Talk:Bambu Lab Authorization Control System

I am not a bambu labs customer. I planned to be. But I spoke on their official facebook forum about a problem with a sunlu printer asking if anyone on there may know because the sunlu paths to help were fruitless. Immediately, people were crying that I had mentioned another printer brand and how that was irrelevant but I was pleading to the experts for a bit of help. Moments later, Bambu Lab staff banned me from the group. I binned the plan to become a customer right there. Some of the customer base and indeed the company, are toxic. Now I see this plan to own their customer base and I sure this is illegal with not logical reason - remember an airgapped network has only it's own security issues, one way traffic is a thing - except a poor excuse. Good luck in changing them. I dare say they will refuse all the way.

I am a year long anycubic customer and I feel vibes over there of ignorance and wonder what they plan on doing in the future.—The preceding unsigned comment was added by 81.78.58.48 (talk • contribs) 18:07, 19 January 2025 (UTC)Reply

A few things that should be added to the article:

• Bambu Lab published a press release from January 18, 2025 after all the heat they got from the initial blog post https://drive.google.com/drive/folders/11wl_DqAbSLPVMLZ_8jhlz4lGPLGFQPcp
• And here's a Mastodon user saying that this auth control system is a "DMCA trap", he also mentions precedents in the 3D printing market of ChiTu and Stratasys https://mas.to/@zzt/113848144602929391

The ChiTu/Chirtubox issue seems to be referring to this https://3dprintingindustry.com/news/chitu-systems-and-chitubox-a-lesson-in-fighting-open-source-3d-printing-194783/

Stratatsys may be this event https://arstechnica.com/gadgets/2024/08/stratasys-sues-bambu-lab-over-patents-used-widely-by-consumer-3d-printers/ — Lomanic (talk) 20:56, 19 January 2025 (UTC)Reply

Not sure if its worth adding here but a draft complaint letter to the EU highlighting the consumer protection laws Bambu are likely violating has been posted here: https://old.reddit.com/r/3Dprinting/comments/1i5lp86/eu_bambulab_customers_let_your_reps_deal_with_this/

Some of the citations in here seem off, specifically with regard to the claims Bambu is making regarding the cyber attacks which prompted these changes. One article is about an attack on Anycubic printers exclusively , and the other is from 2018, several years before Bambu even released their first printer. I appreciate the desire to highlight bad business practices, but how is this relevant at all to Bambu?

These articles were the ones Bambu themselves have linked in their bog post as examples of attacks they aim to prevent with this update. Kostas (talk) 14:08, 20 January 2025 (UTC)Reply

Bambu Lab's recent statement [1] as of January 20, 2025 seems like a half-hearted attempt to address the concerns of their customers, but it ultimately falls short in several key areas. The key issue remains that Bambu Lab wants to decide what use of the printer is "authorized" or which software/accessories are "legitimate".

The company has announced a "Developer Mode" that supposedly restores some of the functionality that was lost in the recent changes, but they've labeled it as "unsupported." This raises questions about whether this mode will be sufficient to allow customers to return their devices if they're not functioning properly, and whether it might break or degrade at any point in the future.

The statement only mentions Developer Mode for a few specific models, without confirming whether it will be available for all future models. This omission is significant, as it leaves customers wondering whether they'll be able to access this feature if they purchase a newer model.

Another issue is the lack of clarity around print farm software support. While Bambu Lab claims to be working with developers to implement proper authorization controls, they haven't specified whether there are any requirements or fees involved, or whether this option is open to open-source solutions.

The company's claims about their collaboration with Orca Slicer also seem misleading. The developer behind Orca Slicer has stated that they were negotiating for an authorization key to allow their software to communicate with Bambu Lab's devices, but were told that this wouldn't be supported. Instead, users would have to use Bambu Lab's own slicer or go through their Bambu Connect application. As @fever_soft on Twitter noted, "'Working with' is sort of misleading, and I’m growing tired of being used in the PR game now." [2] In an earlier statement, the developer wrote "I was negotiating for an authorization key to allow OrcaSlicer to communicate with their device like BambuStudio does, but today I was told they won't support this. Only their slicer can send prints directly; others must use their Bambu Connect" [3]

Bambu Lab's Terms of Service also contradict their claims about user control over firmware updates. The terms state that printers may refuse service without updates and that firmware may update itself, which directly contradicts the company's assertion that users are in control. As stated in their Terms of Service, "Your Bambu Lab product will automatically search for and download new update packages (...) Due to the importance of these updates, your product may block new print job before the updates is installed" [4]

The need for the proprietary Bambu Connect application in LAN mode is also a concern. This application contains a key with an expiration date, which raises questions about what will happen to air-gapped machines once the key expires. Bambu Lab hasn't explained how users will be able to keep their printers functional without having to update Bambu Connect constantly.

