Bambu Lab Authorization Control System: Difference between revisions
m use original reference
TasmanianRex, m No edit summary
(3 intermediate revisions by one other user not shown)
Line 1: | Line 1:
On January 16, 2025, the 3D-printer manufacturer | On January 16, 2025, the 3D-printer manufacturer Bambu Lab announced that future firmwares for their 3D printers would introduce an authorization and authentication protection mechanism for their connection and control, in the name of security. This mechanism restricts the use of third party accessories and slicers, such as Panda Touch and OrcaSlicer. Bambu has stated the following:<blockquote>''"This change is mitigating any risk of remote hacks or printer exposure issues that have happened in the past and also lower the risk of abnormal traffic or attacks."''<ref name="firmware-update-introducing-new-authorization-control-system-22">https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/</ref><ref>https://all3dp.com/4/bambu-lab-limits-third-party-printer-control-with-new-security-update/</ref></blockquote>
==Controversy regarding firmware updates== | ==Controversy regarding firmware updates==
Line 5: | Line 5:
===Potential for remote disabling of printers=== | ===Potential for remote disabling of printers===
A significant concern raised by the community revolves around the wording in Bambu Lab's [[Terms of Service]] and firmware update announcements. Critics and users argue that the phrasing leaves open the possibility for the manufacturer to remotely disable printers that are not updated to the latest firmware. Specifically, Bambu Lab's Terms of Service<ref>https://bambulab.com/en-us/policies/terms</ref> states that printers '''"may block new print jobs"''' if updates are not applied, which some users interpret as a potential pathway for forced obsolescence<ref name="firmware-update-introducing-new-authorization-control-system-2" /> | A significant concern raised by the community revolves around the wording in Bambu Lab's [[Terms of Service]] and firmware update announcements. Critics and users argue that the phrasing leaves open the possibility for the manufacturer to remotely disable printers that are not updated to the latest firmware. Specifically, Bambu Lab's Terms of Service<ref>https://bambulab.com/en-us/policies/terms</ref> states that printers '''"may block new print jobs"''' if updates are not applied, which some users interpret as a potential pathway for forced obsolescence.<ref name="firmware-update-introducing-new-authorization-control-system-2">https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/</ref> While defenders of Bambu Lab point out that offline modes such as SD-card printing and LAN-only setups would remain functional, others point out that the Terms of Service do not explicitly limit this restriction to cloud-based printing. This ambiguity has led to speculation that Bambu Lab could enforce broader limitations, effectively rendering printers inoperable for users who choose not to update.<ref>https://old.reddit.com/r/BambuLab/comments/1i45iy2/bambu_lab_reserves_the_right_to_brick_your/</ref>
====Editing of initial announcement==== | ====Editing of initial announcement====
Bambu users were concerned they would not be able to utilize their printer if they did not install this update, due to the wording of the blog and the terms of service<ref>[[:File:Bambu tos screenshot.png]]</ref> | Bambu users were concerned they would not be able to utilize their printer if they did not install this update, due to the wording of the blog and the terms of service.<ref>[[:File:Bambu tos screenshot.png]]</ref> This caused confusion since users report that Bambu's blog post dated January 16th<ref>https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/</ref> specifically says the following:<blockquote>
====<sup>What happens if I never upgrade to this firmware?</sup>==== | ====<sup>What happens if I never upgrade to this firmware?</sup>====
<sup>You may continue using an older firmware version that does not include the new security updates; however, this means the printers may miss out on important security fixes or bug patches included in newer versions. We highly encourage updating to the latest firmware version for the best experience and enhanced security.</sup></blockquote>However, '''this was not present on the day of the announcement.''' A snapshot of their webpage from archive.is demonstrates this section did not exist on the day of the announcement, when community members voiced their concerns.<ref>https://archive.is/ejq3R</ref><ref>[[:File:2024-01-16-Firmware Update Introducing New Authorization Control System.pdf]]File:2024-01-16-Firmware Update Introducing New Authorization Control System.pdf</ref> Bambu's response to community feedback<ref>https://blog.bambulab.com/updates-and-third-party-integration-with-bambu-connect/</ref> references ''"social media posts spreading baseless allegations and untrue claims about Bambu Lab",'' including ''"Firmware updates will block your printer’s ability to print.",'' without mentioning the context for those allegations. The context for those allegations was the lack of inclusion of the ''"What happens if I never upgrade to this firmware?"'' in Bambu's initial announcement alongside their stated terms of service. | <sup>You may continue using an older firmware version that does not include the new security updates; however, this means the printers may miss out on important security fixes or bug patches included in newer versions. We highly encourage updating to the latest firmware version for the best experience and enhanced security.</sup></blockquote>However, '''this was not present on the day of the announcement.''' A snapshot of their webpage from archive.is demonstrates this section did not exist on the day of the announcement, when community members voiced their concerns.<ref>https://archive.is/ejq3R</ref><ref>[[:File:2024-01-16-Firmware Update Introducing New Authorization Control System.pdf]]File:2024-01-16-Firmware Update Introducing New Authorization Control System.pdf</ref> Bambu's response to community feedback<ref>https://blog.bambulab.com/updates-and-third-party-integration-with-bambu-connect/</ref> references ''"social media posts spreading baseless allegations and untrue claims about Bambu Lab",'' including ''"Firmware updates will block your printer’s ability to print.",'' without mentioning the context for those allegations. The context for those allegations was the lack of inclusion of the ''"What happens if I never upgrade to this firmware?"'' in Bambu's initial announcement alongside their stated terms of service.
