Bambu Lab communication and security – answer
On November 23, I posted this post regarding the lack of security in Bambu Lab's WAN mode. Today they replied, saying that their developers mostly have a background in robotics and thus little understanding of internet security, but that they have started to educate themselves.
Their reply went through what they saw as some misunderstandings in my post:
“The printer doesn’t have an Ethernet port, and Wi-Fi isn’t secure with PSK”
It is important to point out that this statement is not entirely accurate as the printer supports Wi-Fi security protocols, including WPA/WPA2-PSK. If the WLAN is protected by WPA/WPA2-PSK, which is generally the default security protection nowadays on wireless routers, the WLAN connection should be relatively safe.
What I wrote in the article was that anyone who knows the PSK, which in practice means everyone connected to the average home access point, is on the same network as the printer. That the WLAN is encrypted with WPA/WPA2 does not change this: all clients share the same PSK, and each client's session keys are derived from that PSK plus values exchanged in the clear when it joins, so anyone holding the PSK who observes a client associate can recover that client's keys. More to the point, the WPA encryption only protects the air link. Any client on the WLAN can talk to the printer directly over IP, and in LAN mode the printer's own traffic is not independently encrypted, so between clients on that network it is effectively cleartext. It is still better than nothing, but the right fix is to encrypt everything end to end.
So, they summarise:
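To make the shared-key point concrete, here is an added example (my own illustration, not code from Bambu Lab or from the original post) that runs the WPA2-PSK key derivation for an access point, a station, and a second member of the same WLAN who knows the passphrase and has seen the station's 4-way handshake frames. The passphrase, SSID, MAC addresses and nonces are constructed sample values; the PMK/PTK derivation itself is the one defined in IEEE 802.11i.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    Every device on a WPA/WPA2-PSK network computes this same value."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
             anonce: bytes, snonce: bytes) -> bytes:
    """PTK (48 bytes for CCMP: KCK || KEK || TK) from the 4-way handshake.
    Besides the PMK, the inputs are the two MAC addresses and the two nonces,
    all of which are carried unencrypted in the handshake frames."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion"
    out = b""
    counter = 0
    while len(out) < 48:
        out += hmac.new(pmk, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:48]


# Constructed sample values for the demonstration (not captured from any real network).
SSID = "HomeWifi"
PSK = "correct horse battery staple"     # the shared passphrase every client knows
AP_MAC = bytes.fromhex("001122334455")
PRINTER_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))                 # 32-byte nonces, sent in the clear
SNONCE = bytes(range(32, 64))


def who_can_derive_the_printers_keys() -> dict:
    """Returns the PTKs computed by three parties.

    station:    the legitimate endpoint of the handshake (the printer).
    neighbour:  another client of the same WLAN, who knows the PSK and sniffed
                the unencrypted handshake frames; it repeats the same computation.
    outsider:   someone who sniffed the same frames but has the wrong passphrase.
    """
    station = wpa2_ptk(wpa2_pmk(PSK, SSID), AP_MAC, PRINTER_MAC, ANONCE, SNONCE)
    neighbour = wpa2_ptk(wpa2_pmk(PSK, SSID), AP_MAC, PRINTER_MAC, ANONCE, SNONCE)
    outsider = wpa2_ptk(wpa2_pmk("wrong passphrase", SSID),
                        AP_MAC, PRINTER_MAC, ANONCE, SNONCE)
    return {"station": station, "neighbour": neighbour, "outsider": outsider}


if __name__ == "__main__":
    keys = who_can_derive_the_printers_keys()
    print("neighbour has the printer's keys:", keys["neighbour"] == keys["station"])
    print("outsider has the printer's keys: ", keys["outsider"] == keys["station"])
```

The last 16 bytes of the PTK are the temporal key that CCMP uses to encrypt the printer's data frames, so a WLAN member with the PSK can decrypt them; and that member does not even need to sniff anything to reach the printer, since it already has an IP address on the same network. This is why WPA2-PSK protects the air link against outsiders but gives the printer no protection from the other clients, and why the application protocol has to carry its own encryption.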
The security of the LAN mode depends on the security of the WLAN at the moment. It is vulnerable if the LAN is not properly secured. We will work on an improvement for this by January 2023 and we will share an update when that becomes available.
The HTTP connection to the cloud vulnerability has now been fixed.
This is good! Kudos to Bambu Lab for fixing this quickly!
The cleartext keyID is a misunderstanding.
My apologies.
So, the WAN connection is a bit safer, and the LAN connection works, ish. All we need now to use this in LAN mode is a working camera.
roy
I’m impressed with such a fast and open response from Bambu Lab. I’m looking forward to seeing firmware updates from them that not only fix the issues you’ve raised but further improve the product. Thanks Roy, for raising these issues publicly and with Bambu Lab in the first place.
Quick question on the keyID. From what I read, it still seems dangerous even if the pre-signed URL is only for uploading an object.
That may be the case, I don’t know, but then, they have switched to HTTPS now, so it shouldn’t be a problem anymore.
@Howard
Why do private Citizens of another country need to tell this Chinese corporation to use HTTPS?
Bambu failed, and failed hard. Your answer sounds shilled.