Bambu Lab Authorization Control System: Difference between revisions
removed content about the cease and desist from this article. it will be moved to a separate article |
m Removed red links; misc. |
||
| Line 1: | Line 1: | ||
{{IncidentCargo | {{IncidentCargo | ||
|Company=Bambu Lab | |Company=Bambu Lab | ||
|StartDate=2025 | |StartDate=16 January 2025 | ||
|EndDate= | |||
|Status=Active | |Status=Active | ||
|Type=Post-purchase terms change | |Type=Post-purchase terms change | ||
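Review bot: the new "StartDate=16 January 2025" in the IncidentCargo block is a substantive change that the revision summary shown above ("Removed red links; misc.") does not mention, and nothing in this hunk says which event the date refers to. State the event in the summary or on the talk page. The field also uses day-month-year while the citations in this article write dates as YYYY-MM-DD (for example "date=2024-03-01"), so use whichever form the template expects. The added empty "EndDate=" is consistent with "Status=Active".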
| Line 44: | Line 45: | ||
Bambu Lab has stated that the authorization system is in place in order to protect against "remote hacks," "printer exposure," and "abnormal traffic or attacks". The cited security incidents have specific context: | Bambu Lab has stated that the authorization system is in place in order to protect against "remote hacks," "printer exposure," and "abnormal traffic or attacks". The cited security incidents have specific context: | ||
*The "remote hacks" cited as an example in the article followed a reported security vulnerability in a 3D printer product; according to Bitdefender's reporting, the researcher infected machines to display a harmless message in order to publicize the unpatched flaw.<ref>{{Cite web |last=Cluley |first=Graham |date=2024-03-01 |title=Someone is hacking 3D printers to warn owners of a security flaw |url=https://www.bitdefender.com/en-au/blog/hotforsecurity/someone-is-hacking-3d-printers-to-warn-owners-of-a-security-flaw?ref=blog.bambulab.com |url-status=live |archive-url=https://web.archive.org/web/20260216002646/https://www.bitdefender.com/en-au/blog/hotforsecurity/someone-is-hacking-3d-printers-to-warn-owners-of-a-security-flaw?ref=blog.bambulab.com |archive-date=2026-02-16 |access-date=2025-05-01 |website= | *The "remote hacks" cited as an example in the article followed a reported security vulnerability in a 3D printer product; according to Bitdefender's reporting, the researcher infected machines to display a harmless message in order to publicize the unpatched flaw.<ref>{{Cite web |last=Cluley |first=Graham |date=2024-03-01 |title=Someone is hacking 3D printers to warn owners of a security flaw |url=https://www.bitdefender.com/en-au/blog/hotforsecurity/someone-is-hacking-3d-printers-to-warn-owners-of-a-security-flaw?ref=blog.bambulab.com |url-status=live |archive-url=https://web.archive.org/web/20260216002646/https://www.bitdefender.com/en-au/blog/hotforsecurity/someone-is-hacking-3d-printers-to-warn-owners-of-a-security-flaw?ref=blog.bambulab.com |archive-date=2026-02-16 |access-date=2025-05-01 |website=Bitdefender}}</ref> | ||
*In the article cited about printer exposure, the hack was carried out largely because of user misconfiguration.<ref>{{Cite web |last=Ms. Smith |date=2018-09-05 |title=Over 3,700 exposed 3D printers open to remote attackers |url=https://www.csoonline.com/article/566223/over-3700-exposed-3d-printers-open-to-remote-attackers.html?ref=blog.bambulab.com |url-status=live |archive-url=https://web.archive.org/web/20260216002556/https://www.csoonline.com/article/566223/over-3700-exposed-3d-printers-open-to-remote-attackers.html?ref=blog.bambulab.com |archive-date=2026-02-16 |access-date=2025-05-01 |website= | *In the article cited about printer exposure, the hack was carried out largely because of user misconfiguration.<ref>{{Cite web |last=Ms. Smith |date=2018-09-05 |title=Over 3,700 exposed 3D printers open to remote attackers |url=https://www.csoonline.com/article/566223/over-3700-exposed-3d-printers-open-to-remote-attackers.html?ref=blog.bambulab.com |url-status=live |archive-url=https://web.archive.org/web/20260216002556/https://www.csoonline.com/article/566223/over-3700-exposed-3d-printers-open-to-remote-attackers.html?ref=blog.bambulab.com |archive-date=2026-02-16 |access-date=2025-05-01 |website=CSO}}</ref> | ||
*The "abnormal traffic" can be mitigated by steps Bambu has already put in place, as detailed in their own article on the matter.<ref>{{Cite web |title=Summary of Security Incident Responses and Abnormal Cloud Traffic |url=https://wiki.bambulab.com/en/security-incidents-cloud-traffic?ref=blog.bambulab.com |url-status=live |archive-url= |archive-date= |access-date=2025-05-01 |website=[[Bambu Lab]] Wiki}}</ref> | *The "abnormal traffic" can be mitigated by steps Bambu has already put in place, as detailed in their own article on the matter.<ref>{{Cite web |title=Summary of Security Incident Responses and Abnormal Cloud Traffic |url=https://wiki.bambulab.com/en/security-incidents-cloud-traffic?ref=blog.bambulab.com |url-status=live |archive-url= |archive-date= |access-date=2025-05-01 |website=[[Bambu Lab]] Wiki}}</ref> | ||
*"Other malicious devices in the LAN" can be partially mitigated by steps Bambu has already put in place, as detailed in their own article on the matter.<ref>{{Cite web |last=@SpaghettiMonster |date=2022-11-25 |title=Answering network security concerns for our printers |url=https://blog.bambulab.com/answering-network-security-concerns/ |url-status=live |archive-url=https://ghostarchive.org/archive/CE0Ii |archive-date=2026-03-30 |access-date=2025-05-01 |website=[[Bambu Lab]] Blog}}</ref> | *"Other malicious devices in the LAN" can be partially mitigated by steps Bambu has already put in place, as detailed in their own article on the matter.<ref>{{Cite web |last=@SpaghettiMonster |date=2022-11-25 |title=Answering network security concerns for our printers |url=https://blog.bambulab.com/answering-network-security-concerns/ |url-status=live |archive-url=https://ghostarchive.org/archive/CE0Ii |archive-date=2026-03-30 |access-date=2025-05-01 |website=[[Bambu Lab]] Blog}}</ref> | ||
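Review bot: the Bitdefender and CSO citations now fill in "website=", but their "url=" values still carry the "?ref=blog.bambulab.com" referral parameter, as does the Bambu Lab Wiki citation. Strip it from "url=" and archive the clean URL so the references point at the canonical articles. The Bambu Lab Wiki citation also keeps "url-status=live" with empty "archive-url=" and "archive-date=", which makes it the only reference in this list with no archived copy backing the statement about mitigations already in place.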
| Line 58: | Line 59: | ||
**Confidentiality required by US Law: this is in conflict with users that have to comply with internal U.S. government classified information handling regulations.{{CitationNeeded}} | **Confidentiality required by US Law: this is in conflict with users that have to comply with internal U.S. government classified information handling regulations.{{CitationNeeded}} | ||
*'''Loss of offline independence while also using cloud''': Before, users could have hybrid offline setups. The requirement for authentication removes this option unless users revert to older firmware versions; Bambu Lab initially indicated rollback would not be permitted, though The Verge later reported that users could still downgrade and use LAN access keys while signed into the cloud. | *'''Loss of offline independence while also using cloud''': Before, users could have hybrid offline setups. The requirement for authentication removes this option unless users revert to older firmware versions; Bambu Lab initially indicated rollback would not be permitted, though The Verge later reported that users could still downgrade and use LAN access keys while signed into the cloud. | ||
*'''Increased complexity''': The added authentication layer complicates workflows for users who built custom setups or relied on third-party integrations for LAN control while retaining cloud functionality.<ref name=":4">{{Cite web | | *'''Increased complexity''': The added authentication layer complicates workflows for users who built custom setups or relied on third-party integrations for LAN control while retaining cloud functionality.<ref name=":4">{{Cite web |author=edlboston |date=Jan 2023 |title=Full Non-Cloud Based Network Option Needed |url=https://forum.bambulab.com/t/full-non-cloud-based-network-option-needed/3643 |url-status=live |archive-url=https://ghostarchive.org/archive/1ee4F |archive-date=2026-03-30 |access-date=2025-05-01 |website=[[Bambu Lab]] Community Forum |quote=Yes, I know about the LAN mode. But as has been stated by many people, things like the camera will not work, nor will the Handy app. There is no technical reason that these are bound to the cloud. This is the problem and why I titled this FULL Non-Cloud Network.}}</ref> | ||
*LAN-Only mode in Orca Slicer is implemented by passing API Calls to the installed proprietary Bambu Network Plug-In (unlike BTT and other solutions that did indeed communicate with printer directly via MQTT protocol). | *LAN-Only mode in Orca Slicer is implemented by passing API Calls to the installed proprietary Bambu Network Plug-In (unlike BTT and other solutions that did indeed communicate with printer directly via MQTT protocol). | ||
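Review bot: the completed forum citation in the "Increased complexity" bullet uses "author=edlboston" and "date=Jan 2023", while the other Bambu Lab forum citations in this article use "last=" with an @-prefixed handle and a full YYYY-MM-DD date (for example "last=@hho |date=2025-01-15"). Use one convention so the references render consistently. The unchanged bullet that follows, on Orca Slicer's LAN-only mode passing API calls to the proprietary Bambu Network Plug-In rather than speaking MQTT to the printer directly, is the most technical claim in this block and carries no reference, so it would be worth sourcing while this section is being edited.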
| Line 69: | Line 70: | ||
===X1E firmware 01.01.02.00 LAN-mode connection failure=== | ===X1E firmware 01.01.02.00 LAN-mode connection failure=== | ||
Newly received X1E printers with firmware 01.01.02.00 will not connect to the Bambu Studio using the Lan only method password. Bambu Studio identifies the un-logged printer but will not allow a connection to the printer. Only after connection / account pairing is done over the Bambu Handy app by giving internet access to the PC and Printer then using the cloud service connection will Lan only communication and login work.<ref>{{Cite web |last= |date=2024 | Newly received X1E printers with firmware 01.01.02.00 will not connect to the Bambu Studio using the Lan only method password. Bambu Studio identifies the un-logged printer but will not allow a connection to the printer. Only after connection / account pairing is done over the Bambu Handy app by giving internet access to the PC and Printer then using the cloud service connection will Lan only communication and login work.<ref>{{Cite web |last= |date=Sep 2024 |title=Connect X1E to stand-alone computer |url=https://forum.bambulab.com/t/connect-x1e-to-stand-alone-computer/101474 |url-status=live |archive-url=https://web.archive.org/web/20260223033045/https://forum.bambulab.com/t/connect-x1e-to-stand-alone-computer/101474 |archive-date=2026-02-23 |access-date=2025-05-01 |website=[[Bambu Lab]] Community Forum}}</ref> | ||
==Implementation timeline and requirements== | ==Implementation timeline and requirements== | ||
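Review bot: narrowing the citation date to "Sep 2024" still leaves its "last=" parameter empty, so fill in the forum poster's handle or drop the parameter. The paragraph this citation supports also writes "Lan only" twice where the section heading uses "LAN-mode", which is worth normalising in the same pass.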
| Line 226: | Line 227: | ||
==Customer reactions== | ==Customer reactions== | ||
Customer reactions on community forums and Reddit were negative.<ref>{{Cite web |last=@hho |date=2025-01-15 |title=Bambu Studio 1.10.2 Public Beta |url=https://forum.bambulab.com/t/bambu-studio-1-10-2-public-beta/134549/4 |url-status=live |archive-url=https://ghostarchive.org/archive/ahrz6 |archive-date=2026-03-30 |access-date=2025-05-01 |website=[[Bambu Lab]] Community Forum |quote=Improvements Introduce authorization and authentication protection mechanism: Bambu Studio now supports signing and encrypting control commands sent to printers when the printer supports authorization and authentication protection. The printer will determine whether the commands can be executed. Hmmm. This reads suspiciously vague. It could mean that Bambu printers get an onboard permission handling, so that you can "lock down" your printer and set what commands can be run. But it could also mean that Bambu printers in (or of?) the future will only run Gcode encrypted and signed by Bambu Studio…}}</ref><ref>{{Cite web |last=@iranintoavan |title=Firmware Update Introducing New Authorization Control System |url=https://old.reddit.com/r/BambuLab/comments/1i2psvz/firmware_update_introducing_new_authorization/ |url-status=live |archive-url=http://web.archive.org/web/20250403012526/https://old.reddit.com/r/BambuLab/comments/1i2psvz/firmware_update_introducing_new_authorization/ |archive-date=2025-04-03 |access-date=2025-05-01 |website=Old [[Reddit]]}}</ref> Bambu Lab has historically pushed cloud-based printer interaction while offering limited LAN mode functionality<ref name=":4" />. 
Many customers argue that the security issues this locked-down firmware claims to address are actually consequences of the company's cloud-based design choices rather than inherent risks of local network control.<ref name="bambulab-forum-134549/12" /> After the announcement, Bambu Lab's Trustpilot page recorded a wave of one-star reviews citing the firmware restrictions as the reason for the rating.<ref>{{Cite web |title=Bambu Lab |url=https://www.trustpilot.com/review/bambulab.com?sort=recency |archive-url=https://web.archive.org/web/20250119162028/https://www.trustpilot.com/review/bambulab.com?sort=recency |archive-date=2025-01-19 |website= | Customer reactions on community forums and Reddit were negative.<ref>{{Cite web |last=@hho |date=2025-01-15 |title=Bambu Studio 1.10.2 Public Beta |url=https://forum.bambulab.com/t/bambu-studio-1-10-2-public-beta/134549/4 |url-status=live |archive-url=https://ghostarchive.org/archive/ahrz6 |archive-date=2026-03-30 |access-date=2025-05-01 |website=[[Bambu Lab]] Community Forum |quote=Improvements Introduce authorization and authentication protection mechanism: Bambu Studio now supports signing and encrypting control commands sent to printers when the printer supports authorization and authentication protection. The printer will determine whether the commands can be executed. Hmmm. This reads suspiciously vague. It could mean that Bambu printers get an onboard permission handling, so that you can "lock down" your printer and set what commands can be run. But it could also mean that Bambu printers in (or of?) 
the future will only run Gcode encrypted and signed by Bambu Studio…}}</ref><ref>{{Cite web |last=@iranintoavan |title=Firmware Update Introducing New Authorization Control System |url=https://old.reddit.com/r/BambuLab/comments/1i2psvz/firmware_update_introducing_new_authorization/ |url-status=live |archive-url=http://web.archive.org/web/20250403012526/https://old.reddit.com/r/BambuLab/comments/1i2psvz/firmware_update_introducing_new_authorization/ |archive-date=2025-04-03 |access-date=2025-05-01 |website=Old [[Reddit]]}}</ref> Bambu Lab has historically pushed cloud-based printer interaction while offering limited LAN mode functionality<ref name=":4" />. Many customers argue that the security issues this locked-down firmware claims to address are actually consequences of the company's cloud-based design choices rather than inherent risks of local network control.<ref name="bambulab-forum-134549/12" /> After the announcement, Bambu Lab's Trustpilot page recorded a wave of one-star reviews citing the firmware restrictions as the reason for the rating.<ref>{{Cite web |title=Bambu Lab |url=https://www.trustpilot.com/review/bambulab.com?sort=recency |archive-url=https://web.archive.org/web/20250119162028/https://www.trustpilot.com/review/bambulab.com?sort=recency |archive-date=2025-01-19 |website=TrustPilot}}</ref> | ||
As of publication, '''no changes have been announced for owners who never sign their printers into the Bambu cloud service'''. Past firmware updates allowed pairing the slicer via IP address and access key and performing offline firmware updates without ever signing the printer into the cloud, keeping local functionality unchanged.<ref name="firmware-update-introducing-new-authorization-control-system-2" /> | As of publication, '''no changes have been announced for owners who never sign their printers into the Bambu cloud service'''. Past firmware updates allowed pairing the slicer via IP address and access key and performing offline firmware updates without ever signing the printer into the cloud, keeping local functionality unchanged.<ref name="firmware-update-introducing-new-authorization-control-system-2" /> | ||
==Comparisons to similar practices by other companies== | ==Comparisons to similar practices by other companies== | ||
Bambu Lab's new authorization and authentication requirements have been compared to a number of practices by traditional printer manufacturers, such as [[HP]] and [[Epson]], who have faced backlash and litigation over [[digital rights management]] (DRM) practices in 2D printers.{{CitationNeeded}} | Bambu Lab's new authorization and authentication requirements have been compared to a number of practices by traditional printer manufacturers, such as [[HP]] and [[Epson]], who have faced backlash and litigation over [[digital rights management]] (DRM) practices in 2D printers.{{CitationNeeded}} | ||
A parallel from the 3D-printing industry is the 3D-printer manufacturer [[MakerBot]], whose 2012 shift from open-source, DIY-focused machines to closed-source, proprietary machines drove customers to less-expensive open-source competitors, as documented by Hackaday's 2016 obituary of the company.<ref>{{Cite web |last=Benchoff |first=Brian |date=2016-04-28 |title=The MakerBot Obituary |url=https://hackaday.com/2016/04/28/the-makerbot-obituary/ |url-status=live |archive-url=http://web.archive.org/web/20251208222057/https://hackaday.com/2016/04/28/the-makerbot-obituary/ |archive-date=2025-12-08 |access-date=2025-05-01 |website= | A parallel from the 3D-printing industry is the 3D-printer manufacturer [[MakerBot]], whose 2012 shift from open-source, DIY-focused machines to closed-source, proprietary machines drove customers to less-expensive open-source competitors, as documented by Hackaday's 2016 obituary of the company.<ref>{{Cite web |last=Benchoff |first=Brian |date=2016-04-28 |title=The MakerBot Obituary |url=https://hackaday.com/2016/04/28/the-makerbot-obituary/ |url-status=live |archive-url=http://web.archive.org/web/20251208222057/https://hackaday.com/2016/04/28/the-makerbot-obituary/ |archive-date=2025-12-08 |access-date=2025-05-01 |website=Hackaday}}</ref> MakerBot was also accused of asserting ownership over publicly available, open-source designs uploaded to its 3D print repository, Thingiverse.<ref>{{Cite web |last=Biggs |first=John |date=2014-05-28 |title=MakerBot Responds To Critics Who Claim It Is Stealing Community IP |url=https://techcrunch.com/2014/05/28/makerbot-responds-to-critics-who-claim-it-is-stealing-community-ip/ |url-status=live |archive-url=http://web.archive.org/web/20251111041317/https://techcrunch.com/2014/05/28/makerbot-responds-to-critics-who-claim-it-is-stealing-community-ip/ |archive-date=2025-11-11 |access-date=2025-05-01 |website=TechCrunch}}</ref> | ||
==TOS restricting development of third party devices and accessories== | ==TOS restricting development of third party devices and accessories== | ||
Archived discussion threads from January 2024 confirm that a clause restricting the development of third party devices and accessories - § 3.1 - has been part of the Bambu Lab Terms of Use at least since then.<ref>{{Cite web |last=@X1Plus |title=X1plus community Bambu Lab firmware - A win for everyone? |url=https://www.reddit.com/r/3Dprinting/comments/18zaay0/x1plus_community_bambu_lab_firmware_a_win_for/kggqg4n/ |url-status=live |archive-url=https://web.archive.org/web/20260222212657/https://old.reddit.com/r/3Dprinting/comments/18zaay0/x1plus_community_bambu_lab_firmware_a_win_for/kggqg4n/ |archive-date=2026-02-22 |access-date=2025-05-01 |website=[[Reddit]]}}</ref> Community reaction was split: some readers argued the clause is intended to restrict third-party development, while others characterized it as standard boilerplate in vendor terms.<ref>{{Cite web |last=@mflexx |title=Not updated. And this part is shared by pretty much every company that has ever existed on this planet. That's just blatant karma farming at this point. |url=https://www.reddit.com/r/BambuLab/comments/1ibhhg7/updated_tos_shots_fired/m9i78kj/ |url-status=live |archive-url=https://web.archive.org/web/20260222212738/https://old.reddit.com/r/BambuLab/comments/1ibhhg7/updated_tos_shots_fired/m9i78kj/ |archive-date=2026-02-22 |access-date=2025-05-01 |website=[[Reddit]]}}</ref> | Archived discussion threads from January 2024 confirm that a clause restricting the development of third party devices and accessories - § 3.1 - has been part of the Bambu Lab Terms of Use at least since then.<ref>{{Cite web |last=@X1Plus |title=X1plus community Bambu Lab firmware - A win for everyone? 
|url=https://www.reddit.com/r/3Dprinting/comments/18zaay0/x1plus_community_bambu_lab_firmware_a_win_for/kggqg4n/ |url-status=live |archive-url=https://web.archive.org/web/20260222212657/https://old.reddit.com/r/3Dprinting/comments/18zaay0/x1plus_community_bambu_lab_firmware_a_win_for/kggqg4n/ |archive-date=2026-02-22 |access-date=2025-05-01 |website=[[Reddit]]}}</ref> Community reaction was split: some readers argued the clause is intended to restrict third-party development, while others characterized it as standard boilerplate in vendor terms.<ref>{{Cite web |last=@mflexx |title=Not updated. And this part is shared by pretty much every company that has ever existed on this planet. That's just blatant karma farming at this point. |url=https://www.reddit.com/r/BambuLab/comments/1ibhhg7/updated_tos_shots_fired/m9i78kj/ |url-status=live |archive-url=https://web.archive.org/web/20260222212738/https://old.reddit.com/r/BambuLab/comments/1ibhhg7/updated_tos_shots_fired/m9i78kj/ |archive-date=2026-02-22 |access-date=2025-05-01 |website=[[Reddit]]}}</ref> | ||
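Review bot: the Trustpilot citation gains "website=TrustPilot", which does not match the spelling "Trustpilot" used in the sentence it supports, and it still lacks the "url-status=" and "access-date=" parameters that the other citations in this section carry. In the same paragraph, the sentence ending "functionality<ref name=":4" />." places the reference before the full stop, while the neighbouring sentences put the reference after the punctuation, so move the full stop ahead of the reference.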