People in the EU have been requesting to see what data bambu has taken and what they've done with it. And some users found that bambu has provided their data to 20+ different companies.
@@3DMusketeers It was actually a comment thread on a reddit post from 3dprinting last week how people were saying bambu was sending their data to unknown companies. Likely advertisement marketing or something. But yesterday during nero's live chat..someone in the chat had also mentioned it. It was at 1:07:33 in the live stream.
I get why you feel like you're shouting at the clouds a bit regarding data security, but I agree with you/think it needs to be talked about. Data security for consumers is death by a thousand cuts. Since the legal protections are often void or lessened with a EULA, its incumbent on users to raise awareness and encourage 'speaking with your wallet', because companies have no moral quandaries about slowly taking more and more from their 'customers/data-mines'.
We have four Bambu X1-C’s. Our Attorneys found stuff in the terms of service, and a work around, they wrote Bambu Labs a letter basically telling them to pound sand on their TOS. They signed the agreement with the demands from our attorneys. I’ll ask our attorney and see if they can legally release the letter and if so I will send you a copy. We are a Military contractor 3D printing firm in Alaska. A lot of what we print is very sensitive.
Yeah.... That doesn't mean they are not collecting your data and informing government with this information. I truly hope these are not connected to any sort of network.
The new printers all support send data back to Prusa, not sure what data but they are pretty open that it part of what they are using to make printers “smarter”
@@joshuamiller7231 well, if Prusa sticks to open source, I should be able to check the source code and see what exactly they send and where. And as I understand it, the printer functions fine and you can even upgrade it without ever connecting it.
I wonder how this ToS complies with strict data laws like the EU's GDPR Edit: Here, as far as I know, companies must provide all the data to you that they collect from you if you ask for it. Wonder if Bambu does that
This is the main thing keeping me from gettin a Bambu printer. And we know that CCP does not holt a good record to be trusted. Especially if every single Chinese company is required by law to cooperate with the government and provide those sensitive data to CCP. Makes you wonder. Tinfoil hat off for a second. Is it possible that TikTok, Bambu, milions of home things from robot vacuum cleaners and cat cameras were designed to pretty much monitor the planet in real time? Tinfoil hat back on. No, they surely wouldn't do this.
These companies have enough data to almost predict the future using history, statistics and live information input. We know Google and Facebook and pre Elon Twitter had/has special relations with the US gov can’t see China not doing the same. The big difference is what the US gov admits to and what the communist Chinese gov openly does.
Yeah no chance the cameras and such we all have are there 100% for good, it is why we dont have cameras inside our house (other than ones we can control for things like filming), and any printers with them are immediately disabled.
Unfortunately most people buying their machine either don’t know about this or simply don’t care. Bambu should be more explicit about this when people register their accounts. I wonder how much of their income comes from selling user data, would be interesting to see statistics on this.
You are dead on point about Privacy! Years ago a company I worked for a company that established an Ip connection for a manufacturing company in China. Months later we found the company trying to access our network facilities. We disconnected from the IP address and put up a new firewall. I have used DJI drones for years and very careful what DJI has access to my data.
I have given you some critique in the past but I love the fact that you are not anti-bamboo but not pro bamboo either. You take a rather objective stance and I really respect that. I would like to see more content for this updated with possible fixes and patches that do not connect to bamboo servers in any way. Orca slicer with third-party patches has been known to work
If you need a video on those things, you need more than that video. If it doesn't apply to contracts you are fulfilling, just don't go down the rabbit hole, but the information is freely available in government docs.
honestly, I'd like to see a video or 2 on these too. It'd be nice to have like a mid-level view/understanding of them (i.e. some of the finer points and details but not having to read government documents and the definitions contained within them)
@@alanpreston1822 I fully understand them, since I'm subject to them (and GDPR for that matter). However, @grant is excellent at making videos about them, which would allow my senior IT laziness to manifest fully by just sending someone a link.
I am certainly no expert, and we only run a level 2 facility here. We were working towards level 3 but had a contract fall through a bit over 3 years ago... so that was put on pause due to expenses of going 3, 4, and 5.
I'm (reasonably) sure that the Bambu engineers intended for the update before printing thing to be entirely related to "we really need to install firmware updates when the printer is not printing." I'm equally sure that the Bambu senior management, legal team, and PRC political officer are happy to have it written such that they reserve the right to brick your machine if they wish to do so, after stealing every bit of IP data they can get their hands on. And honestly, how much can we trust that any China-based company will follow their own TOS anyway? There's no legal recourse for the average person whose data has been compromised and even government-level complaints that get escalated to the WTO get largely ignored. I'm not so worried about Bambu Lab selling our data to random con men or even that worried about them having their own servers infiltrated by individual criminals, I'd be absolutely worried about models being collected via keyword search for Chinese national defense purposes. And yes, you are right - we have plenty of devices in our homes that listen to what we say and do, use that information for targeted ads plus unknown other sundry items, and we tend to also carry them in our pockets and take them everywhere we go. Not having one more device that does this is a good thing.
Erasure (Art. 17 GDPR) Right: You may request us to erase certain of your personal data. For example, you can ask us to erase the personal data: which is no longer needed by us in relation to the purpose for which they were collected or otherwise processed; (So... if they collected it for the purpose of "keeping it forever", they can keep it forever.) In certain situations, Bambu Lab is unable to delete your personal data in responding to your requests, including: when such personal data is still necessary to be processed to achieve the purpose we collected it for; (You mean like... keeping it forever?) Bambu Lab’s interest in using the data overrides your interest in having it deleted (e.g., when we need to process the personal data to protect our services from fraud); (Or... their interest in keeping it forever?) Bambu Lab has a legal obligation to keep relevant personal data; or (This may sound crazy, but this is a China-based company that is at the legal whims of China's policies. If their government told them to keep all data collected forever, they'd legally have to keep it... FOREVER.)
Having some experience with dji, your issues with bambu remind me a lot of my dealings with them. Unfortunately the drone industry doesn't have the plethora of alternatives that 3d printing does. I hope you all can keep them a little more honest than what's happened with dji.
The Qidi’s seem to be fixed, just saw what I think is the first new update review to the xplus3 and seems everything is fixed and really good. We need to get the Xmax3 in your hands for review. These might be a great the bambu replacement.
@@3DMusketeers yeah the xplus3 was the model they used mostly for reviewers before so not surprised that’s what you got, but that’s great news! Now with the lower pricing and improvements I’m really hoping that these can be a cheaper option that’s on par with (maybe better?) bambu. Looking forward to the video/stream.
So as far as the update before printing, I have had it stop me from printing once until I updated. I wish I had taken pitures at the time, but I was in a rush to get something done, so agreed.
Thinking back on it, I think this was about the time the security vulnerability was fixed. It's possible that the reason it was foreced was due to the level of the vulnerability. I have seen other devices do similar (looking at you samsung). I have not seen this again since then, and I am constantly ignoring the updates.
I keep mine on its own vlan, and the Wifi network it is on is for IoT devices, and it's the only one I have currently. So isolated in the event of a breach. Thats not something everyone has the hardware and knowledge to do. Still wish it were more open.
I am not saying they are or plan to do this, but this is how a 3D printer (another computer on your network) could have total access to everything unprotected. Hacking everything else might not be as hard as you think. This is done by making something called a "reverse shell." Your router is setup by default to reject any incoming data not asked for. Get that? If the data isn't asked for the router is setup by default to reject it. If it is asked for, then the incoming data requested will be accepted. This is where a reverse shell comes in. A good example of this is putting a Raspberry PI on your network polling a IP address of another computer. This computer accepts the polling, and makes a connection. Any command made inside this reverse shell on the connecting computer makes it look like the command is inside the network of the polling computer. If you paid attention, you would release that the router of the polling computer now thinks that any request or sent data came from inside your network, and bypassed security. To make this happen could take a update to your 3D printer, which really is another computer on your network. You're right about China. It's law that the Chinese government can and has demanded data from Chinese companies, which have to hand it over by law. To get around this you can buy a Wi-Fi router, and make a connection to the Wi-Fi part of it on your computer. Then connect the printer to it. Have an either net cable from this router to your net work with access to the WWW. Set up and update your printer with this cable in place. Disconnect the cable, and your computer still has access tot he printer. You printer doesn't. It is possible to go through your computer, but highly unlikely. To make it more secure make sure nothing is on your network on the WWW, when doing downloads. In the real world you are a drop in the ocean, but even drops have things happen to them.
Because we are ITAR controlled, we cant do that, however, the average user that wants some more security can :) We recently upgraded our router to one that can do full monitoring and have a fail over and WOW it has been nice!
