
Bambu private keys leaked less than 24 hours after announcement

From Consumer_Action_Taskforce

In January 2025, Bambu Lab introduced an authorization control system[1] for its X1-series 3D printers, aiming to enhance security by restricting critical operations to authorized applications, notably their own "Bambu Connect" app. As part of this change, certificates and private keys responsible for distinguishing authorized applications from third-party applications were stored in the source code of Bambu Connect, Bambu Handy, and the network plugin.

Private keys found

Shortly after this change, security researcher hWuxH extracted the X.509 certificate and private key from the Bambu Connect application. The application, built on the Electron framework, relied on code obfuscation to protect its contents. These measures proved insufficient: the main.js file was deobfuscated, exposing the cryptographic material and allowing third parties to circumvent the imposed restrictions.[2]
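One pre-release check that catches this class of mistake, added here as an example and not code from Bambu Lab or from the cited research: a scanner that walks an unpacked application bundle for PEM-encoded private keys and certificates, reporting only a fingerprint so the report itself never carries the key. The constructed main.js fragment, the file suffixes, the app.asar mention and the placeholder base64 bodies are assumptions.

```python
import hashlib
import re
from pathlib import Path
from typing import NamedTuple

# PEM block; the backreferenced label forces BEGIN and END to agree.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+?)-----\s*"
    rb"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    rb"-----END (?P=label)-----"
)
PRIVATE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                  "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY"}

class Finding(NamedTuple):
    path: str
    label: str        # "PRIVATE KEY", "CERTIFICATE", ...
    severity: str     # "critical" for private keys, "info" for certificates
    fingerprint: str  # sha256 prefix of the body, so reports never carry the key

def _unescape_js_strings(data: bytes) -> bytes:
    # Minified or obfuscated JS keeps the PEM inside one string literal with a
    # two-character "\n"; normalise so the block looks like a file on disk.
    return data.replace(b"\\r\\n", b"\n").replace(b"\\n", b"\n")

def scan_bytes(data: bytes, path: str = "<memory>") -> list[Finding]:
    findings = []
    for m in PEM_RE.finditer(_unescape_js_strings(data)):
        label = m.group("label").decode()
        body = re.sub(rb"\s+", b"", m.group("body"))
        severity = "critical" if label in PRIVATE_LABELS else "info"
        findings.append(Finding(path, label, severity,
                                hashlib.sha256(body).hexdigest()[:16]))
    return findings

def scan_tree(root: str, suffixes=(".js", ".json", ".pem")) -> list[Finding]:
    # Walk an unpacked bundle, e.g. the directory extracted from app.asar (assumed layout).
    out: list[Finding] = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            out.extend(scan_bytes(p.read_bytes(), str(p)))
    return out

# Constructed sample of what a bundled main.js might contain; the base64
# bodies are placeholders, not real key or certificate material.
SAMPLE_MAIN_JS = (
    b'const c="-----BEGIN CERTIFICATE-----\\nQ0VSVF9QTEFDRUhPTERFUg==\\n-----END CERTIFICATE-----";'
    b'const k="-----BEGIN PRIVATE KEY-----\\nS0VZX1BMQUNFSE9MREVS\\n-----END PRIVATE KEY-----";'
)
```

Run `scan_tree("<unpacked-bundle-dir>")` in CI and fail the build on any critical finding; a certificate alone is usually fine to ship, a private key never is.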

Company's response

Bambu Lab clarified that the firmware update was optional and emphasized their commitment to maintaining an open ecosystem. They introduced a "Developer Mode" to facilitate continued use of third-party applications, acknowledging the community's desire for flexibility while balancing security considerations.[3]

References

  1. Kidd, Bambu (16 Jan 2025). "Firmware Update Introducing New Authorization Control System". Bambu Lab Blog. Retrieved 20 Apr 2025.
  2. Posch, Maya (19 Jan 2025). "Bambu Connect's Authentication X.509 Certificate And Private Key Extracted". Hackaday. Retrieved 20 Apr 2025.
  3. Hollister, Sean (22 Jan 2025). "Here's what Bambu will — and won't — promise after its controversial 3D printer update". The Verge. Retrieved 20 Apr 2025.