Security is very important for Bambu Lab, and we prioritize security at every level of our services, from cloud services to mobile applications, hardware, and firmware security.
In this post, we'll dive deeper into how we ensure the security of our clients' 3D printers and explain the measures we take to safeguard against potential threats.
¶ Application security for Bambu Handy
Overall, this security architecture provides a robust and layered approach to protecting user data and the mobile application from security threats. By combining code encryption, virtual machine execution, HTTPS communication, and cloud security, the mobile application is protected against various types of attacks, such as data theft, code tampering, and interception of sensitive data.
This sensitive data, such as user preferences, configuration data, and point data, is encrypted (converted into a secret code) to ensure that it can not be accessed by unauthorized individuals or programs.
¶ Bambu Handy App Permissions:
- Phone - For App security and risk verification
- Storage - For uploading account content, avatars, or other media for Customer Support
- Camera - For video recording, and scanning QR codes
- Location - For device pairing purposes
- Notification - For push notifications
- Internet - For enabling internet communication and device pairing purposes
- Bluetooth - For device pairing purposes
¶ Device Security
Bambu Lab printers are shipped from the factory with the JTAG, serial, and USB ports disabled, to avoid the risk of an attacker acquiring and modifying the firmware through the debug interface.
For every step in the boot process, the firmware is encrypted and signed to ensure its integrity and confidentiality, and it can be run only after it's verified and decrypted.
Remote System Updates can be delivered to provide bug fixes and vulnerability patches. Every update package is signed and encrypted before releasing for code integrity, and the printer always verifies the signature of the update package before the update.
These device security features help prevent the installation and execution of malware on Bambu Lab printers ensuring the reliability of the printer software.
¶ Data Security
Users can export printer diagnostic and device logs through the SD card. These logs are used to locate, analyze and assess the causes of system failures. When the logs are exported, all the information is encrypted with an AES algorithm to ensure the confidentiality and security of the data
¶ Communication Security
The connection between all clients and cloud services uses TLS (Transport Layer Security) while also using certificate validation for cloud services.
Connections to the cloud service can be done via Wi-Fi connectivity which supports WPA Personal and WPA2 Personal authentication and encryption.
WPA2 authenticates each connection and provides 128-bit AES encryption to help ensure the confidentiality of data sent over the air. WPA2 is a commonly used encryption protocol that ensures user data is always protected when sending and receiving communications over a Wi-Fi network connection.
The Bambu Lab P1 series supports Bluetooth Low Energy (BLE) for printer network configuration and binding through the Handy app, and it makes use of AES-CMAC and P-256 elliptic curves, while also using AES-CCM protocols to ensure safe pairing.
LAN mode can also be used on Bambu Lab printers to allow the printer to function without the need for Cloud communication. The control of the printer is made through a local deployment of the control protocol and the MQTT server deployed inside the printer.
To allow secure communication, the MQTT server supports access code authentication and communication data encryption using TLS. Live video is also possible using the same protocols.
File uploads and downloads are possible with the use of FTPS and TLS encryption for secure file transfers.
¶ IoT Security
To provide the remote control features of the printers, Bambu Lab uses IoT services including device login, device information synchronization, firmware/software updates, user device binding, remote printing, slicing parameter management, cloud slicing, failure detection, and other functions.
Every device has a unique built-in 128-bit ID and password, which are randomly generated at the factory. When the device performs a binding action, the communication is done via HTTPS API, to get validation from the server.
Printers can be connected to a user account in the following 3 ways:
- Scanning a QR code shown on the printer
- Connecting to the printer via LAN through an SSDP message.
- Connecting through a Bluetooth connection
All three connection methods use secure authentication methods like HTTPS and TLS.
3D models can be sent to the printer using a LAN network connection or through our cloud services if a stable Internet connection is available.
When the files are sent to the printer through our cloud services, the .3mf files are sent to a temporary private storage location through an HTTPS secure channel. The uploaded file contains the validity period and the relevant authentication signature, and can only be used for uploading to maximize data security.
After the file is uploaded to the cloud, the printer obtains the print file address from the MQTT print command, downloads it locally, and parses it before starting the print process.
When it comes to the Video streaming service, the cloud connection acts as a security broker to validate the request and offer the stream to Bambu Handy and Studio. Both the video stream and the file transfers are protected with TLS encryption.
¶ Cloud Security
Bambu Lab provides users with a variety of Cloud Services to enrich product features, which are developed in accordance with the principles of Security by Design and Privacy by Design to fully protect user data security and strictly abide by privacy compliance legal requirements.
To protect user accounts, Bambu Lab implemented multiple login protections to detect malicious behavior for abnormal logins, collision attacks, or malicious registrations. Accounts also support binding with third-party accounts using the OAuth2.0 protocol, which ensures that information related to Bambu lab accounts are not passed to third parties.
Account registration and login requests are transmitted using HTTPS encryption while the login and password information is saved using PBKDF2 encryption.
When it comes to the infrastructure used for Cloud as a Service, Bambu Lab hosts its services in Amazon AWS for overseas customers and Alibaba Cloud for China. AWS is ISO 270001/27017/27018, SOC2 certified while Alibaba Cloud is ISO 27001 certified with CSA Start certification and SOC 2 independent audit.
In order to ensure the security of cloud services, network requests will pass through multiple security protection mechanisms before reaching back-end services, including Web Application Firewall (WAF),
DDoS protection, HTTPS protection and others.
The server-side operation and maintenance are operated by Bambu Lab's professional operation team. The team follows the best practices of resource management and authorization management recommended by Amazon AWS and Alibaba Cloud following the principles of Need-to-Know and Minimum Authorisation.
All the permissions and operations performed on the server side are limited by strict standard operating procedures (SOPs), with control and audit mechanisms.