As a contrasting video I'd love for you to cover an example of a privacy policy for another internet connected service that is pro-consumer and pro-privacy. These privacy concerns are not limited to Bambu or other Chinese companies -- these privacy policies almost look the same as every other software / Internet related privacy policy I've seen for all companies and countries. You brought up some great points that apply to all policies: what are users supposed to do if you disagree with a change in policy, what systems are in place to ensure you can remove your data if you no longer agree? How can a consumer protect their purchases -- is it legal for companies to change their privacy policies as a bait and switch tactic?
ooooh thats a good one. I think Peopoly is the best example I can think of.. Legal will depend on where you are, but how can consumers protect themselves? They first have to understand it and they fundamentally dont :/
What you really should do with the Bambu printers BEFORE you do anything else: 1.) Pull the internet connection cabel from your router. (so your network does not have internet) 2.) Set the printer to LAN only mode. 3.) Connect it to your WiFi. (we are however not really believing this and will make sure it is really lan only in the next step) 4.) Go to your router or firewall and block any connection from or to the internet for the printer. (for Fritzbox users it is called Device Blocking) 5.) Now you can reattach your router to the internet. > This will block it from the internet and not rely on their promisses but on the promise of your Firewall / Router manufacture you already trust anyway ;). Important: After that you will loose a couple of features, but I would say those are pretty much not that important for most people. (should be the same as with LAN only mode described by Bambuu) If you still want to see what is going on with your printer from outside your network, you can use a VPN connection to your network.
First off, what a great and comprehensive take on the data privacy concerns. It's almost March 2024 and I have similar concerns wondering if Bambu addressed them as I consider Prusa XL, K1, and/or Arco. I don't want my network to be a botnet nor do I want my printer accessible from outside my network. Is it possible to access all features in LAN Mode yet? Is it possible to update Bambu firmware without being connected to the internet? If not, I need to consider VLANs/DMZ + WIFI password update prior to connecting/disconnecting. Any other updates to consider? Thank you & well-done, subscribed!
We recently showed exactly what is in the logs, I recommend you watch that video too :) It is not possible to access all features with LAN mode. It is NOT possible to update a Bambu offline officially. A firmware called X1Plus is on the horizon, which we also did a video on, but it is not publicly available yet
@@3DMusketeers Thank you for your response and being a champion in this area or concern. I may consider P1S if my concerns are addressed otherwise I'm a hard no. I'll check out your other videos now thank you!
I had initially intended to buy one before watching your video, but now I've decided against it. I think I'll wait and see what the XL version from Prusa has to offer, and if not, then I'll consider the MK4 as an alternative. 🤔
Thank you for this. I have only been at the 3D printing since the beginning of this year (2023). I have and E3V2 and looking to upgrade to a faster printer P1S was in my view, but I've heard too much about possible data collection, and now I'm starting to looking elsewhere for a printer. I love what I've read about the P1S, but I can't dive in knowing there may be a DJI type of thing going on. I started using Octoprint not too long ago but it keeps disconnecting from my printer so I just pulled the plug on it for now. It's a hobby for me so the network connection I could care less about. Maybe I'll look at Sovol, I've read some decent things about them. I thought I saw that a core XY would be coming out. I've got the E3V2 dialed in but man is it slow.
I'm working for one well known telecom company based in Europe (not Huawei 🤣).We have a lot of mandatory trainings and accientaly the one today was about personal informations and GDPR. And as I can see,Bambu lab doesn't comply with GDRP at all :( ...and my new X1 is on it's way to me....
The P1S cant really see much with the camera other than a small sliver of my wall. You could run a packet sniffer and see how the network is being used and utilize a dual NIC PC as a "pass through."
This is a HUGE deal! I almost didn't purchase the X1 Carbon because of the security issues. But when I learned that it's capable of printing from LAN, I made the purchase. However..... It was impossible to activate the printer without connecting via phone. I went a whole week before ultimately activating it, then setting it for LAN. Still, we can't send models to the printer without logging on to the software... which must communicate with Bambu Lab's servers. Even if this is only intended to provide great service to the user, this comes off as truly shady. I turn off the machine and the VM (where I use the software) off after every use. At the very least, I get added peace of mind. Thank you for covering this 😎
About to buy a X1-C. I will lock it down hard and only allow updates thru a dedicated path. My biggest concern is them disabling the printer. I'm not sure they can include timebombs legally. I will ALWAYS be in LAN mode and divorced from their cloud just like all my IoT.
Maybe someone can try to use it a way PRC don’t like and see if something odd happen. I would really like to see what they are sending and the data amount, I can understand a crash log and the setting when it happening can be interesting, but why use encryption for this.?
I would like to correct one thing. Bambu does not need a SSID and password to use a client as a botnet. All it needs is an internet connection for that, and that would be easily identified and found with wireshark. Network analysis has been done on bambu printers, and this is not something that was found long term.
@@3DMusketeers As someone who does network engineering, spreading assumed but not correct information annoys me. That is not how that works. Not only would a update for all printers need done to enable them to send remote commands to act against a target IP as a bot, but it would not give them access to your network. Just because a device in on your router's network does not imply devices on it will care about what another sends to them. Having access to one's LAN in a client-only device context is not very powerful, hence why in actual hacking, none make use of it. Instead they make use of hosts, via spoof networks. Any nefarious network activity can easily be observed, and majority modern routers also automatically detect bot activity and lock the device from the internet in detection of it, such as with ASUS routers. The only things we cannot analyze is encrypted data, but in bambu's case, this is not entirely the case, as the logs seem to be basically just the MQTT data from what we have seen, which we CAN read. You can access it via username bblp on port 8883 without SSL and TLS. The password is the LAN Only access code on your printer's screen. I have a video I did where I went over such info and explained it in simpler context.
@@3DMusketeers Sure, but always remember local files != networked files. From looking at the length of networked data, it only looks like MQTT gets networked in terms of large data amounts. The rest seem too small to be that relevant. While local files are interesting; I agree, it is not conclusive of privacy. It's like me FTP'ing to my android phone and seeing the mass in there to conclude danger.
Oh yeah, I agree. I was talking more about the cool stuff you'll find. As for security, we know what is packaged up and I'm not very comfortable with it. Mind you, I'm a business that deals with NDAs and ITAR. The average consumer won't likely care and that's a different chat for a different day
@@3DMusketeers That is exactly how the Bambu subreddit is. You get dogpiled and accused of nonsense if you raise any concerns about privacy or data security. The old "If you have nothing to hide, then you have nothing to fear" fallacy.
@@rDigital2A 1000% agree. "my requirements are a printer I can keep up to date without connecting to a network" BambuBois: "why would you need that, or it even be a concern?"
It's too good to be true. Besides, there was a semi-recent fiasco with Bambu printers randly printing. Mark my words, there will be a major uproar once people do find out what really happens. But then again, people are very stupid; Microsoft has been doing it for decades with Windows...
In the medical space, and for HIPAA compliance, we have to de-identify when sharing. Our health is just part of us and it's protected. Why not the remainder of our being? I believe companies like this should have something in their terms for similar occasions. Only use specific identifiers when interacting with the individual and de-identify when used for other purposes. The specific instances should also be limited and called out.
I love this idea. Capitalism, in its purest form, would not allow for this though.. I am glad we have it for medical records, but all these people doing the 23&me things are just sharing their geneology with insurance providers who can use it for reasons not to cover treatments because there is an existing risk.. I hate it.
Damn, I was about to buy the X1C, but since I am designing my own models foe business, they can keep their crap. Having the ability to siphon off my work is unacceptable. Time to reconsider a Prusa, but now I need to look into their privacy policy.
Its defo sus. What is the functionality limitations when you don't connect it to the internet aka air gapped. Can you still just use SD card and print while air gapped
you can use the SD card but you cannot update, no camera (other than like timelapses) no ai detection, no alerts, etc. No nothing that would need the internet obviously.
one idea on firmware updating while using the machines offline: Can´t you just reset the printer before getting it online and updating the firmware while using a "fake" account?
We dont know if a factory reset actually deletes anything, since we cannot read the logs. It is not about the account, it is about what the printer can do on an open network, what it downloads, and how it installs it all.
This is why you need to add them to a separate ssid on your router with no connection to your network. Gaming routers do this and I have two 3d printers on their own ssid's with internet access but no network access. I can turn them off via smart plugs via tuya.
@@3DMusketeers Its something that goes for all IOT devices. they should all be on a dedicated IOT lan segment on its own SSID and nothing on that lan segment should be able to talk to other lan segments or other devices in its own IOT lan segment. It should be 100% isolated and all it should be able to do is get out to the internet, you can then also implement a dns sinkhole to log and stop it resolving any url's addresses you don't want it talking to. That si probably the least extreme approach to Trust is good CONTROL IS BETTER! I wonder if we can identify and block the talk home server addresses but still let it access the update servers to get new firmware. it is concerning that they encrypt the payload back to their servers and wont disclose the content of what they are collecting, but at the same time we would all be screaming at them if they was sending data back unencrypted. I think what is needed is an independent review permitted by Bambu, by trusted industry security experts. A brute force hacking the aes encryption and releasing the method would then be a security vulnerability they would have to patch, so i can see whey they are not keen to divulge on that front and it could be seen as them actually caring about protecting privacy of customers from another perspective. regardless if the vendor cannot provide the necessary guarantees one would expect for commercial use then that's just a market they will not be able to compete in. For average joe in his basement that doesn't care about a dude in china seeing him in his underpants they can have a very nice printer and do some pretty cool little projects.
So can you use it offline, third party slicer and SD card, without creating an account or ever having to update the firmware? Presumably the current firmware works well enough as long as it doesn't have a timer in it saying it needs to be updated at some point. What's the best alternative to the P1S without the same concerns with China?
Not updating the firmware will get you into all manners of BS if you need support and if you make videos about it, fanboys will tell you are a moron, so there is that lol.. To be clear though, NOW there is a 3rd party slicer, previously there was not, and we dont know what orca collects.
