HackerTrans
TopNewTrendsCommentsPastAskShowJobs

hWuxH

no profile record

comments

hWuxH
·2 ay önce·discuss
What's the threat model where not storing them all at once provides any benefit? If someone has admin it's already game over. Can just hook the browser to retrieve all passwords on demand.
hWuxH
·2 ay önce·discuss
If passwords are fetched remotely on-demand, you steal the account API key from memory. If they're encrypted, you steal the master password or decryption key. ... So what's your solution?
hWuxH
·geçen yıl·discuss
> What if this is not about closing off an API. Maintaining a stable API is difficult

That's why any sane software uses a stable public API and an internal one that can be closed off or has breaking changes all the time.

> MQTT has no versioning and limited hierarchy in the pub / sub model

It's currently handled like this: https://github.com/Doridian/OpenBambuAPI/blob/main/mqtt.md. Would it be a far stretch to add an "api_version":x field and a "internal_" prefix for some commands?
hWuxH
·geçen yıl·discuss
I wouldn't call it more or less secure. You're just on your own and should expect this (internal) API to have breaking changes at any time.
hWuxH
·geçen yıl·discuss
> Right now, the printer's local MQTT server can only be accessed from the local IP using an 8 digit password obtained through through the physical display.

The problem is hackers don't need to play by the rules (accessing the display).

8 digits that never change is a joke in terms of security, it could be brute-forced within hours/days by sending a network request for each possible combination.

mitm: afaik Bambu Studio/Connect/Handy validate the printer's certificate during the TLS handshake, but most third party software probably doesn't (barely found documentation about it).

And there are a few other (although not as fundamental) weaknesses like no mutual authentication, access control or revocation of specific clients. Due to the nature of MQTT, every client can see messages sent by other clients once authenticated.
hWuxH
·geçen yıl·discuss
Everything was sent in plaintext early on. But since 2022/2023 it's TLS: https://wiki.bambulab.com/en/security-incidents-cloud-traffi...
hWuxH
·geçen yıl·discuss
ppl always get caught up on the x509. They're actually a good thing and are absolutely necessary to prevent mitm since they use self-signed certs. BambuStudio also works that way.

The issue is introducing further measures which don't provide any security benefit to the user (can be spoofed): only allowing critical commands from BambuConnect.
hWuxH
·geçen yıl·discuss
> Username/password over TLS would do that better than what Bambu Lab is proposing

Already works that way and isn't affected by this update: https://wiki.bambulab.com/en/security-incidents-cloud-traffi..., https://github.com/Doridian/OpenBambuAPI/blob/main/mqtt.md#l...
hWuxH
·geçen yıl·discuss
- what the key is used for: signing critical operations, most notably print and gcode commands: https://git.devminer.xyz/archive/bambu-connect/src/commit/47..., list of known MQTT commands: https://github.com/Doridian/OpenBambuAPI/blob/main/mqtt.md

- what the firmware does: verify these operations, meaning it can reject MQTT messages with an invalid/missing signature from third party software

- the big flaw with that approach: by extracting the key, third party software can get full access again

- improvement to security: none (that obfuscation layer doesn't prevent anything if the printer/cloud were vulnerable)

authentication stays the same as before: https://git.devminer.xyz/archive/bambu-connect/src/commit/47...