Line 40: | Line 40:
*Operating printers exclusively in offline modes. | *Operating printers exclusively in offline modes.
*Utilizing LAN connections or VPN setups: this requires an access key from the printer (previously, you could use your cloud credentials over LAN). | *Utilizing LAN connections or VPN setups: this requires an access key from the printer (previously, you could use your cloud credentials over LAN).
*Exploring alternative firmware or third-party scripts to restore full functionality<ref>https://old.reddit.com/r/BambuLab/comments/1i45iy2/bambu_lab_reserves_the_right_to_brick_your/m7t8i7r/</ref> | *Exploring alternative firmware or third-party scripts to restore full functionality.<ref>https://old.reddit.com/r/BambuLab/comments/1i45iy2/bambu_lab_reserves_the_right_to_brick_your/m7t8i7r/</ref>
==Bambu Lab's justification and rebuttal== | ==Bambu Lab's justification and rebuttal==
Line 47: | Line 47:
*'''The "remote hacks" that were cited as an example in the article seem to be a direct result of the 3D-printer vendor not responding properly to a reported security vulnerability in their product.<ref>[https://www.bitdefender.com/en-au/blog/hotforsecurity/someone-is-hacking-3d-printers-to-warn-owners-of-a-security-flaw?ref=blog.bambulab.com https://www.bitdefender.com/en-au/blog/hotforsecurity/someone-is-hacking-3d-printers-to-warn-owners-of-a-security-flaw]</ref> Therefore, in order to get attention, the researcher decided to infect machines and display a harmless message to spread publicity.''' Properly responding to security vulnerabilities, working to patch them quickly, and working with the security community (who would be more than happy to help secure products) would be some ways to prevent this. | *'''The "remote hacks" that were cited as an example in the article seem to be a direct result of the 3D-printer vendor not responding properly to a reported security vulnerability in their product.<ref>[https://www.bitdefender.com/en-au/blog/hotforsecurity/someone-is-hacking-3d-printers-to-warn-owners-of-a-security-flaw?ref=blog.bambulab.com https://www.bitdefender.com/en-au/blog/hotforsecurity/someone-is-hacking-3d-printers-to-warn-owners-of-a-security-flaw]</ref> Therefore, in order to get attention, the researcher decided to infect machines and display a harmless message to spread publicity.''' Properly responding to security vulnerabilities, working to patch them quickly, and working with the security community (who would be more than happy to help secure products) would be some ways to prevent this.
*In the article cited about printer exposure, the hack was carried out largely because of user misconfiguration.<ref>[https://www.csoonline.com/article/566223/over-3700-exposed-3d-printers-open-to-remote-attackers.html?ref=blog.bambulab.com https://www.csoonline.com/article/566223/over-3700-exposed-3d-printers-open-to-remote-attackers.html]</ref> Printer exposure can be mitigated by offering more convenient ways to securely expose printers to the internet, so that users are not tempted to allow unauthenticated access over the network. | *In the article cited about printer exposure, the hack was carried out largely because of user misconfiguration.<ref>[https://www.csoonline.com/article/566223/over-3700-exposed-3d-printers-open-to-remote-attackers.html?ref=blog.bambulab.com https://www.csoonline.com/article/566223/over-3700-exposed-3d-printers-open-to-remote-attackers.html]</ref> Printer exposure can be mitigated by offering more convenient ways to securely expose printers to the internet, so that users are not tempted to allow unauthenticated access over the network.
