A proposal for local-only Authorization Control for Bambu Printers
As both a maker and a security engineer, I am disappointed to see the announcement from Bambu Labs this week regarding their plans to create a hard dependency on their cloud service to use their printers.
I am/was planning to purchase an X1C in the coming months to replace my aging and frustrating Ender 3v2. However, the new Authorization Control System will require cloud access to authorize access to core functions:
- Binding and unbinding the printer.
- Initiating remote video access.
- Performing firmware upgrades.
- Initiating a print job (via LAN or cloud mode).
- Controlling motion system, temperature, fans, AMS settings, calibrations, etc.
I do not need or want to use their cloud services to access or monitor my prints. I was planning to use their printer in LAN mode exclusively. Creating a hard dependency on their cloud is a showstopper for my purchase decision.
Professionally, I am a security engineer with over 30 years of experience. I have sent this proposal to Bambu Labs for an alternative method to provide the same protection for the privileged API calls on the printer while still maintaining access to these calls in 100% LAN mode.
Binding:
- User interacts with the printer UI to enable binding mode.
- Printer logic board starts the printer-side binding process, enabling the binding API.
- Printer UI displays a unique binding auth code, such as a 6- or 8-digit PIN.
- User prompts the printer client software (Bambu Studio, Connect, or third party) to bind to the printer, providing the PIN to authorize the connection.
- Client software generates a public/private key pair.
- Client software calls the binding API, providing the PIN and an X.509 CSR.
- Binding process signs the CSR and returns the certificate to the client software.
- Printer UI modally asks the user if they are done binding clients.
- If the user is done, the binding process shuts down to eliminate attacks on the binding process, like those seen with WiFi WPS.
- If not, another unique PIN is provided to the user to bind another client.
Printing and printer control:
- Client software authenticates to the printer, including for access to privileged APIs, using mutual TLS with the client certificate issued by the printer.
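As an added illustration that is not part of this proposal or of any Bambu software, here is the binding flow and the mTLS check written in Go with only the standard library: the printer acts as its own CA, the PIN is single-use and compared in constant time, the client proves possession of its private key through the CSR signature, and a client certificate is accepted only if it chains to that particular printer's CA. The function names, the 8-digit PIN length and the one-year certificate lifetime are my assumptions.

```go
package main
import ("crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/subtle"; "crypto/x509"; "crypto/x509/pkix"; "errors"; "fmt"; "math/big"; "time")
// Printer is the printer-side state: its own CA plus the current single-use binding PIN ("" = binding mode off).
type Printer struct{ caKey *ecdsa.PrivateKey; CACert *x509.Certificate; pin string }

// NewPrinter creates the printer's self-signed CA once at first boot; the CA key never leaves the logic board.
func NewPrinter() (*Printer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "printer-ca"}, NotBefore: time.Now(),
		NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &Printer{caKey: key, CACert: cert}, err
}

// StartBinding is triggered from the printer UI; the returned 8-digit PIN (assumed length) is what the screen shows.
func (p *Printer) StartBinding() string {
	n, _ := rand.Int(rand.Reader, big.NewInt(100000000))
	p.pin = fmt.Sprintf("%08d", n)
	return p.pin
}

// Bind is the binding API. The PIN is compared in constant time and consumed on the first attempt, right or
// wrong, so anyone on the LAN gets one guess per user-initiated binding session (the WPS lesson).
func (p *Printer) Bind(pin string, csrDER []byte) ([]byte, error) {
	ok := p.pin != "" && subtle.ConstantTimeCompare([]byte(pin), []byte(p.pin)) == 1; p.pin = "" // consumed either way
	if !ok { return nil, errors.New("binding rejected") }
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err } // client proves it holds the private key
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63)); serial.Add(serial, big.NewInt(1)) // positive
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: csr.Subject, NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, p.CACert, csr.PublicKey, p.caKey)
}

// NewClientCSR is the client side (Studio, Connect or a third-party tool): a fresh key pair and a CSR for it.
func NewClientCSR(name string) (key *ecdsa.PrivateKey, csrDER []byte, err error) {
	if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil { return nil, nil, err }
	csrDER, err = x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key)
	return key, csrDER, err
}

func (p *Printer) VerifyClient(certDER []byte) error { // the mTLS listener's check: cert must chain to this printer's CA
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	pool := x509.NewCertPool(); pool.AddCert(p.CACert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

A second printer built with NewPrinter has its own CA, so a certificate it never issued fails VerifyClient, which is what stops a certificate extracted from one device or app from being reused everywhere.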
I release this design under the Creative Commons CC0 (i.e. public domain) license.
I hope Bambu Labs seriously reconsiders this decision to impose a hard cloud requirement. Continuing down this path will force me to select a different, more open, manufacturer for my next printer and recommend to friends and colleagues that they not purchase Bambu Labs printers.
Edited to add: Seems that the Bambu Connect app has already been reverse engineered and a cert and private key were extracted from it. That's some serious security ass-hattery there. It's effing 2025, people, you don't hard-code creds or private keys into your application.