Bambu private keys leaked less than 24 hours after announcement

In January 2025, Bambu Lab introduced an authorization control system^[1] for its X1-series 3D printers, aiming to enhance security by restricting critical operations to authorized applications, notably their own "Bambu Connect" app. As part of this change, certificate files and private keys responsible for decrypting communications were stored in the code of the updated software files.

Private keys found edit

Shortly after this implementation, security researcher [hWuxH] successfully extracted the X.509 certificate and private key from the Bambu Connect application. The application, built on the Electron framework, employed obfuscation techniques to protect its code. However, these measures proved insufficient, allowing the de-obfuscation of the main.js file and the exposure of sensitive cryptographic materials.^[2]

Company's response edit

Bambu Lab clarified that the firmware update was optional and emphasized their commitment to maintaining an open ecosystem. They introduced a "Developer Mode" to facilitate continued use of third-party applications, acknowledging the community's desire for flexibility while balancing security considerations.^[3]

References edit

[1] ttps://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/?

[2] ttps://hackaday.com/2025/01/19/bambu-connects-authentication-x-509-certificate-and-private-key-extracted/

[3] ttps://www.theverge.com/2025/1/21/24349031/bambu-3d-printer-update-authentication-filament-subscription-lock-answers

[1]

[2]

[3]