Bambu Lab pushes a control system for 3D printers, and boy, did it not go well
arstechnica.com
You can fit so many arguments about consumer rights into this bad boy

Security measure? Boxing out third-party tools? Or something more complex?

Kevin Purdy, Jan 21, 2025 6:21 pm

Bambu Lab, a major maker of 3D printers for home users and commercial "farms," is pushing an update to its devices that it claims will improve security while still offering third-party tools "authorized" access. Some in the user community, and 3D printing advocates broadly, are pushing back, suggesting the firm has other, more controlling motives.

As is perhaps appropriate for 3D printing, this matter has many layers, some long-standing arguments about freedom and rights baked in, and a good deal of heat.

Bambu Lab's image marketing Bambu Handy, its cloud service that allows you to "Control your printer anytime anywhere, also we support SD card and local network to print the projects." Credit: Bambu Lab

Printing more, tweaking less

Bambu Lab, launched in 2022, has stood out in the burgeoning consumer 3D printing market because of its printers' capacity for printing at high speeds without excessive tinkering or maintenance. The product page for the X1 series, the printer first targeted for new security, starts with the credo, "We hated 3D printing as much as we loved it." Bambu's faster, less fussy multicolor printers garnered attention, including an ongoing patent lawsuit from established commercial printer Stratasys.

Part of Bambu's "just works" nature relies on a relatively more closed system than its often open-minded counterparts.
Sending a print to most Bambu printers typically requires either Bambu's cloud service, or, in "LAN mode," a manual "sneakernet" transfer through SD cards. Cloud connections also grant perks like remote monitoring, and many customers have accepted the trade-off.

However, other customers, eager to tinker with third-party software and accessories, along with those fearing a subscription-based future for 3D printing, see Bambu Lab's purported security concerns as something else. And Bambu acknowledges that its messaging on its upcoming change came out in rough shape.

Authorized access and operations

"Firmware Update Introducing New Authorization Control System," posted by Bambu Lab on January 16 (and since updated twice), states that Bambu's printers (starting with its popular X series, then the P and A lines) will receive a "significant security enhancement to ensure only authorized access and operations are permitted." This would, Bambu suggested, mitigate risks of "remote hacks or printer exposure issues" and lower the risk of "abnormal traffic or attacks."

"By ensuring that all interactions with the hardware (such as moving axes, heating components, or performing other critical actions) are verified and secure, we can minimize risks and prevent potentially dangerous situations," Bambu wrote in a FAQ. This was necessary, Bambu wrote, because of increases in requests made to its cloud services "through unofficial channels," targeted DDOS attacks, and "peaks of up to 30 million unauthorized requests per day" (link added by Bambu).

While Bambu has caused attention-getting "abnormal traffic" before, and 3D printer web hacks are real, many of its customers noticed a less-touted effect: third-party software and tools, like slicers (which turn 3D designs into machine-printable "slices") and third-party screens, losing direct access to Bambu printers. Instead, "Bambu Connect" software offers devices like OrcaSlicer protocols to send printer instructions and get a printer's status.
As pitched initially, this would have applied to all Bambu printers, whether on local, non-Internet-exposed "LAN Mode" or on "Cloud Mode."

Notably, those who use Bambu's own slicer, Bambu Studio, would not be impacted by the incoming firmware upgrade, as that software will keep working as-is.

Unfortunate misinformation circulating online

How did this go over? So well that Bambu issued a second blog post about the change four days later, sub-titled "Setting the record straight about our security update." Addressing "a mix of valuable feedback and unfortunate misinformation circulating online," the firm denied claims about subscription-required printing, remote file monitoring or bricking, third-party filament blocking, and other fears, uncertainties, and doubts.

Using third-party software through Bambu Connect, the difference for users is "not much," Bambu Lab suggests, adding a GIF of a "seamless" authentication inside the OrcaSlicer app. More importantly, the firm said it would update LAN mode on its devices so that there is a Standard Mode with Bambu Connect in place and a Developer Mode that leaves the printer's MQTT, live stream, and FTP functions open.

The MQTT protocol blocking is particularly notable, as a popular third-party screen and control device, Panda Touch, would not work without it in "Standard Mode." Bambu states in its second post that it reached out to manufacturer BTT and informed them that using undocumented ("exploited," in Bambu's terms) MQTT protocols "was unsustainable and would place customers in an awkward situation once we updated the system." Big Tree Tech has posted its own version of their talks and history, suggesting that it never got full answers from Bambu, but it plans to ensure the devices work with Developer Mode in the future.

Private key already extracted

Open source hardware hacker and YouTube creator Jeff Geerling posted a video on Monday, titled "I probably won't buy another Bambu Lab printer."
Geerling doesn't traffic in motives or conspiracy but speaks to broader concerns about Bambu's messaging, treatment of third-party hardware, and customer rights. As for security, "Every IoT [Internet of Things] device has these problems, and there are better ways to secure things than by locking out access, or making it harder to access, or requiring their cloud to be integrated," Geerling said.

At the Hackaday blog, the mood was a good deal more adversarial. In a post on Monday about Bambu Lab's "announcement that it would be locking down all network access" to affected printers, it was noted that Bambu Connect, a "fairly low-effort Electron-based affair" (i.e., a containerized web application), has had its certificate and private key extracted. This encryption is "the sole thing standing in the way of tools like OrcaSlicer talking with authentication-enabled Bambu Lab printers," Hackaday's post states.

Repair advocate Louis Rossmann, noting Bambu's altered original blog post, uploaded a video soon after, "Bambu's Gaslighting Masterclass: Denying their own documented restrictions." Rossmann also took aim at Bambu's Terms of Use, suggesting that the company was asking buyers to trust that Bambu wouldn't enact restrictive policies they otherwise wrote into their user agreements.

Ars has reached out to Bambu Lab for comment and will update this post with any response.

Kevin Purdy, Senior Technology Reporter

Kevin is a senior technology reporter at Ars Technica, covering open-source software, PC gaming, home automation, repairability, e-bikes, and tech history. He has previously worked at Lifehacker, Wirecutter, iFixit, and Carbon Switch.