No hate here. After watching NBR's vid, I was TOTALLY against purchasing a Bambu machine. I did opt for a Creality K1max. I just hope they don't have the same stuff.
Computers and software have totally redefined what an "agreement" or "contract" is. In what other situation is it acceptable that ONE part just redefines the legal contract? You buy a car and the company redefines the terms of use to require a monthly fee or "the car will be permantly disabled if you exceed speed limits more than twice" or whatever. HOW can we consumers or the courts and judges play this game with these "consent" of "terms of use" to be able to use what you actually have bought...?
Bambu EULA=You ARE the product! We will make money off of you by selling all the data we collect from the product you bought but technically we still own and can dictate how you use.
I have a bambu X1C and since i am aware of all those data they retrieve, i only use orca slicer with sd card. Edit : im in the EU , printers are shipped from germany and if im right, bambu servers in EU are in germany too.
Yall should be saving copies of the log files, because they may decide at some point (particularly if the encryption is defeated) to cover their ass and stop collecting something they arent supposed to.
So I guess the real question is, why don’t other manufacturers develop, produce and release a product that meets or exceeds the specifications of the Bambu labs printers who are “more” trustworthy? There is a reason the Bambu labs printers are popular, they meet a want customers have been asking for for years, ease of use, quality and speed. Instead manufacturers cling to more of the same as what came before. Not only that but many printers require quite a bit of tuning that you have to do periodically and continuously, to work and in many cases should be upgraded out of the box to perform better though they do “work” out of the box….. usually. It also seems like a lot of the issues involve the use of the cloud printing feature, which due to my personal preference I don’t use, I load files directly onto my sd card. I’ve also found that the camera feature mostly useless unless I want a Timelapse video, which I generally don’t.
@@3DMusketeers I think that the benchmark was always what prusa set, all the other manufacturers concentrated on clones that were close to what has been considered the standard. And no one can argue that prusa doesn’t make a very good machine. As a matter of fact I still recommend a prusa to people that ask, but I also recommend the p1p, because even the security issues aside it’s a very capable printer at a good price point that’s simple to use. I’d sure like to see more innovation in fdm printers, and there is clearly room for improvement. Seems like I’m seeing more improvements in resin printers then I am fdm. Prusa has something going for it with the XL but price and availability are an issue. I’d like to get one but I’ll hold off for a while and if I can get one second hand for a decent price I might but it’s doubtful I’ll buy one retail. I just can’t justify it. I might also look into a rat rig or a voron as I’d like to have something with both speed and build volume. But that’s a project for another time as I don’t “need” it. Maybe we will see better things in the future but it’s clear to me that Bambu and prusa are going at each other and people are picking sides.
do you think there will ever be a "crack" or something (specialy x1c) to be full featured free of Bambu? and Du you know if the X1E has the legal abillity to be complete free?
Personally, I think any privacy policy, terms of service, end user agreement, etc. are all worthless. Cause at the end of the day you don't know what happens what a business does behind closed doors. Also, with how invasive governments are with businesses and individuals, I just work on the premise everything is compromised. I apply this mindset with "open source" software and hardware. Cause historically speaking, there have been lots of open source systems that were purposefully compromised. The upside of open source is good for inspection purposes, and for business continuity purposes. Once I made shift with my mindset, it allowed me to plan and position myself accordingly.
The situation is made worse by this release, the A1 an entry level printer aimed at younger customers, I foresee many A1 printers ending up in childrens bedrooms, the A1 will collect images, ether directly or via mirrored images may well include indecent images of your children. Collecting such images is illegal in many countries and Bambu labs need to ammend privacy policy or risk being guilty of creating indecent images of children in many countries!
My BL X1C was hacked by someone last night. Started trying to rub the nozzle on the plate for over 2 hours before I noticed. I have contacted BL but no response yet..😢
There is a term for 'believing' what you read to be truth: *Blind Faith* - These people have *no* reason to be truthful in their 'disclosure' - none whatsoever. Not only that, there is *no* recourse if it proves to be false, and finally - and most importantly - there is *no* way to verify anything they say.
Rather pay Prusa for the premium for privacy and security. I guess if something is too good to be true it usually is. Gotta wonder why Bambu are able to make printers so cheaply.
I totally agree with you. Thanks for this video. Would you like to do a video with me about the GDPR part? I live in Europe and would like to do a video about this on my channel and of course i want to give you credits.
Cracking AES is not a trivial matter and the serial number doesn't need to be part of the key and the key can and should change with every handshake. Your best bet is to intercept the data before it is encrypted but again that may also not be a trivial hack.
It's encrypted on the spintrol MCU. I'm guessing it's a non changing hardware key or it would be a pain in the ass to read them at the factory. I'll have to check to see if the MCU does support spinning keys.
Ive beem considerong buy a printer again. Been about 2 years sense i last printed. Was eying the Bambu Carbon X1. Then i ran across videos like this and now im not so sure. Also considering Prusa Mk4 also. But the bambu looks so nice.
We know what encryption it is?! That's huge, and reduces my search space by several orders of magnitude. Will DM you later. This might be possible in our lifetime...
As an innovator, I find the model data to be the most troubling. If I make a new toy that I intend to place copyright on, its pre-leaked to a country that consistently pirates people's work. Even more troubling is this looks like a case of industrial espionage. People who want to create new things will be the first to buy a rapid prototyping machine. Do you want sketchy people to see what you're making?
We designed and have been selling a product on etsy that didn't exist before we created it; we have now found it being sold on Amazon by 24+ different Chinese companies and to top it off they are using our product images and videos for their advertisement and also customer review images. Our product is not public so they most likely stole our file. Amazon claims they'll investigate and block those sellers 😂
well you have lot of great point but if i may give some feedback : the main issu in those maters is they can make a 1min video addressing all those point and trying to convince people all those are not much issues. Your video is almost half an hour. So who's message do you think the mass will get ? Been using linux and FOSS for about 25years and that's something i see time and time again. A big company make 1min spot with a cool well dressed dude telling you "it's fine" in a confident stance. And on the other side a guy that sit all curved wearing a goofy tshirt or sweeter too large for him that takes pages and pages to explain in lot's of unnecessary details why "it is not ok". And off course one is lying and the last one is the good guy in the story. But that doesn't mater because nobody will listen to him except those who are already convinced. It's like trying to fight a fully armored knight that run at you with a huge sharp spike, by sitting and making lots and lots of move with a butter knife. That is not chevaleresque. Seen that time and time again against IBM, Microsoft, Google, NVIDIA, Apple, Amazon, ... you name it. 25years and still the same story.
So I'm going to have to add firewall rules to blacklist every connection to the printer outside of my LAN and leave it on its own VLAN with a VM that is also separated from my network. lovely.
@@3DMusketeers hshshshshs If I may.... In terms of data security I could care less after interning over DJI in the past. I get their point of getting this data and they only use significant flight log information, statistics and whatnot "BLACKBOX with the intent to sell other data for socmed and ads" for external cash flow, DJI alone back then even during the DIY era production was extremely expensive they could not just rely on tradional means. I was already done with my internship when they started profitting from these data selling to manufacture cheaper drones while paying employees generously. I think the same goes for Bambu. Anyways thats just my opinion from experience it could be different now but until we haven't seen bad stuff happening from the millions of DJI drones sold and thousands of bambu printers sold everything thats to be worried about is pretty much meh.
We have seen bad things from DJI, you dont end up on the banned list for the US Govt for NOT doing something wrong.. What exactly, I know it involves selling the data to bad actors, but specifically I am not aware.
@@3DMusketeers I'm in the drone industry as well so I know the reason why its banned its an appropriate move for the US gov. You dont want DJI getting into high position government emplyees assuming some of the said data is sold to bad actors as per rumors other than that you wont see any other DJI user Pro/Com/Private complaining and just to add since US gov service cannot own and use DJI products they just outsource these drone shots or topo scanning for gov use pretty much nonsense but at least people are given high paying work while still using DJI products. Hope you get the drone side but yeah everything else is superstition in my opinion based on my take and experience of how some of these data is used to improve the product, manufacturing, material, software and user experience.
I'd like to hear bambulab's justification for not allowing offline firmware updates. You know... like basically every other 3d printer on the market can. If they'd allow that, I'd buy one. It is literally the only thing holding me back from ordering one right now. That they seem unwilling to do that is a big red flag, in my eyes. I can't think of any good non-nefarious reasons for why they'd want to force you to connect your printer to the internet at some point.
We got it specifically to see if they would be useful for this and have now gone down such a deep hole of trying to understand it's both frightening, frustrating, and incredibly interesting.
@3DMusketeers you'd think for itar sensative stuff a more vetted and professional fdm manufacturer would be required. I'd assume some sort of external clearance would be required before it was even to be set into the contractors facility. Then again whos to say these comments arnt all from bots on the bamboo side anyways. This is china we are dealing with
There isn't actually a vetting process yet, but I think that's to let people make their own decisions. There's a vetting process for the businesses, like ours, but for people we buy from, no, not really :/ there are recommendations but it's not realistic often for startups like ours.
