Reverse engineering Bambu Connect: Difference between revisions

Line 83:

The private key is used to digitally sign critical operations, such as print jobs and G-code commands. The printer can validate whether received MQTT commands are signed by Bambu Connect using the app's public key, rejecting any unsigned or improperly signed commands.

Bambu Lab's authorization control system that is meant to increase security is entirely built on the assumption that ~~attackers~~ do not have access to the private key and thus cannot create valid signatures.

Bambu Lab's authorization control system that is meant to increase security is entirely built on the assumption that others do not have access to the private key and thus cannot create valid signatures.

However, since the private key has already been leaked, third-party software can now ~~send print jobs~~ and ~~G-code commands again, while risks or dangerous situations<ref>[https://archive.is/x7QjG "Firmware Update Introducing New Authorization Control System"] - archive.~~is ~~- archived 2025-01-24</ref> are still not addressed by Bambu Lab~~.

However, since the private key has already been leaked, third-party software can now regain access to the lost functionality, and it is clear that the overall security characteristics have neither improved nor worsened compared to previous updates.

===Purpose of the certificates===

@@ Line 83: / Line 83: @@
 The private key is used to digitally sign critical operations, such as print jobs and G-code commands. The printer can validate whether received MQTT commands are signed by Bambu Connect using the app's public key, rejecting any unsigned or improperly signed commands.
-Bambu Lab's authorization control system that is meant to increase security is entirely built on the assumption that attackers do not have access to the private key and thus cannot create valid signatures.
+Bambu Lab's authorization control system that is meant to increase security is entirely built on the assumption that others do not have access to the private key and thus cannot create valid signatures.
-However, since the private key has already been leaked, third-party software can now send print jobs and G-code commands again, while risks or dangerous situations<ref>[https://archive.is/x7QjG "Firmware Update Introducing New Authorization Control System"] - archive.is - archived 2025-01-24</ref> are still not addressed by Bambu Lab.
+However, since the private key has already been leaked, third-party software can now regain access to the lost functionality, and it is clear that the overall security characteristics have neither improved nor worsened compared to previous updates.
 ===Purpose of the certificates===