The implementation of Bambu Connect has also added inconvenience for users of third-party software, which is acknowledged in the statement but downplayed as a minor issue. However, this change has made it more cumbersome for users to use third-party software, without adding any real security benefits.

There's also no clear commitment to long-term support for Bambu Connect across all operating systems and versions, which is crucial for the longevity of the printers. The private key contained in the application has an expiration date, which means that a new version of Bambu Connect (and possibly the printer firmware) will be necessary at some point.

Bambu Lab's statement also fails to address the root causes of user concerns, instead trying to downplay the backlash as a "mix of valuable feedback and unfortunate misinformation." The company hasn't clarified whether they'll try to charge customers for subscriptions or additional fees after the sale of the device, which is a major concern for users. In fact, their Bambu Farm Manager Service Agreement states "BAMBU LAB MAY OFFER THE SERVICES AND SOFTWARE WITHOUT CHARGE, FOR A FEE, OR MAY CHARGE A FEE TO CERTAIN USERS OR FOR CERTAIN USES (E.G. COMMERCIAL USES). BAMBU LAB RESERVES THE RIGHT TO AND MAY CHANGE THE LICENSE AND FEE STRUCTURE, CONDITIONS, AND WHICH USERS OR USES REQUIRE A FEE" [5]

The situation with the Panda Touch accessory remains unresolved. Bambu Lab's changes have locked down devices, making it harder for users to install third-party upgrades, and the company hasn't addressed the concerns of existing customers who have purchased this accessory. As the manufacturer BigTreeTech noted on Twitter, "At this point we are still waiting to hear back from Bambu Lab regarding our request for the Panda Touch to be able to retain full functionality after the new firmware updates are installed." [6]

References:

[1] https://blog.bambulab.com/updates-and-third-party-integration-with-bambu-connect/

[2] https://x.com/fever_soft/status/1881240944680603806

[3] https://x.com/fever_soft/status/1880630570809795034

[4] https://bambulab.com/en/policies/terms (Last updated as of 24 April, 2024)

[5] https://bambulab.com/fr/policies/bambu-farm-manager-service-agreement (Last updated: 3 Jan, 2025)

[6] https://x.com/BigTreeTech/status/1881261442948898941

To regain the trust of their customers, Bambu Lab could

• Remove the need for the proprietary Bambu Connect application and its questionable "security by obscurity" scheme altogether in LAN mode, and allow any kind of software to directly control the devices as it has been before the changes
• Commit to Developer Mode a supported feature (as in: if it ceases to work properly, then it is a bug that will get fixed)
• Promise that Developer Mode allowing unfettered access to all functions of the devices will be and remain a supported feature for all current and future models and versions
• Clarify that they will not try to charge money from companies making third-party aftermarket hardware upgrades nor from software developers developing e.g., print farm software
• Give a clear commitment that all features of their current and future devices can be controlled by third-party and open source software without the need for any kind of "agreements" or "partnerships" with Bambu Lab, and especially without any form of NDAs or payments
• Allow the end user to perform firmware installations, including firmware downgrades and installing third-party firmware, without requiring the manufacturer's signatures or permissions
• Provide clear instructions on how to install third-party firmware on all components of the system

On the Discord there was mentioned that patent infringement litigation with Stratasys may be partially responsible for these changes.

The other more sinister reason could be DEMANDS that are subject to non disclosure by some three letter agency to provide logs of printed parts. A filename, print duration and video snapshots would be able to determine if your printer is printing a Liberator or a water pistol. There have been calls in the USA to require licensing of 3D printers again by ignorant politicians who think plugging a leak on the Titanic will raise the ship somehow. This reason is the most likely when the actions are not rational and the company is not prepared (able in their own eyes) to back down.

Security that is forced from the top down is ALWAYS a control move.

KalleMP

87.95.124.98 17:39, 21 January 2025 (UTC)Reply