This is certainly a legitimate issue and while I do not want to minimize it, people need to be aware that Bambu's products are but one of the numerous products in most people's homes that cannot be trusted. ANY web related product - from pc motherboards to modems and routers to home security cameras and even your smartphone that are made in China or consist of Chinese IC chips has the potential to spy on the user. And since there are very few US made alternatives (especially at competitive cost), there is little most people can do to mitigate the concern. Who is to say that your router is not capturing every purchase you make and associating that with other data to personally identify your bank records? Or that your router isn't sharing your Intellectual Property data before you even upload it to the Bambu cloud service? The point is YES - this is a concern. But I don't think it's fair to necessarily jump on the Bambu bandwagon while everything else in your home is potentially doing the same.
My home is secured, but we are ITAR controlled, so there's that. We run a custom built router which is amazing! But yes, for the average user, it's one of many. Given their investors though (dji) I have good reason to be worried lol
If you know, you know, if you don't it is fine to keep it that way lol. There is a bad actor in this community that calls people sock puppets, he inspired the shirt by Sam Prentice: b.link/PuppetResearch
@3DMusketeers A DMZ allows you to isolate a device on your network from your local network. It sounds like when you send jobs to it from the phone app or slicer, it goes to the cloud and gets pushed down to the printer from the cloud. Or I could be misunderstanding it.
@3DMusketeers That'd work. I don't think I'd care if it reached the internet as long as it was segmented. I guess you could connect, update, and then disconnect. My firewall does region blocking, so it probably wouldn't be able to update, haha.
Bambulab can take whatever info they want as long as they dont share it with my government. Its our government who is more of a threat than any other one.
FINALLY THIS VIDEO. YESSSS!!!! And Yes, the reason i dont get Bambu are because of this and they dont ship here. While prusa ship to a lot of country. And yes, please do prusa and creality please.
Also What about COPPA I know many kids that want 3d printers parents are likely to buy something like an A1 or A1 mini over the more expensive printers. And those printers have exposed cameras that can see everything and they will most likely have it in their rooms and lots of the time people forget to cover the camera or just forget. What will happen if they accidentally catch a vid of a CHILD changing. What if that data gets Leaked or they got hacked. I would certainly have zero trust in a company if they’re printer got my privates exposed.
That is not something I have considered. I think Bambu would say "well you have a way to block the camera" but yeah.. that is a whole new avenue there..
With the X1+ f/w, BLs own blog, seems like a lot of data was collected way more than necessary🤔. No need to decrypt the log file anymore, the logging routines are wide open and visible under linux. We will know the extent of "DEBUG" log data soon.😂
Any free cloud service, VPN, online storage etc. should be used with caution. It may seem free on the surface, but you are really paying in different ways.
@@3DMusketeers Oh, I almost forgot to tell you this: I checked the logs in my router for the the Bambu Lab machine, and the printer is connecting to several different servers. 1 is in Germany, 1 is in Netherlands or somewhere near there, and a 3rd is connecting to some US based server. None of which are registered to Bambu Labs. I also looked up the ratings for some of them, and some users reported them as dangerous for several reasons.
@@3DMusketeers Yep. USA, I'm and not using VPN. I screenshot each IP address, so its on my computer at home. I can post on discord or somewhere if you have a place for that.
The software section will also apply to the mobile app, for which their terms are completely sensible and fair since it is proprietary. Playing devil's advocate, you could read that as applying to that software, rather than the open source desktop software.
@@3DMusketeers If they have collected data, they must make it readable for me upon request, otherwise I can sue them under European law. In addition, upon request, they must delete all of the data they have from me. If this is not done, there will be severe penalties and high demands for compensation. This is perhaps also a reason why the collection of model data in the EU only relates to MakerWorld and not to the use of the printer. I don't mean to say that there isn't any possibility that they could still collect things that they aren't allowed to. But I think the hurdle is significantly greater.
@@3DMusketeers My P1s is coming now and I'll try it out a month after I use it to request my data. They actually have to give them out otherwise they will be threatened with a sales ban in Europe
The simple fact that it's a cloud driven machine made by a Chinese company is enough to make me suspicious. having encrypted log files and closed ecosystem isn't helping their case either! GDPR (EU/UK) works for us within the EU/UK but if the cloud server is in China GDPR does not apply. Also ( I think I'm right in saying) The Chinese government can seize any data stored on a pubic or private server in China if they feel like it. This is why I got rid of my Huawei phone.
The ATF and big brother want to know who printing ghost buns😅 thats why ALL the new 3D printers are not open source. All the shops removed open source printers from sales. Except few you know who😅.
Wait I am a kid and I have a x1c and more and it has been smooth so not exactly I also have friends with printers and there experience has been smooth so I guess kid should have printers if they want one (and know how to operate one and have done research)
Ha ha ha ha it was a bit in a recent, now private, podcast episode. We got threats from Bambu fans about it and bambu made a less than kind reply on their website about it. Is what it is...
![[UA] NAVI проти G2 Esports | Blast Premier Fall Final](http://i.ytimg.com/vi/QWlIm4FGESQ/mqdefault.jpg)
People in the EU have been requesting to see what data bambu has taken and what they've done with it. And some users found that bambu has provided their data to 20+ different companies.
anyone you can put me in contact with?
@@3DMusketeers It was actually a comment thread on a reddit post from 3dprinting last week how people were saying bambu was sending their data to unknown companies. Likely advertisement marketing or something. But yesterday during nero's live chat..someone in the chat had also mentioned it. It was at 1:07:33 in the live stream.
ok I will check.
Any updates on this?
Definitely would LOVE to see you check what the Creality K1’s policies contain. 10/10 would watch.
I don't have a K1 but I can try..
I get why you feel like you're shouting at the clouds a bit regarding data security, but I agree with you/think it needs to be talked about. Data security for consumers is death by a thousand cuts. Since the legal protections are often void or lessened with a EULA, its incumbent on users to raise awareness and encourage 'speaking with your wallet', because companies have no moral quandaries about slowly taking more and more from their 'customers/data-mines'.
appreciate it!
We have four Bambu X1-C’s. Our Attorneys found stuff in the terms of service, and a work around, they wrote Bambu Labs a letter basically telling them to pound sand on their TOS. They signed the agreement with the demands from our attorneys. I’ll ask our attorney and see if they can legally release the letter and if so I will send you a copy. We are a Military contractor 3D printing firm in Alaska. A lot of what we print is very sensitive.
Hm. I wonder how your agreement with Bambu stands up against their demands from their government.
theres no chance that you actually trust to have these machines online.. right?
Your attorneies have no authority in China haha.
well, I intend to read something if it happens to show up in my inbox..
Yeah.... That doesn't mean they are not collecting your data and informing government with this information. I truly hope these are not connected to any sort of network.
This is basically why I decided to buy a Prusa rather than a Bambu. It would be interesting, though, to hear your take on Prusa.
fun problem, we have yet to find a privacy policy for PS, we have found them for the website and blog though
@@3DMusketeers I'd guess for the printer (at least the non-connected ones) there would be no need. Slicer, yes. Hm.
yeah, sent an email, will see!
The new printers all support send data back to Prusa, not sure what data but they are pretty open that it part of what they are using to make printers “smarter”
@@joshuamiller7231 well, if Prusa sticks to open source, I should be able to check the source code and see what exactly they send and where. And as I understand it, the printer functions fine and you can even upgrade it without ever connecting it.
I wonder how this ToS complies with strict data laws like the EU's GDPR
Edit: Here, as far as I know, companies must provide all the data to you that they collect from you if you ask for it. Wonder if Bambu does that
I don't live in the EU so I have no clue :/
Short answer: Who will check it? Even if they give you data they collect, you'll never know if and which one they did not provide.
Good thing i saw this video before purchasing lol. Thank you for this video & taking your time to explain the terms!
Absolutely!
This is the main thing keeping me from gettin a Bambu printer. And we know that CCP does not holt a good record to be trusted. Especially if every single Chinese company is required by law to cooperate with the government and provide those sensitive data to CCP. Makes you wonder.
Tinfoil hat off for a second. Is it possible that TikTok, Bambu, milions of home things from robot vacuum cleaners and cat cameras were designed to pretty much monitor the planet in real time? Tinfoil hat back on. No, they surely wouldn't do this.
These companies have enough data to almost predict the future using history, statistics and live information input. We know Google and Facebook and pre Elon Twitter had/has special relations with the US gov can’t see China not doing the same. The big difference is what the US gov admits to and what the communist Chinese gov openly does.
Yeah no chance the cameras and such we all have are there 100% for good, it is why we dont have cameras inside our house (other than ones we can control for things like filming), and any printers with them are immediately disabled.
As for predicting the future, maybe, but at best it is a statistical guess. Remember, when something is free, you are the product
They're trying to catch up to Google, Facebook, apple, Microsoft, even car manufacturers are getting in on this.
I cant say I blame them there...
Unfortunately most people buying their machine either don’t know about this or simply don’t care. Bambu should be more explicit about this when people register their accounts. I wonder how much of their income comes from selling user data, would be interesting to see statistics on this.
bingo.. its a shame
You are dead on point about Privacy! Years ago a company I worked for a company that established an Ip connection for a manufacturing company in China. Months later we found the company trying to access our network facilities. We disconnected from the IP address and put up a new firewall. I have used DJI drones for years and very careful what DJI has access to my data.
Sometimes it sucks being right...
