Consumer Rights Wiki

Bambu private keys leaked less than 24 hours after announcement: Difference between revisions

← Older editNewer edit →
VisualWikitext
Emanuele (talk | contribs)
confirmed, Administrators
966 edits
m fixed references and category, removed incomplete section
Abc (talk | contribs)
25 edits
more accurate implementation details and impact
Line 1: Line 1:
In January 2025, [[Bambu Lab|'''Bambu Lab''']] introduced an authorization control system<ref>[https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/? https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/?]</ref> for its X1-series 3D printers, aiming to enhance security by restricting critical operations to authorized applications, notably their own "Bambu Connect" app. As part of this change, certificate files and private keys responsible for decrypting communications were stored in the code of the updated software files.
In January 2025, [[Bambu Lab|'''Bambu Lab''']] introduced an authorization control system<ref>[https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/? https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/?]</ref> for its X1-series 3D printers, aiming to enhance security by restricting critical operations to authorized applications, notably their own "Bambu Connect" app. As part of this change, certificates and private keys responsible for distinguishing authorized applications from third-party applications were stored in the source code of Bambu Connect, Bambu Handy, and the network plugin.


==Private keys found==
==Private keys found==


Shortly after this implementation, security researcher [hWuxH] successfully extracted the X.509 certificate and private key from the Bambu Connect application. The application, built on the Electron framework, employed obfuscation techniques to protect its code. However, these measures proved insufficient, allowing the de-obfuscation of the main.js file and the exposure of sensitive cryptographic materials.<ref>https://hackaday.com/2025/01/19/bambu-connects-authentication-x-509-certificate-and-private-key-extracted/</ref>
Shortly after this implementation, security researcher [hWuxH] successfully extracted the X.509 certificate and private key from the Bambu Connect application. The application, built on the Electron framework, employed obfuscation techniques to protect its code. However, these measures proved insufficient, and the main.js file was deobfuscated, exposing sensitive cryptographic material which allow third parties to circumvent the imposed restrictions.<ref>https://hackaday.com/2025/01/19/bambu-connects-authentication-x-509-certificate-and-private-key-extracted/</ref>


==Company's response==
==Company's response==
Retrieved from "https://consumerrights.wiki/Bambu_private_keys_leaked_less_than_24_hours_after_announcement"