*The "abnormal traffic" can be mitigated by steps Bambu has already put in place, as detailed in their own article on the matter<ref>[https://wiki.bambulab.com/en/security-incidents-cloud-traffic?ref=blog.bambulab.com https://wiki.bambulab.com/en/security-incidents-cloud-traffic]</ref> | *The "abnormal traffic" can be mitigated by steps Bambu has already put in place, as detailed in their own article on the matter.<ref>[https://wiki.bambulab.com/en/security-incidents-cloud-traffic?ref=blog.bambulab.com https://wiki.bambulab.com/en/security-incidents-cloud-traffic]</ref>
*"Other malicious devices in the LAN" can be partially mitigated by steps Bambu has already put in place, as detailed in their own article on the matter.<ref>https://blog.bambulab.com/answering-network-security-concerns/</ref> Another mitigation is to add stronger authentication mechanisms, rather than using a weak pre-shared LAN access code as is currently the case. | *"Other malicious devices in the LAN" can be partially mitigated by steps Bambu has already put in place, as detailed in their own article on the matter.<ref>https://blog.bambulab.com/answering-network-security-concerns/</ref> Another mitigation is to add stronger authentication mechanisms, rather than using a weak pre-shared LAN access code as is currently the case.
Line 58: | Line 58:
**Confidentiality required by US Law - This is in conflict with those that have to comply with 18 CFR § 3a.61, 32 CFR § 117.15, 32 CFR § 2001.47, and other restrictions. | **Confidentiality required by US Law - This is in conflict with those that have to comply with 18 CFR § 3a.61, 32 CFR § 117.15, 32 CFR § 2001.47, and other restrictions.
*'''Loss of offline independence while also using cloud''': Before, users could have hybrid offline setups. The requirement for authentication removes this option unless users revert to older firmware versions, which Bambu does not allow people to do once they have updated to the firmware using the new scheme. | *'''Loss of offline independence while also using cloud''': Before, users could have hybrid offline setups. The requirement for authentication removes this option unless users revert to older firmware versions, which Bambu does not allow people to do once they have updated to the firmware using the new scheme.
*'''Increased complexity''': The added authentication layer complicates workflows for users who built custom setups or relied on third-party integrations for LAN control while retaining cloud functionality<ref>https://forum.bambulab.com/t/full-non-cloud-based-network-option-needed/3643</ref> | *'''Increased complexity''': The added authentication layer complicates workflows for users who built custom setups or relied on third-party integrations for LAN control while retaining cloud functionality.<ref>https://forum.bambulab.com/t/full-non-cloud-based-network-option-needed/3643</ref>
It is worth noting that: | It is worth noting that:
Line 86: | Line 86:
These software updates are mandatory for users who update their firmware. Failing to update all components simultaneously will result in certain printer controls becoming unusable. Users who choose to maintain third-party software compatibility can continue using older firmware versions, or downgrade the firmware for new printers that ship with the authorization system pre-installed. | These software updates are mandatory for users who update their firmware. Failing to update all components simultaneously will result in certain printer controls becoming unusable. Users who choose to maintain third-party software compatibility can continue using older firmware versions, or downgrade the firmware for new printers that ship with the authorization system pre-installed.