I have given you some critique in the past but I love the fact that you are not anti-bamboo but not pro bamboo either. You take a rather objective stance and I really respect that. I would like to see more content for this updated with possible fixes and patches that do not connect to bamboo servers in any way. Orca slicer with third-party patches has been known to work
Orca in stealth mode is about all you can do. Then sneakernet the files
I'd like you to do an ITAR video with a side of CUI, and what happens if you fall afoul of them.
If you need a video on those things, you need more than that video. If it doesn't apply to contracts you are fulfilling, just don't go down the rabbit hole, but the information is freely available in government docs.
honestly, I'd like to see a video or 2 on these too. It'd be nice to have like a mid-level view/understanding of them (i.e. some of the finer points and details but not having to read government documents and the definitions contained within them)
@@alanpreston1822 I fully understand them, since I'm subject to them (and GDPR for that matter). However, @grant is excellent at making videos about them, which would allow my senior IT laziness to manifest fully by just sending someone a link.
@@sunderoo yup, pretty much this.
I am certainly no expert, and we only run a level 2 facility here. We were working towards level 3 but had a contract fall through a bit over 3 years ago... so that was put on pause due to expenses of going 3, 4, and 5.
I'm (reasonably) sure that the Bambu engineers intended for the update before printing thing to be entirely related to "we really need to install firmware updates when the printer is not printing." I'm equally sure that the Bambu senior management, legal team, and PRC political officer are happy to have it written such that they reserve the right to brick your machine if they wish to do so, after stealing every bit of IP data they can get their hands on. And honestly, how much can we trust that any China-based company will follow their own TOS anyway? There's no legal recourse for the average person whose data has been compromised and even government-level complaints that get escalated to the WTO get largely ignored. I'm not so worried about Bambu Lab selling our data to random con men or even that worried about them having their own servers infiltrated by individual criminals, I'd be absolutely worried about models being collected via keyword search for Chinese national defense purposes.
And yes, you are right - we have plenty of devices in our homes that listen to what we say and do, use that information for targeted ads plus unknown other sundry items, and we tend to also carry them in our pockets and take them everywhere we go. Not having one more device that does this is a good thing.
but to stay on the bleeding edge, how? you know?
Erasure (Art. 17 GDPR)
Right:
You may request us to erase certain of your personal data. For example, you can ask us to erase the personal data:
which is no longer needed by us in relation to the purpose for which they were collected or otherwise processed;
(So... if they collected it for the purpose of "keeping it forever", they can keep it forever.)
In certain situations, Bambu Lab is unable to delete your personal data in responding to your requests, including:
when such personal data is still necessary to be processed to achieve the purpose we collected it for;
(You mean like... keeping it forever?)
Bambu Lab’s interest in using the data overrides your interest in having it deleted (e.g., when we need to process the personal data to protect our services from fraud);
(Or... their interest in keeping it forever?)
Bambu Lab has a legal obligation to keep relevant personal data; or
(This may sound crazy, but this is a China-based company that is at the legal whims of China's policies. If their government told them to keep all data collected forever, they'd legally have to keep it... FOREVER.)
dang.. well, that sucks.. So GDPR does not have the teeth I was expecting?
Having some experience with dji, your issues with bambu remind me a lot of my dealings with them. Unfortunately the drone industry doesn't have the plethora of alternatives that 3d printing does. I hope you all can keep them a little more honest than what's happened with dji.
I am so curious if you know that Bambu is ex dji people?? Not sure if I mentioned it here LOL
Nate is super cool. He deserves to get a ton of subs.
The faces though.. lol
The Qidi’s seem to be fixed, just saw what I think is the first new update review to the xplus3 and seems everything is fixed and really good. We need to get the Xmax3 in your hands for review. These might be a great the bambu replacement.
If you're talking about Clough42's video with the update fixes - yep. That box has regained my interest.
Well, there is a x-plus3 in my garage, I tried for a Max, but they said no.. so we will see after the Plus if I can get a max!
@sunderoo it has my interest for sure
@@3DMusketeers yeah the xplus3 was the model they used mostly for reviewers before so not surprised that’s what you got, but that’s great news! Now with the lower pricing and improvements I’m really hoping that these can be a cheaper option that’s on par with (maybe better?) bambu. Looking forward to the video/stream.
Joel got the Max lol. But he is cooler than me. appreciate it!
So as far as the update before printing, I have had it stop me from printing once until I updated. I wish I had taken pitures at the time, but I was in a rush to get something done, so agreed.
ok, that is what I expected..
Thinking back on it, I think this was about the time the security vulnerability was fixed. It's possible that the reason it was foreced was due to the level of the vulnerability. I have seen other devices do similar (looking at you samsung). I have not seen this again since then, and I am constantly ignoring the updates.
wouldnt even know updates are available as my machine isnt online lol
I keep mine on its own vlan, and the Wifi network it is on is for IoT devices, and it's the only one I have currently. So isolated in the event of a breach. Thats not something everyone has the hardware and knowledge to do. Still wish it were more open.
agreed
Yay, I inspired a thing!
that you did
@nathanbuildsrobots why is your video privat? Layers😮?
I am not saying they are or plan to do this, but this is how a 3D printer (another computer on your network) could have total access to everything unprotected. Hacking everything else might not be as hard as you think.
This is done by making something called a "reverse shell." Your router is setup by default to reject any incoming data not asked for. Get that? If the data isn't asked for the router is setup by default to reject it. If it is asked for, then the incoming data requested will be accepted. This is where a reverse shell comes in. A good example of this is putting a Raspberry PI on your network polling a IP address of another computer. This computer accepts the polling, and makes a connection. Any command made inside this reverse shell on the connecting computer makes it look like the command is inside the network of the polling computer. If you paid attention, you would release that the router of the polling computer now thinks that any request or sent data came from inside your network, and bypassed security. To make this happen could take a update to your 3D printer, which really is another computer on your network.
You're right about China. It's law that the Chinese government can and has demanded data from Chinese companies, which have to hand it over by law.
To get around this you can buy a Wi-Fi router, and make a connection to the Wi-Fi part of it on your computer. Then connect the printer to it. Have an either net cable from this router to your net work with access to the WWW. Set up and update your printer with this cable in place. Disconnect the cable, and your computer still has access tot he printer. You printer doesn't. It is possible to go through your computer, but highly unlikely. To make it more secure make sure nothing is on your network on the WWW, when doing downloads.
In the real world you are a drop in the ocean, but even drops have things happen to them.
Because we are ITAR controlled, we cant do that, however, the average user that wants some more security can :)
We recently upgraded our router to one that can do full monitoring and have a fail over and WOW it has been nice!
As it happens Bambu asked me to PLEASE put pants on when using their printers!! Great video tho, very interesting information!
Weird I figured they would thank you for not wearing them, that's what I do ;)
@@3DMusketeers are you watching me Grant, you bloody tease !!
They did say they provide the data to 3rd parties ;)
As a contrasting video I'd love for you to cover an example of a privacy policy for another internet connected service that is pro-consumer and pro-privacy.
These privacy concerns are not limited to Bambu or other Chinese companies -- these privacy policies almost look the same as every other software / Internet related privacy policy I've seen for all companies and countries.
You brought up some great points that apply to all policies: what are users supposed to do if you disagree with a change in policy, what systems are in place to ensure you can remove your data if you no longer agree? How can a consumer protect their purchases -- is it legal for companies to change their privacy policies as a bait and switch tactic?
ooooh thats a good one. I think Peopoly is the best example I can think of..
Legal will depend on where you are, but how can consumers protect themselves? They first have to understand it and they fundamentally dont :/
Thanks for putting in the effort to looking into this stuff for us.
absolutely!
What you really should do with the Bambu printers BEFORE you do anything else:
1.) Pull the internet connection cabel from your router. (so your network does not have internet)
2.) Set the printer to LAN only mode.
3.) Connect it to your WiFi. (we are however not really believing this and will make sure it is really lan only in the next step)
4.) Go to your router or firewall and block any connection from or to the internet for the printer. (for Fritzbox users it is called Device Blocking)
5.) Now you can reattach your router to the internet.
> This will block it from the internet and not rely on their promisses but on the promise of your Firewall / Router manufacture you already trust anyway ;).
Important: After that you will loose a couple of features, but I would say those are pretty much not that important for most people. (should be the same as with LAN only mode described by Bambuu)
If you still want to see what is going on with your printer from outside your network, you can use a VPN connection to your network.
The only issue with that is the software ALSO sends data to the cloud.. so.. yeah..
@@3DMusketeers So we need to add the end point of the connection to the firewall blocklist too. Shouldnt be too hard ;).
I just use Orca and have it not send info, that normally does it fine for me. But yes, the endpoint block is right.
Nice. Finally someone that cares.
seems I am not the majority, which worries me
First off, what a great and comprehensive take on the data privacy concerns.
It's almost March 2024 and I have similar concerns wondering if Bambu addressed them as I consider Prusa XL, K1, and/or Arco.
I don't want my network to be a botnet nor do I want my printer accessible from outside my network.
Is it possible to access all features in LAN Mode yet?
Is it possible to update Bambu firmware without being connected to the internet? If not, I need to consider VLANs/DMZ + WIFI password update prior to connecting/disconnecting.
Any other updates to consider? Thank you & well-done, subscribed!
We recently showed exactly what is in the logs, I recommend you watch that video too :)
It is not possible to access all features with LAN mode.
