BambuLab basically locks down their entire 3D printer ecosystem with this ridiculous cloud authorization system.
You want to print locally via your LAN? Sorry, the cloud needs to authorize your g-code first.
Want to use another slicer to send your job to the printer? Sorry, no.
Would it really still surprise anyone if DRM'd filaments are next on their agenda? Their printers are good, their prices are cheap, but please, stop supporting this company.
https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/
...and less than 24 hours later, the BambuConnect app has been de-obfuscated, including Bambu's private key to sign HTTP requests.
https://hastebin.skyra.pw/pufugimoye.js
So much for their laughable security claims.
@fribbledom
Serves them right, lmao. Still glad I don't own a Bambu printer
@fribbledom ffffuck this noise... I hated them for the constant astroturfing, now I hate them even more...
@fribbledom thanks for posting this, I stirred up some shit on Reddit.
@fribbledom nice, someone beat me to it. I had the exe open in Ghidra on Friday but couldn't find anything useful.
@fribbledom@mastodon.social
Just to make sure nobody overreacts to this:
It seems like many people are misinterpreting the implications: https://www.reddit.com/r/BambuLab/comments/1i4k9m2/comment/m7zxwlb/
These keys can only be used to replicate what BambuConnect is doing (talking to official API servers in a very limited manner) without relying on closed-source binaries.
The overall device security isn't "broken" because of this, and it won't allow third-party slicers to use e.g. camera live view either.
Which breaks the new auth layer they're trying to introduce.
Context is everything: what you quoted is a response to people suggesting they may have used the same private key for other parts of the system, which would be ridiculous.
@fribbledom@mastodon.social I didn't claim otherwise
And you can revoke access for exposed keys in your API, so nothing is broken.
... and then they'll release a new BambuConnect version with a new key? Which then is immediately leaked again?
I'm not sure what you're trying to suggest, this solution simply doesn't work.
@fribbledom@mastodon.social They patch the issue and don't need to leak it anymore.
I'm getting the feeling you're really not quite understanding the situation.
You're supposed to run this software on your desktop. There's no technical way to release this and also keep the key private.
@fribbledom@mastodon.social
There are ways to make this secure, even if the private key is exposed to the user.
A very simple example would be a CA-like system, where the BambuLab servers sign the public keys generated by the connector, which can then be verified by the printers.
And yes, such a system can be extended so that third-party systems can still communicate with the printers.
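One way to build the CA-like scheme the comment above describes, as an added illustration (not code from BambuLab or from anyone in this thread) in Go with Ed25519. The certificate layout, serial numbers, revocation map and the G-code sample are constructed assumptions; the point it shows is that only the CA private key must stay secret, so a connector key that ends up on a user's desktop can be revoked by serial instead of re-keying every client.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
)

// Certificate is a minimal CA-style credential: the connector's public key
// and a serial number, signed by the vendor server's (CA) private key.
type Certificate struct {
	Serial    uint32
	PubKey    ed25519.PublicKey
	Signature []byte // CA signature over Serial || PubKey
}

// certBody is the exact byte string the CA signs and the printer verifies.
func certBody(serial uint32, pub ed25519.PublicKey) []byte {
	b := make([]byte, 4, 4+len(pub))
	binary.BigEndian.PutUint32(b, serial)
	return append(b, pub...)
}

// Issue runs on the vendor's server: it signs a public key the connector
// generated on the user's desktop. The CA private key never leaves the server.
func Issue(caPriv ed25519.PrivateKey, serial uint32, connPub ed25519.PublicKey) Certificate {
	return Certificate{serial, connPub, ed25519.Sign(caPriv, certBody(serial, connPub))}
}

// Printer holds only the CA public key and a set of revoked serials; a leaked
// connector key is handled by revoking its serial, not by shipping a new key.
type Printer struct {
	CAPub   ed25519.PublicKey
	Revoked map[uint32]bool
}

// Accept checks revocation, then the CA signature on the certificate, then
// the connector's signature over the job bytes themselves.
func (p Printer) Accept(cert Certificate, job, jobSig []byte) bool {
	if p.Revoked[cert.Serial] || !ed25519.Verify(p.CAPub, certBody(cert.Serial, cert.PubKey), cert.Signature) {
		return false
	}
	return ed25519.Verify(cert.PubKey, job, jobSig)
}
```

A certificate signed with a connector's own (possibly leaked) key fails the CA check, so holding a desktop key does not let anyone mint credentials for other clients.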