Reverse engineering Bambu Connect: Difference between revisions

Abc (talk | contribs)
m reword cert -> pub key
Abc (talk | contribs)
m Reword impact
Tags: Mobile edit Mobile web edit Visual edit
Line 81: Line 81:
The private key is used to digitally sign critical operations, such as print jobs and G-code commands. The printer can validate whether received MQTT commands are signed by Bambu Connect using the app's public key, rejecting any unsigned or improperly signed commands.
The private key is used to digitally sign critical operations, such as print jobs and G-code commands. The printer can validate whether received MQTT commands are signed by Bambu Connect using the app's public key, rejecting any unsigned or improperly signed commands.


Bambu Lab's authorization control system that is meant to increase security is built on the assumption that third-party software does not have access to the private key and thus cannot create valid signatures.
Bambu Lab's authorization control system that is meant to increase security is entirely built on the assumption that third-party software does not have access to the private key and thus cannot create valid signatures.


However, since the private key has already been leaked, third-party software can now send critical operations, while risks or dangerous situations<ref>https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/</ref> are still not addressed by Bambu Lab.
However, since the private key has already been leaked, third-party software can now send print jobs and G-code commands again, while risks or dangerous situations<ref>https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/</ref> are still not addressed by Bambu Lab.


===Purpose of the certificates===
===Purpose of the certificates===
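
Review bot: In the last changed paragraph, the trailing clause "while risks or dangerous situations ... are still not addressed by Bambu Lab" does not say which risks are meant, so the reader has to open the referenced blog post to follow the claim. Name them in the sentence, or rephrase along the lines of "the risks described in Bambu Lab's announcement remain unaddressed". In the second paragraph, the added "entirely" strengthens the statement; it would be better supported if the sentence said why no other control exists, for example by tying it to the signature check described in the paragraph above. The section heading that follows still says "certificates" while the revised text speaks of a private key and the app's public key, so the terminology should be aligned.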