It is NOT possible to update a Bambu offline officially. A firmware called X1Plus is on the horizon, which we also did a video on, but it is not publicly available yet
@@3DMusketeers Thank you for your response and being a champion in this area or concern. I may consider P1S if my concerns are addressed otherwise I'm a hard no. I'll check out your other videos now thank you!
Absolutely!
I had initially intended to buy one before watching your video, but now I've decided against it. I think I'll wait and see what the XL version from Prusa has to offer, and if not, then I'll consider the MK4 as an alternative. 🤔
I would also expand your looking beyond Prusa, there are other brands out there to consider too :)
Thank you for this. I have only been at the 3D printing since the beginning of this year (2023). I have and E3V2 and looking to upgrade to a faster printer P1S was in my view, but I've heard too much about possible data collection, and now I'm starting to looking elsewhere for a printer. I love what I've read about the P1S, but I can't dive in knowing there may be a DJI type of thing going on. I started using Octoprint not too long ago but it keeps disconnecting from my printer so I just pulled the plug on it for now. It's a hobby for me so the network connection I could care less about. Maybe I'll look at Sovol, I've read some decent things about them. I thought I saw that a core XY would be coming out. I've got the E3V2 dialed in but man is it slow.
Love my SV06 (plus or not plus) they are amazing bang for the buck.
Bambu is not interested in your articulated snakes or rainbow silk prints. The UA-cam app collects more data on you.
I'm working for one well known telecom company based in Europe (not Huawei 🤣).We have a lot of mandatory trainings and accientaly the one today was about personal informations and GDPR. And as I can see,Bambu lab doesn't comply with GDRP at all :( ...and my new X1 is on it's way to me....
Well, you can ask them for a list of everywhere your data has been sent because of being in the EU!
The P1S cant really see much with the camera other than a small sliver of my wall.
You could run a packet sniffer and see how the network is being used and utilize a dual NIC PC as a "pass through."
its all encrypted. So it would not matter. We have what we need now, we will be updating this soon-ish
Would connecting to the Net via VPN make any difference?
nope
Now for the big question. If I am using Orca slicer does the printer still send data and design to Bambu?
yes. You have to go into the settings and turn that off. It is called Stealth Mode.
This is a HUGE deal! I almost didn't purchase the X1 Carbon because of the security issues. But when I learned that it's capable of printing from LAN, I made the purchase. However.....
It was impossible to activate the printer without connecting via phone. I went a whole week before ultimately activating it, then setting it for LAN. Still, we can't send models to the printer without logging on to the software... which must communicate with Bambu Lab's servers. Even if this is only intended to provide great service to the user, this comes off as truly shady. I turn off the machine and the VM (where I use the software) off after every use. At the very least, I get added peace of mind.
Thank you for covering this 😎
happy to cover it! Glad you enjoyed!
About to buy a X1-C. I will lock it down hard and only allow updates thru a dedicated path. My biggest concern is them disabling the printer. I'm not sure they can include timebombs legally. I will ALWAYS be in LAN mode and divorced from their cloud just like all my IoT.
If you keep your printer offline Bambu will have no access to it at all.
Maybe someone can try to use it a way PRC don’t like and see if something odd happen. I would really like to see what they are sending and the data amount, I can understand a crash log and the setting when it happening can be interesting, but why use encryption for this.?
they claim it is to protect their IP, while in contrast they go out and steal IP from others...
I would like to correct one thing.
Bambu does not need a SSID and password to use a client as a botnet. All it needs is an internet connection for that, and that would be easily identified and found with wireshark. Network analysis has been done on bambu printers, and this is not something that was found long term.
Not yet. It takes one bad actor to gain access to the server and poof, they are in.
@@3DMusketeers As someone who does network engineering, spreading assumed but not correct information annoys me.
That is not how that works. Not only would a update for all printers need done to enable them to send remote commands to act against a target IP as a bot, but it would not give them access to your network. Just because a device in on your router's network does not imply devices on it will care about what another sends to them.
Having access to one's LAN in a client-only device context is not very powerful, hence why in actual hacking, none make use of it. Instead they make use of hosts, via spoof networks.
Any nefarious network activity can easily be observed, and majority modern routers also automatically detect bot activity and lock the device from the internet in detection of it, such as with ASUS routers.
The only things we cannot analyze is encrypted data, but in bambu's case, this is not entirely the case, as the logs seem to be basically just the MQTT data from what we have seen, which we CAN read. You can access it via username bblp on port 8883 without SSL and TLS. The password is the LAN Only access code on your printer's screen.
I have a video I did where I went over such info and explained it in simpler context.
I've gained access via ftp although ssh works as well. I highly recommend you look into it. The data you can find is truly fascinating.
@@3DMusketeers Sure, but always remember local files != networked files. From looking at the length of networked data, it only looks like MQTT gets networked in terms of large data amounts. The rest seem too small to be that relevant.
While local files are interesting; I agree, it is not conclusive of privacy.
It's like me FTP'ing to my android phone and seeing the mass in there to conclude danger.
Oh yeah, I agree. I was talking more about the cool stuff you'll find. As for security, we know what is packaged up and I'm not very comfortable with it. Mind you, I'm a business that deals with NDAs and ITAR. The average consumer won't likely care and that's a different chat for a different day
Yes, we want to know those things. I'm sick of the people that just give up when it comes to data security in the name of convenience and laziness.
Man, if people were not so rude in my comments about it often I would likely be talking about it more..
@@3DMusketeers That is exactly how the Bambu subreddit is. You get dogpiled and accused of nonsense if you raise any concerns about privacy or data security. The old "If you have nothing to hide, then you have nothing to fear" fallacy.
just look at the comments on my other bambu videos........
@@rDigital2A 1000% agree. "my requirements are a printer I can keep up to date without connecting to a network" BambuBois: "why would you need that, or it even be a concern?"
its frustrating at best..
It's too good to be true. Besides, there was a semi-recent fiasco with Bambu printers randly printing. Mark my words, there will be a major uproar once people do find out what really happens. But then again, people are very stupid; Microsoft has been doing it for decades with Windows...
I hope it happens sooner rather than later
In the medical space, and for HIPAA compliance, we have to de-identify when sharing. Our health is just part of us and it's protected. Why not the remainder of our being? I believe companies like this should have something in their terms for similar occasions. Only use specific identifiers when interacting with the individual and de-identify when used for other purposes. The specific instances should also be limited and called out.
I love this idea. Capitalism, in its purest form, would not allow for this though.. I am glad we have it for medical records, but all these people doing the 23&me things are just sharing their geneology with insurance providers who can use it for reasons not to cover treatments because there is an existing risk.. I hate it.
Damn, I was about to buy the X1C, but since I am designing my own models foe business, they can keep their crap. Having the ability to siphon off my work is unacceptable. Time to reconsider a Prusa, but now I need to look into their privacy policy.
Prusa, being in the EU has a much more business friendly privacy policy :) But their machines are easy to air gap as well, so there is that benefit
Its defo sus. What is the functionality limitations when you don't connect it to the internet aka air gapped. Can you still just use SD card and print while air gapped
you can use the SD card but you cannot update, no camera (other than like timelapses) no ai detection, no alerts, etc. No nothing that would need the internet obviously.
@@3DMusketeers Is there not a way to manually flash firmware updates? And what do you mean by ai detection?
Nopeeeeeee no way to flash updates.
It can detect print failures with the camera. That doesn't work if it's offline
Damn. that sucks.@@3DMusketeers
indeed it does
So then what printer company would you use?
depends on your needs really..
one idea on firmware updating while using the machines offline: Can´t you just reset the printer before getting it online and updating the firmware while using a "fake" account?
We dont know if a factory reset actually deletes anything, since we cannot read the logs. It is not about the account, it is about what the printer can do on an open network, what it downloads, and how it installs it all.
The only thing I can hope for is these guys left DJI because of the security issues they didn’t agree with that the company was facing??? 😂
thats a LONG shot lol
I should make a QR code sticker linked to this video and slap them on every Bambu box at my local micro center....
I am fairly certain that is vandalism, but hey, you do you.
@@3DMusketeers Just a joke 🤦♂
This is why you need to add them to a separate ssid on your router with no connection to your network. Gaming routers do this and I have two 3d printers on their own ssid's with internet access but no network access. I can turn them off via smart plugs via tuya.
This does not address the issue of them sending "diagnostic data" home.
@@sunderoo No but it does stop them from snooping in your network and to stop any "man in the middle" hacks
@@PinkGirl2242 But it's not a solution to the whole problem.
While yes, this stops man in the middle issues, theoretically, the data is still a big problem
@@3DMusketeers Its something that goes for all IOT devices. they should all be on a dedicated IOT lan segment on its own SSID and nothing on that lan segment should be able to talk to other lan segments or other devices in its own IOT lan segment. It should be 100% isolated and all it should be able to do is get out to the internet, you can then also implement a dns sinkhole to log and stop it resolving any url's addresses you don't want it talking to. That si probably the least extreme approach to Trust is good CONTROL IS BETTER! I wonder if we can identify and block the talk home server addresses but still let it access the update servers to get new firmware. it is concerning that they encrypt the payload back to their servers and wont disclose the content of what they are collecting, but at the same time we would all be screaming at them if they was sending data back unencrypted. I think what is needed is an independent review permitted by Bambu, by trusted industry security experts. A brute force hacking the aes encryption and releasing the method would then be a security vulnerability they would have to patch, so i can see whey they are not keen to divulge on that front and it could be seen as them actually caring about protecting privacy of customers from another perspective. regardless if the vendor cannot provide the necessary guarantees one would expect for commercial use then that's just a market they will not be able to compete in. For average joe in his basement that doesn't care about a dude in china seeing him in his underpants they can have a very nice printer and do some pretty cool little projects.
