First of all, I would like to thank Roy Sigurd for his blog post about our network security. It is a wake-up call for the whole team here in Bambu Lab. In his detailed blog, many network security risks and concerns were raised. We read the blog on the day it was published and found merit in parts of the concerns raised, that we should act on immediately.
We admit that the security design of the whole Bambu Lab system was not the best from the very beginning. The honest reason is simply that the initial team has a background in robotics, but very little experience in network security. We now understand, thanks to the community contributions, that we have underestimated this issue, and there is no excuse for this.
In the early days, we even struggled to make the network and IOT system work, let alone secure it at the same time. Later on, we did realize this was a problem and decided to dedicate more resources, both internal and external, to address this problem. Unfortunately, it is now apparent that those actions were neither fast nor efficient enough.
In this blog, I will frankly and transparently answer all the concerns raised by Roy and let everyone know what we are going to do to tackle them in the coming days. We will use quotes to try and answer every concern.
"BambuStudio uses FTP and MQTT (the latter also cleartext) to communicate to the printer if in LAN mode. SFTP (SSHs FTP version) is well proven and secure."
When in LAN mode, where everything is local, we use FTP and MQTT to upload 3MF and then send the commands to the printer. The LAN mode was developed in a rush to meet the request of customers who do not wish to connect to the cloud due to seurity concerns. These services are not applied to public network communications. To accelerate the development of LAN mode, we made the erroneous assumption that "the LAN on the user's side is secured", which is not always the case and could lead to potential security risks for the printers within that unsecured network. We are putting additional resources on TLS/SSL for FTP and MQTT, and a scheduled release for an update on this issue in January 2023. Besides, we will close FTP port in the next firmware if LAN mode is not activated.
"The printer doesn’t have an ethernet port and wifi isn’t secure with PSK"
It is important to point out that this statement is not entirely accurate as the printer supports Wi-Fi security protocols, including WPA/WPA2-PSK. If the WLAN is protected by WPA/WPA2-PSK, which is generally the default security protection nowadays on wireless routers, the WLAN connection should be relatively safe.
"BambuStudio opens a connection to the cloud server over HTTP, meaning it’s all cleartext"
The Bambu Lab cloud service includes the following:
- The printer's control and status monitoring, such as movement controls, temperature controls, status report, etc. This is done via MQTTS, secured by TSL/SSL, to prevent the printer from being controlled by unauthorized entities.
- File transfers, such as sending 3MF files to the machines, which are indeed being sent through HTTP. The reason for this is due to an earlier firmware version (before August) not supporting HTTPS. Enforcing HTTPS on the server and Bambu Studio would disable cloud printing altogether for those printers. We had planned an update on this, but when the alarm by Roy was raised, we scrambled and enforced HTTPS on the cloud (November 25th) in order to rectify that immediately. This means that users with a firmware earlier than August will now be unable to connect to the cloud services unless the firmware is updated. Please update your firmware to the latest version as soon as possible, to ensure that the functionality is unaffected.
"Authentication is OSSAccessKeyId=xxx in the URL, again, all in cleartext."
This may be a misunderstanding. The OSSAccessKeyId in the file transfer link is the key name and not the key itself, which is only used as the basis for the server to find the corresponding key. We implemented the protection mechanism to the transmission url, which is based on the AWS S3 compatible cloud storage service protocol.
For the specific protocol, please refer to: https://docs.aws.amazon.com/AmazonS3/latest/userguide/PresignedUrlUploadObject.html.
We believe that there are no security issues in this particular area, but if there are any concerns in this regard, we will listen carefully and take the necessary measures to apply more hardening measures.
- The security of the LAN mode depends on the security of the WLAN at the moment. It is vulnerable if the LAN is not properly secured. We will work on an improvement for this by January 2023 and we will share an update when that becomes available.
- The HTTP connection to the cloud vulnerability has now been fixed.
- The cleartext keyID is a misunderstanding.
I would like to thank Roy for raising these concerns, and all the community members who point out any shortcomings from our side. This is a path of growth for us and with every step, we learn and improve, all thanks to you. If you want to discuss anything security related with us, we now have a dedicated email address where we can be reached: firstname.lastname@example.org. We take every reported issue very seriously and we will take all the necessary measures to improve the security aspect of our products.