Bambu Lab states these coordinated updates are necessary because the new authorization system fundamentally changes how the printer validates and accepts commands. The older versions of Bambu Studio and Bambu Handy lack the authentication mechanisms required to interact with printers running the new firmware. The Bambu Connect application was created specifically to provide a controlled interface for third-party software, replacing the previous direct access through network plugins<ref name="firmware-update-introducing-new-authorization-control-system-2" /> | Bambu Lab states these coordinated updates are necessary because the new authorization system fundamentally changes how the printer validates and accepts commands. The older versions of Bambu Studio and Bambu Handy lack the authentication mechanisms required to interact with printers running the new firmware. The Bambu Connect application was created specifically to provide a controlled interface for third-party software, replacing the previous direct access through network plugins.<ref name="firmware-update-introducing-new-authorization-control-system-2" />
==Impact on third-party integration and user choice== | ==Impact on third-party integration and user choice==
===Changes to third-party access=== | ===Changes to third-party access===
The new authorization system replaces direct network API access with a more limited URL-based interface through Bambu Connect. Third-party software can only interact with the printer by sending specific URL commands to Bambu Connect<ref name="bambu-connect" /> | The new authorization system replaces direct network API access with a more limited URL-based interface through Bambu Connect. Third-party software can only interact with the printer by sending specific URL commands to Bambu Connect.<ref name="bambu-connect" /> The interface requires three parameters:
*<code>path</code>: The absolute file system path to the 3MF file (e.g., /tmp/cube.gcode.3mf) | *<code>path</code>: The absolute file system path to the 3MF file (e.g., /tmp/cube.gcode.3mf)
Line 238: | Line 238:
==Customer reactions== | ==Customer reactions==
Customer reactions have been overwhelmingly negative.<ref>https://forum.bambulab.com/t/bambu-studio-1-10-2-public-beta/134549/4</ref><ref>https://old.reddit.com/r/BambuLab/comments/1i2psvz/firmware_update_introducing_new_authorization/</ref> Bambu Lab has historically pushed cloud-based printer interaction while offering limited LAN mode functionality<ref name="bambulab-forum-3643/9" />. Many customers argue that the security issues this locked-down firmware claims to address are actually consequences of the company's cloud-based design choices rather than inherent risks of local network control<ref name="bambulab-forum-134549/12" /> | Customer reactions have been overwhelmingly negative.<ref>https://forum.bambulab.com/t/bambu-studio-1-10-2-public-beta/134549/4</ref><ref>https://old.reddit.com/r/BambuLab/comments/1i2psvz/firmware_update_introducing_new_authorization/</ref> Bambu Lab has historically pushed cloud-based printer interaction while offering limited LAN mode functionality<ref name="bambulab-forum-3643/9" />. Many customers argue that the security issues this locked-down firmware claims to address are actually consequences of the company's cloud-based design choices rather than inherent risks of local network control,<ref name="bambulab-forum-134549/12" /> which continues to infuriate users who are now told that security is the justification for a loss of freedom. As a result of the announcement of the shift, customer ratings on sites like Trustpilot rapidly dropped,<ref>https://www.trustpilot.com/review/bambulab.com?sort=recency</ref> with many reviews citing the restrictions as the reason for the bad reviews.
The shift raises privacy concerns as the restricted LAN mode functionality will now push more users into Bambu's cloud infrastructure for processing user print data, including file names and print settings. | The shift raises privacy concerns as the restricted LAN mode functionality will now push more users into Bambu's cloud infrastructure for processing user print data, including file names and print settings.
Many community members and customers ask whether the significant costs of maintaining and deploying this cloud infrastructure might lead to future monetization of these now-mandatory services<ref name="bambulab-forum-3643/5" /> | Many community members and customers ask whether the significant costs of maintaining and deploying this cloud infrastructure might lead to future monetization of these now-mandatory services,<ref name="bambulab-forum-3643/5" /> with subscriptions required for features that once worked with local access.
It should be noted, however, that so far '''no changes have been made or indicated for those not using the cloud service'''. Past firmware updates made it possible to avoid using the cloud service completely by allowing pairing the slicer via IP address and access key and doing offline firmware updates without having to sign the printer into the service, not even temporarily, keeping local functionality unchanged. | It should be noted, however, that so far '''no changes have been made or indicated for those not using the cloud service'''. Past firmware updates made it possible to avoid using the cloud service completely by allowing pairing the slicer via IP address and access key and doing offline firmware updates without having to sign the printer into the service, not even temporarily, keeping local functionality unchanged.
Line 260: | Line 260:
==TOS restricting development of third party devices and accessories== | ==TOS restricting development of third party devices and accessories==
It is understood that the following section has been part of the Bambu Lab TOS at least since January 2024<ref>https://archive.is/uVLEG</ref> | It is understood that the following section has been part of the Bambu Lab TOS at least since January 2024,<ref>https://archive.is/uVLEG</ref> with some users suggesting that the purpose is to restrict development, while others argue that this is a standard clause used by companies around the world<ref>[https://archive.is/wip/kKlFU https://archive.is/kKlFU]</ref>.
“3.1 You may not use Bambu Lab technology or Bambu Lab intellectual property to develop software or design, develop, manufacture, sell, or license third-party devices/accessories associated with Bambu Lab Product without Bambu Lab's prior consent.”<ref>https://archive.is/KZqib</ref> | “3.1 You may not use Bambu Lab technology or Bambu Lab intellectual property to develop software or design, develop, manufacture, sell, or license third-party devices/accessories associated with Bambu Lab Product without Bambu Lab's prior consent.”<ref>https://archive.is/KZqib</ref>