So can you use it offline, third party slicer and SD card, without creating an account or ever having to update the firmware? Presumably the current firmware works well enough as long as it doesn't have a timer in it saying it needs to be updated at some point. What's the best alternative to the P1S without the same concerns with China?
Not updating the firmware will get you into all manners of BS if you need support and if you make videos about it, fanboys will tell you are a moron, so there is that lol..
To be clear though, NOW there is a 3rd party slicer, previously there was not, and we dont know what orca collects.
No hate here. After watching NBR's vid, I was TOTALLY against purchasing a Bambu machine. I did opt for a Creality K1max. I just hope they don't have the same stuff.
they do. and in fact creality cloud is SO MUCH WORSE
My ASUS router allows me to block devices from Internet access. I'm in LAN mode already, but a little extra caution doesn't hurt.
you may be interested in the video we are posting later today
Computers and software have totally redefined what an "agreement" or "contract" is. In what other situation is it acceptable that ONE part just redefines the legal contract? You buy a car and the company redefines the terms of use to require a monthly fee or "the car will be permantly disabled if you exceed speed limits more than twice" or whatever. HOW can we consumers or the courts and judges play this game with these "consent" of "terms of use" to be able to use what you actually have bought...?
that one I do not know alas...
Bambu EULA=You ARE the product! We will make money off of you by selling all the data we collect from the product you bought but technically we still own and can dictate how you use.
more or less, from what I can read...
I have a bambu X1C and since i am aware of all those data they retrieve, i only use orca slicer with sd card.
Edit : im in the EU , printers are shipped from germany and if im right, bambu servers in EU are in germany too.
the servers start in the EU, they end up in china. Any chance you can do a GDPR request to see where your info is going?
I just ordered a P1s and I’m just learning about the privacy policy, is this the best way to get around the data issues?
never put your printer on a network, have the slicer on an air gapped computer, and transfer data via sd cards
Yall should be saving copies of the log files, because they may decide at some point (particularly if the encryption is defeated) to cover their ass and stop collecting something they arent supposed to.
oh, we have
Is there any printer that does not require air gapped to be secure?
No, but most printers are air gapped in nature as they don't have connections
So I guess the real question is, why don’t other manufacturers develop, produce and release a product that meets or exceeds the specifications of the Bambu labs printers who are “more” trustworthy?
There is a reason the Bambu labs printers are popular, they meet a want customers have been asking for for years, ease of use, quality and speed. Instead manufacturers cling to more of the same as what came before. Not only that but many printers require quite a bit of tuning that you have to do periodically and continuously, to work and in many cases should be upgraded out of the box to perform better though they do “work” out of the box….. usually.
It also seems like a lot of the issues involve the use of the cloud printing feature, which due to my personal preference I don’t use, I load files directly onto my sd card. I’ve also found that the camera feature mostly useless unless I want a Timelapse video, which I generally don’t.
I dont disagree here. Why didnt they? Because I am not sure they recognized the market need. Otherwise I have no clue lol
@@3DMusketeers I think that the benchmark was always what prusa set, all the other manufacturers concentrated on clones that were close to what has been considered the standard. And no one can argue that prusa doesn’t make a very good machine. As a matter of fact I still recommend a prusa to people that ask, but I also recommend the p1p, because even the security issues aside it’s a very capable printer at a good price point that’s simple to use.
I’d sure like to see more innovation in fdm printers, and there is clearly room for improvement. Seems like I’m seeing more improvements in resin printers then I am fdm.
Prusa has something going for it with the XL but price and availability are an issue. I’d like to get one but I’ll hold off for a while and if I can get one second hand for a decent price I might but it’s doubtful I’ll buy one retail. I just can’t justify it. I might also look into a rat rig or a voron as I’d like to have something with both speed and build volume. But that’s a project for another time as I don’t “need” it. Maybe we will see better things in the future but it’s clear to me that Bambu and prusa are going at each other and people are picking sides.
do you think there will ever be a "crack" or something (specialy x1c) to be full featured free of Bambu? and Du you know if the X1E has the legal abillity to be complete free?
No and no, it does not.
Are the log files going out automatically?
Nope. Not that we saw, not currently. Subject to change though
Personally, I think any privacy policy, terms of service, end user agreement, etc. are all worthless. Cause at the end of the day you don't know what happens what a business does behind closed doors. Also, with how invasive governments are with businesses and individuals, I just work on the premise everything is compromised. I apply this mindset with "open source" software and hardware. Cause historically speaking, there have been lots of open source systems that were purposefully compromised. The upside of open source is good for inspection purposes, and for business continuity purposes. Once I made shift with my mindset, it allowed me to plan and position myself accordingly.
Absolutely true
I am REALLY waiting for someone above my skill set to make up a slicer profile for K1 and K1max I tried it just does not work out very well
try orca slicer?
The situation is made worse by this release, the A1 an entry level printer aimed at younger customers, I foresee many A1 printers ending up in childrens bedrooms, the A1 will collect images, ether directly or via mirrored images may well include indecent images of your children.
Collecting such images is illegal in many countries and Bambu labs need to ammend privacy policy or risk being guilty of creating indecent images of children in many countries!
yup, now Bambu has gotten ahead of this with a camera cover, but it will nerf many of the features of the printer.
My BL X1C was hacked by someone last night. Started trying to rub the nozzle on the plate for over 2 hours before I noticed. I have contacted BL but no response yet..😢
Do you have any photos or video for it?
@@3DMusketeers yes, many I have forwarded to Bambu
Send it to me too if you dont mind!
There is a term for 'believing' what you read to be truth: *Blind Faith* - These people have *no* reason to be truthful in their 'disclosure' - none whatsoever. Not only that, there is *no* recourse if it proves to be false, and finally - and most importantly - there is *no* way to verify anything they say.
Good thing we just did our log file video where we show exactly what is in a decrypted log file :)
Rather pay Prusa for the premium for privacy and security. I guess if something is too good to be true it usually is. Gotta wonder why Bambu are able to make printers so cheaply.
yup
You know, a Prusa Printer and a Raspberry pi with touchscreen are good enough for me. Its not really that hard to set either up.
exactly
anyone got a link to the Nathan Builds Robots video? I cant find it on his page...
im not sure what you are referencing
I totally agree with you. Thanks for this video. Would you like to do a video with me about the GDPR part? I live in Europe and would like to do a video about this on my channel and of course i want to give you credits.
you can if you want, I just dont know how I could help you on that one lol
Cracking AES is not a trivial matter and the serial number doesn't need to be part of the key and the key can and should change with every handshake. Your best bet is to intercept the data before it is encrypted but again that may also not be a trivial hack.
It's encrypted on the spintrol MCU. I'm guessing it's a non changing hardware key or it would be a pain in the ass to read them at the factory. I'll have to check to see if the MCU does support spinning keys.
If the unit is expecting to see the servers public key, interception won't work. IIRC, anyway.
that is the issue^^
they burned that option when they sold it to them the contract was presented after the sale not before!
no, every company does it like that alas..
Ive beem considerong buy a printer again. Been about 2 years sense i last printed. Was eying the Bambu Carbon X1. Then i ran across videos like this and now im not so sure. Also considering Prusa Mk4 also. But the bambu looks so nice.
while it has nice fit and finish, my experience has been terrible to say the least.
We know what encryption it is?! That's huge, and reduces my search space by several orders of magnitude. Will DM you later. This might be possible in our lifetime...
it is AES for sure
As an innovator, I find the model data to be the most troubling. If I make a new toy that I intend to place copyright on, its pre-leaked to a country that consistently pirates people's work.
Even more troubling is this looks like a case of industrial espionage. People who want to create new things will be the first to buy a rapid prototyping machine.
Do you want sketchy people to see what you're making?
oh its BADDDDDD We finally cracked it.. video soon
We designed and have been selling a product on etsy that didn't exist before we created it; we have now found it being sold on Amazon by 24+ different Chinese companies and to top it off they are using our product images and videos for their advertisement and also customer review images. Our product is not public so they most likely stole our file. Amazon claims they'll investigate and block those sellers 😂
I would be interested to see how Prusa stacks up
me too, awaiting one that we cannot find. So far though, it does not make for compelling content, nothing of major issue.
well you have lot of great point but if i may give some feedback : the main issu in those maters is they can make a 1min video addressing all those point and trying to convince people all those are not much issues. Your video is almost half an hour. So who's message do you think the mass will get ?
Been using linux and FOSS for about 25years and that's something i see time and time again. A big company make 1min spot with a cool well dressed dude telling you "it's fine" in a confident stance. And on the other side a guy that sit all curved wearing a goofy tshirt or sweeter too large for him that takes pages and pages to explain in lot's of unnecessary details why "it is not ok". And off course one is lying and the last one is the good guy in the story. But that doesn't mater because nobody will listen to him except those who are already convinced. It's like trying to fight a fully armored knight that run at you with a huge sharp spike, by sitting and making lots and lots of move with a butter knife. That is not chevaleresque.
