacket wrote:
| The threat of Bambu not being able to remotely brick your
| printer in 5 years when they want to sell you a new one
| karunamurti wrote:
| The security threat is real, they got a DDoS attempt on their
| MQTT service last year from 3rd party apps. The fix is not good
| though, distributing a private key.
| snvzz wrote:
| Sad attempt at damage control.
|
| Meanwhile, trust continues to be eroded.
| pmichaud wrote:
| I'm pretty pissed that they baited and switched me--I bought a
| bambu printer on holiday sale under the previous terms, and they
| are now going to change the terms. Feels fraudulent.
| parasubvert wrote:
| People seem to be missing that FTP and MQTT are generally
| insecure protocols. I think FTP is probably the bigger issue than
| MQTT. This kind of stuff is common in home IOT networks but would
| never pass security audit on a corporate network.
|
| Bambu is growing up, serving more corporations beyond the hobby
| community, and probably has been asked to beef their security up
| to make it easier to deploy their printers securely.
|
| Moving to Mutual TLS via a controlled client like Bambu Connect
| is a pretty industry standard approach to secure, authenticated
| communication that doesn't require an internet connection, it is
| done with digital signatures offline, and thus it can be done
| over a LAN. It's how many web APIs inside a corporate network are
| secured. It's how web browsers are secured. Microsoft, Mozilla,
| Google, Apple, etc. all send you revised certs/keys regularly in
| your OS or browser patches. Client authentication via X.509 cert
| signature or subject verification isn't super common on the
| public web but it does happen a lot with mobile apps or thick
| client apps, or some websites, e.g. SAP's many websites often use
| it to verify you're a customer.
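The comment above describes mutual TLS with X.509 client certificates as an offline, LAN-capable authentication scheme, and nullc's comment earlier in the thread raises the concern of a client shipped with a certificate of fixed 1 year lifetime. The script below is an added example, not code from this thread, from Bambu Lab or from any of the projects named here: it builds a private CA, issues a client certificate from it, verifies that the client certificate chains to the CA (the check the verifying side of an mTLS handshake performs), and then reports whether that certificate will still be valid a given number of seconds from now. The CA name, subject names, the working directory and all lifetimes are constructed for the example; it needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread or from Bambu Lab): a private CA issues a
# short-lived client certificate, the chain is verified, and the certificate's
# remaining lifetime is checked. All names, paths and lifetimes are constructed.
set -e

# Scratch directory for the generated keys and certificates.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a self-signed CA, then issue a client certificate signed by it.
# $1 = client certificate lifetime in days.
issue_client_cert() {
    days="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
        -subj "/CN=Example Printer CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" \
        -subj "/CN=example-client" >/dev/null 2>&1
    openssl x509 -req -in "$WORKDIR/client.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days "$days" -sha256 \
        -out "$WORKDIR/client.crt" >/dev/null 2>&1
}

# Check that the client certificate chains to the CA; this is what a server
# configured for mutual TLS does with the certificate a client presents.
# Prints "valid" or "invalid".
verify_chain() {
    if openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/client.crt" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# Report whether the client certificate will still be valid $1 seconds from
# now. "openssl x509 -checkend N" exits 0 if the certificate outlives the
# window and 1 if it expires inside it. Prints "yes" or "no".
cert_outlives() {
    if openssl x509 -checkend "$1" -noout -in "$WORKDIR/client.crt" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run: a one-day client certificate passes chain verification,
# survives the next hour, and does not survive the next three days.
issue_client_cert 1
echo "chain: $(verify_chain)"
echo "valid in 1 hour:  $(cert_outlives 3600)"
echo "valid in 3 days:  $(cert_outlives 259200)"
```

The last check is the operational point behind the lifetime concern: a client whose only credential is a fixed certificate stops authenticating the moment that certificate expires, so whoever deploys such a client needs a renewal path (a re-issued certificate or a client update) before the expiry date, and the `-checkend` window is a cheap way to alert on that in advance.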
| LeFantome wrote:
| The play here is obviously that they want 3rd party services to
| use Bambu Connect instead of direct protocol integration. They
| will make Connect easy and direct too much work. That is what all
| the Panda talk was about. That way, when Bambu inevitably changes
| the model (e.g. subscription), we will have to pay to get access
| to the ecosystem. But Bambu will be able to claim that it is not
| them. We still support developer mode they will say, it is the
| evil third parties that do not.
|
| We need to make sure that dev mode becomes the de facto default.
| Don't fall for connect.
| axegon_ wrote:
| Bambu lab printers are truly awesome in terms of what they can do
| for a very reasonable price. Having said that, I have never
| upgraded mine nor have I ever connected it to the internet and
| never will. Nor will I update it. If it takes me 15 minutes to
| get an ssh client running on an esp8266 that can connect to a
| poorly secured server and execute shell commands, there is no way
| I'm letting proprietary Chinese hardware and software anywhere
| near my home network. But this is just a side hobby of mine, so I
| can live with carrying around an SD card. But I can see how
| something like that can be a major blow to business owners. I am
| not entirely sure if this blog post is just a response or sneaky
| backpedaling from Bambu Lab after the backlash they received
| over the last few days.
| sarchertech wrote:
| This stuff isn't gonna stop until we regulate it.
|
| I bought a Miku baby monitor specifically because they were the
| only manufacturer that had the feature I wanted that promised to
| never charge monthly fees to use it.
|
| Well then they went bankrupt and a company bought them, forced an
| over the air update that disabled every feature that made the
| thing worth buying (for $399), and sent out a letter demanding
| monthly payment to reenable the "advanced" features.
|
| Market forces won't fix this. Recurring revenue is just too
| tempting.
| igor47 wrote:
| Seems like the maker community, esp. YouTube influencers,
| uniformly recommend bambu. Curious-- do folks here have other
| recommendations? Equivalent quality, speed, maybe even price, but
| more committed to free software?
| aweiland wrote:
| Prusa
| thomassmith65 wrote:
| I gather the webpage (I didn't read it due to its bad smell)
| refers to this:
|
| Bambu Lab shutting out 3rd party slicers
|
| https://news.ycombinator.com/item?id=42735825
|
| Bambu Lab Firmware Update Forces Cloud Dependency and User Lock-In
|
| https://news.ycombinator.com/item?id=42756235
|
| New Bambu Lab Firmware Update Adds Mandatory Authorization
| Control System
|
| https://news.ycombinator.com/item?id=42769565
|
| BambuLabs removing 3rd party access to its printers
|
| https://news.ycombinator.com/item?id=42738118
___________________________________________________________________
(page generated 2025-01-20 23:00 UTC)