Bambu Lockdown: Update

Bambu Lab has responded to much of the outrage over the upcoming changes, and some people were able to extract the X.509 cert used by the Bambu Connect app.

First, I'll start with the cert. Well, that was quick. I had said that, for Bambu Connect to be able to sit on a local network and NOT rely on the cloud, it would need the cert inside the product they shipped. And well... it does. This should go at least part of the way to quelling some of the fears about why. Though, on the flipside, it does nothing to dispel the theories that either the PMs or Devs (or both) actually have no clue how to secure software.

First, allowing Bambu Connect (BC) to remain disconnected from BL servers but still able to sign requests to the printer means that the cert needs to be compiled into BC. This means it is possible for someone to extract it from the code, or from memory while the app is running. Once extracted, they can do whatever malicious things the auth was meant to protect against. And since BL designed their printers to be able to function offline, this also means that those printers must ALWAYS accept messages signed by those certs.

Now, some may point out that the printer itself could reject the certs after 1 year. But the P1 series (and likely the A1 series as well) have no real-time clock (RTC). As such, they would have no way of knowing that the requests were signed by an expired certificate.
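To make the last three paragraphs concrete, here is an added example of my own (not anything from Bambu Lab or the Bambu Connect app): a self-signed one-year cert standing in for the key compiled into the app signs a request, and the printer-side check can only reject an expired signature when it has a trusted clock to compare against. The cert, the key and the message are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// Signer models the cert and key an app must carry to reach an offline printer (constructed, not the vendor's).
type Signer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewSigner builds a self-signed ECDSA cert valid for one year from notBefore.
func NewSigner(notBefore time.Time) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Signer{Cert: cert, Key: key}, err
}

// Sign produces an ASN.1 ECDSA signature over SHA-256(msg).
func (s *Signer) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, s.Key, h[:])
}

// Accept models the printer-side check; a nil now models a printer without an RTC.
func Accept(cert *x509.Certificate, msg, sig []byte, now *time.Time) bool {
	if cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig) != nil {
		return false // signature does not verify against the embedded cert
	}
	// Without a trusted clock the validity window cannot be checked at all.
	return now == nil || (!now.Before(cert.NotBefore) && !now.After(cert.NotAfter))
}
```

The point is the last line: whoever holds the extracted key can keep producing signatures the printer accepts, and a clockless printer has no way to tell that the cert behind them expired a year ago.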

As for the changes, it sounds like BL plans to add a Dev Mode option for LAN Mode which basically allows everything to function as it used to.

And this just proves that they still don't get it. Because the overwhelming majority of PC users in general are not computer literate enough to route traffic from their ISP to a specific device in the household, let alone set up dynamic DNS, most LAN Mode users are completely confined to their local network already. And, of those who ARE literate enough, most are also literate enough to do some rudimentary securing of their own networks. The Venn diagram intersection of people who CAN expose their printers to the internet but can't properly secure them would be incredibly small.

What I'm saying is: Dev Mode should simply be LAN Mode. This change would mean that BC is only needed for Cloud Mode. And since Cloud Mode implies required internet access, there is no longer any need to keep private keys locally, and some semblance of actual security could be achieved.

All that said, I'm still baffled as to why BC even exists. Just add the security to the Cloud API. We already need to sign into BL to give things like Orca Slicer access to the printers, and it looks like it is via some sort of OAuth or similar challenge. If that isn't sufficient for ongoing security, then simply have the auth process give us a JWT with an expiry and we refresh it periodically. I mean, BC had a cert with a 1 year life. You could even do something like a 1 month JWT and most people would likely be happy, and then the only things which potentially break are things like the Panda Touch.

The last thing I will toss in is: if what BL said about their communications with BIQU is true, then the fault for Panda Touch really is on BIQU and not BL. Now, if I were BL, I would see that there is a potential partner in BIQU who is doing things to help improve the desirability of your products and improve the lives of your customers. And with that, it would make a lot more sense to work with them ahead of such changes to come up with a way forward to maintain support. From what I can see online, BIQU devices are used by a sizeable chunk of the community. Hurting this many customers with a move that seems, and likely feels, needless to consumers just helps to fan the flames.