Bambu Lab, the company behind my favorite 3D printers, has given itself one hell of a week. Now, I have answers to some of my burning questions, answers that you might also appreciate. But first, some history.
As of last Thursday, some creators have vowed to stop buying Bambu printers, even removing some of their 3D models from its online repository, after the company revealed it would be adding a new owner authentication mechanism that could prevent you from using third-party tools to remotely control your printer.
While you’d still be able to stick a file on an SD card and physically put it in your printer, or use Bambu’s proprietary cloud, the old way of printing remotely from a third-party slicer would be no more unless you download a new proprietary Windows and Mac “Bambu Connect” desktop application to act as the intermediary between your slicer and the Bambu hardware.
“Unauthorized third-party software will be prevented from executing critical operations” – Bambu
While Bambu was clear early on that this would be an optional update, one that you can simply choose not to install, the company also positioned it as a necessary one to secure printers against remote hacking. However, some owners immediately saw it as a possible bridge to enshittification.
They noted how Bambu printers can already detect if you’re using an official filament roll, and envisioned a future where Bambu could prevent you from using third-party filament altogether. They noted how Bambu already appears to be planning a subscription service for its print farm software, one that requires regular cloud activations, and envisioned a future where your Bambu printer stops working if you don’t pay.
Bambu has denied these and many other such fears in a subsequent blog post “setting the record straight,” and explained that its new tool does not require internet access or a user account. It also walked things back a little, pledging to provide an at-your-own-risk “Developer Mode” that maintains local access to your printer without any new owner authentication at all. Unfortunately, this mode may also disable your ability to access your printer via the cloud.
Meanwhile, Bambu did itself no favors by preventing people from using the Wayback Machine to review its changing statements, allegedly censoring criticism of the company in its subreddit, and claiming that the Orca Slicer developer was working with Bambu on a seamless way to continue printing directly from their popular third-party slicer when they had not promised their support.
It also hasn’t helped that Bambu’s own security around its new Bambu Connect app is such that hackers have already extracted its private key and authentication certificate, or that users have discovered that, in its Terms of Use, Bambu gives itself the right to block print jobs until a printer has finished automatically downloading firmware updates.
Anyway, I think the real question here is: are these changes a stepping stone to enshittification, or at least a walled garden, or aren’t they?
Here are the questions I sent to Bambu and the answers I received, via spokesperson Nadia Yaakoubi:
1) Will Bambu publicly commit to never requiring a subscription in order to control its printers and print from them over a home network?
For our current product line, yes. We will never require a subscription to control or print from our printers on a home network. However, there may be specific business scenarios in the future that require exceptions, e.g. a 3DP vending machine, but these will apply to completely different applications and customer needs. If such a product line is introduced, we will clearly communicate this prior to its launch.
1c) Will Bambu publicly commit to never putting any existing printer functionality behind a subscription?
2) Will Bambu publicly commit to never restricting the use of third-party filament in any way, shape or form?
For our current product line, yes. We have no plans to restrict the use of third-party filament in any way.
3) Will Bambu publicly commit to never monitoring files and prints transmitted between users and their printers over a home network?
Let’s be clear about how this works:
- LAN mode: Nothing is transmitted through our servers.
- Cloud mode: Users control their privacy through “stealth printing”. When enabled, no print history is recorded and files are not stored in the cloud.
- Cloud features: For features like reprinting, files are temporarily stored in the cloud to allow users to access their print history. Under no circumstances do we view the printed file/pattern without the express consent of our clients.
Bambu has also agreed to add a new Developer mode. Some users are worried that the move is just temporary and that Bambu could simply remove developer mode and claim that it was too risky for security or say that not enough users decided to use it to justify keeping it.
4) Will Bambu publicly commit to keep Developer mode with local MQTT, live streaming and FTP forever and never remove it in any future updates or shipping batches of the X1, P1, A1 and A1 Mini?
Yes. However, if a serious security issue arises in the future, we may need to make adjustments to address it. Users can always choose whether to update their printer’s firmware or not.
5) Will Bambu publicly commit to providing and keeping the local Developer mode available on any future printers it releases?
We cannot commit to features for printers that do not exist in the future. However, we will clearly communicate all relevant details before customers make their purchase decisions.
6) Will Bambu publicly commit that its current and future printers will forever be remotely controllable on a LAN without user accounts or Internet access?
For current models: Yes. For future products, while we intend to maintain this functionality, we believe that committing to a specific technical approach indefinitely is not responsible. However, we will clearly communicate all relevant details before customers make their purchase decisions.
Bambu has announced that Bambu Connect will integrate with third-party slicers like Orca, but some users are confused as to why an app like Bambu Connect is needed at all when Bambu could instead add more secure authentication to the printer itself, using industry-standard practices such as having the printer generate a secure token/API key, instead of creating a proprietary authentication broker application.
7) Did Bambu consider and reject interoperable ways of securing its printers, such as tokens?
7b) Will Bambu commit to changing its authentication system to an interoperable one? If Bambu rejected interoperable secure verification systems, why?
If the software communicates and interacts with our cloud system, it’s reasonable that we have a say in how it works. As noted in our blog post, unauthorized third-party software has created ongoing challenges to the stability of our cloud services and machines for a long time.
While we believe that most developers act with good intentions, users are often unaware of the hidden complexities within such software and security requirements. This lack of transparency of all software makes interoperable secure verification systems insufficient to fully resolve these issues. Our goal is to protect the entire ecosystem of Bambu Lab products, giving every user the confidence that our products are secure and easy to use—without worries about complex network configurations. And with the changes made, we’re one step closer to integrating third-party access in a secure way.
8) Is it true that the developer of Orca Slicer was not actually working with Bambu for the integration and that Bambu announced their inclusion without approval?
We have been in ongoing discussions with SoftFever, the developer of Orca Slicer, since January 14th regarding the firmware update and possible integration into the new version. “Working with” can be vague. To be more specific, messages were exchanged, files were sent and their receipt was confirmed along with an indication that they would be reviewed.
9) Will the Panda Touch and similar accessories still work in Developer Mode?
We guarantee to keep the port/channel open, but implementations are in the hands of third-party developers.
9b) Does Bambu answer that company’s questions?
Since release, we’ve received many inquiries from third-party software developers, including BigTreeTech, via devpartners@bambulab.com. We are currently in the process of finalizing our response. It’s worth noting that we warned third-party developers in a blog post from March 2024: “If you are developing a device that controls the entire printer, including heating elements and drive systems, please do not expect long-term support unless it has been approved by us in advance. This is particularly applicable to for-profit organizations.”
10) Will you allow users to revert to the old firmware, for instance if they accidentally update without realizing the limitations?
Yes. Firmware rollback was and will always be available.
11) Does leaking the private key change any of your plans?
No, this does not change our plans and we have taken immediate action.