Seen that time and time again against IBM, Microsoft, Google, NVIDIA, Apple, Amazon, ... you name it. 25years and still the same story.
Alas brevity isnt my thing. I prefer to present things as we see them. We could maybe do a super cut of it but even at 1min it'll be tough
So I'm going to have to add firewall rules to blacklist every connection to the printer outside of my LAN and leave it on its own VLAN with a VM that is also separated from my network. lovely.
Pretty much, yes, and good luck updating machines that can't update via USB or SD LOL...
While I'm here printing NDA gun parts for prototyping over the cloud 😂
you do you boo
@@3DMusketeers hshshshshs If I may.... In terms of data security I could care less after interning over DJI in the past. I get their point of getting this data and they only use significant flight log information, statistics and whatnot "BLACKBOX with the intent to sell other data for socmed and ads" for external cash flow, DJI alone back then even during the DIY era production was extremely expensive they could not just rely on tradional means. I was already done with my internship when they started profitting from these data selling to manufacture cheaper drones while paying employees generously. I think the same goes for Bambu. Anyways thats just my opinion from experience it could be different now but until we haven't seen bad stuff happening from the millions of DJI drones sold and thousands of bambu printers sold everything thats to be worried about is pretty much meh.
We have seen bad things from DJI, you dont end up on the banned list for the US Govt for NOT doing something wrong.. What exactly, I know it involves selling the data to bad actors, but specifically I am not aware.
@@3DMusketeers I'm in the drone industry as well so I know the reason why its banned its an appropriate move for the US gov. You dont want DJI getting into high position government emplyees assuming some of the said data is sold to bad actors as per rumors other than that you wont see any other DJI user Pro/Com/Private complaining and just to add since US gov service cannot own and use DJI products they just outsource these drone shots or topo scanning for gov use pretty much nonsense but at least people are given high paying work while still using DJI products. Hope you get the drone side but yeah everything else is superstition in my opinion based on my take and experience of how some of these data is used to improve the product, manufacturing, material, software and user experience.
I could be on a witch hunt and not know it, but I would prefer to find the truth, no matter what it tells us!
I'd like to hear bambulab's justification for not allowing offline firmware updates. You know... like basically every other 3d printer on the market can.
If they'd allow that, I'd buy one. It is literally the only thing holding me back from ordering one right now. That they seem unwilling to do that is a big red flag, in my eyes. I can't think of any good non-nefarious reasons for why they'd want to force you to connect your printer to the internet at some point.
They have remained silent. We also did a follow up on what's in the log files for the Bambu. It's more than I'm comfortable with
Look at them ALL!!
Huh?
“Are there other companies whose privacy policies you want us to look at? Let us know in the comments! “@@3DMusketeers
Im so surprised that a contractor would even have a bamboo lab. Talk about the government always playing catch up.....
We got it specifically to see if they would be useful for this and have now gone down such a deep hole of trying to understand it's both frightening, frustrating, and incredibly interesting.
@3DMusketeers you'd think for itar sensative stuff a more vetted and professional fdm manufacturer would be required. I'd assume some sort of external clearance would be required before it was even to be set into the contractors facility. Then again whos to say these comments arnt all from bots on the bamboo side anyways. This is china we are dealing with
There isn't actually a vetting process yet, but I think that's to let people make their own decisions. There's a vetting process for the businesses, like ours, but for people we buy from, no, not really :/ there are recommendations but it's not realistic often for startups like ours.
why do they use google Ireland and meta Ireland? whats with Ireland?
taxes
This is certainly a legitimate issue and while I do not want to minimize it, people need to be aware that Bambu's products are but one of the numerous products in most people's homes that cannot be trusted. ANY web related product - from pc motherboards to modems and routers to home security cameras and even your smartphone that are made in China or consist of Chinese IC chips has the potential to spy on the user. And since there are very few US made alternatives (especially at competitive cost), there is little most people can do to mitigate the concern. Who is to say that your router is not capturing every purchase you make and associating that with other data to personally identify your bank records? Or that your router isn't sharing your Intellectual Property data before you even upload it to the Bambu cloud service?
The point is YES - this is a concern. But I don't think it's fair to necessarily jump on the Bambu bandwagon while everything else in your home is potentially doing the same.
My home is secured, but we are ITAR controlled, so there's that. We run a custom built router which is amazing! But yes, for the average user, it's one of many. Given their investors though (dji) I have good reason to be worried lol
is that joe's new shirt LMAO?
Sam Prentice sells them :)
what is the puppet research shirt about?
If you know, you know, if you don't it is fine to keep it that way lol. There is a bad actor in this community that calls people sock puppets, he inspired the shirt by Sam Prentice: b.link/PuppetResearch
Remember, even the "infamous" Windows telemetry lets you review data collected.
bingo
Maybe DMZ it. Most people don't have the equipment or knowledge to do that. Still doesn't protect your print info though.
DMZ? I am not even sure what you are talking about, sorry!
@3DMusketeers A DMZ allows you to isolate a device on your network from your local network. It sounds like when you send jobs to it from the phone app or slicer, it goes to the cloud and gets pushed down to the printer from the cloud. Or I could be misunderstanding it.
most people separate VLans for it, but then the printer is unable to update, I might as well use sneakernet at that point.
@3DMusketeers That'd work. I don't think I'd care if it reached the internet as long as it was segmented. I guess you could connect, update, and then disconnect. My firewall does region blocking, so it probably wouldn't be able to update, haha.
I would go to jail if I did that. ITAR is strict and non forgiving.
I would love to hereabout this from an attourney's POV.
me too..
Bambulab can take whatever info they want as long as they dont share it with my government. Its our government who is more of a threat than any other one.
they all basically are..
FINALLY THIS VIDEO. YESSSS!!!!
And Yes, the reason i dont get Bambu are because of this and they dont ship here. While prusa ship to a lot of country.
And yes, please do prusa and creality please.
interesting!
up next self destructing drives .......cheers
I mean, it could be done!
Also What about COPPA I know many kids that want 3d printers parents are likely to buy something like an A1 or A1 mini over the more expensive printers. And those printers have exposed cameras that can see everything and they will most likely have it in their rooms and lots of the time people forget to cover the camera or just forget. What will happen if they accidentally catch a vid of a CHILD changing. What if that data gets Leaked or they got hacked. I would certainly have zero trust in a company if they’re printer got my privates exposed.
That is not something I have considered. I think Bambu would say "well you have a way to block the camera" but yeah.. that is a whole new avenue there..
With the X1+ f/w, BLs own blog, seems like a lot of data was collected way more than necessary🤔. No need to decrypt the log file anymore, the logging routines are wide open and visible under linux. We will know the extent of "DEBUG" log data soon.😂
Yes we will. We will be detailing it all that we can figure out in a future video. Stay tuned
Any free cloud service, VPN, online storage etc. should be used with caution. It may seem free on the surface, but you are really paying in different ways.
bingo!
@@3DMusketeers Oh, I almost forgot to tell you this: I checked the logs in my router for the the Bambu Lab machine, and the printer is connecting to several different servers. 1 is in Germany, 1 is in Netherlands or somewhere near there, and a 3rd is connecting to some US based server. None of which are registered to Bambu Labs. I also looked up the ratings for some of them, and some users reported them as dangerous for several reasons.
ooof that is not great! Are you in the US?
@@3DMusketeers Yep. USA, I'm and not using VPN. I screenshot each IP address, so its on my computer at home. I can post on discord or somewhere if you have a place for that.
ah ok, yeah in the states it is harder to get any info and such from them...
The software section will also apply to the mobile app, for which their terms are completely sensible and fair since it is proprietary. Playing devil's advocate, you could read that as applying to that software, rather than the open source desktop software.
while fair, no distinction is made, so in my opinion we have to look at it as a whole.
I like thats different in EU, because here you can force a company to show you what they collected, what they used it for and to delete all of it 👌
its "encrypted for your safety"
@@3DMusketeers If they have collected data, they must make it readable for me upon request, otherwise I can sue them under European law.
In addition, upon request, they must delete all of the data they have from me. If this is not done, there will be severe penalties and high demands for compensation.
This is perhaps also a reason why the collection of model data in the EU only relates to MakerWorld and not to the use of the printer.
I don't mean to say that there isn't any possibility that they could still collect things that they aren't allowed to.
But I think the hurdle is significantly greater.
By all means feel free to try, it has not worked so far
@@3DMusketeers My P1s is coming now and I'll try it out a month after I use it to request my data. They actually have to give them out otherwise they will be threatened with a sales ban in Europe
I will be very curious to see what you get!
The simple fact that it's a cloud driven machine made by a Chinese company is enough to make me suspicious. having encrypted log files and closed ecosystem isn't helping their case either! GDPR (EU/UK) works for us within the EU/UK but if the cloud server is in China GDPR does not apply. Also ( I think I'm right in saying) The Chinese government can seize any data stored on a pubic or private server in China if they feel like it. This is why I got rid of my Huawei phone.
I believe you are right. If you are in the EU/UK you can request the data under GDPR too, so there is that
The ATF and big brother want to know who printing ghost buns😅 thats why ALL the new 3D printers are not open source. All the shops removed open source printers from sales. Except few you know who😅.
I dont think that basically any of that is true. Maybe the letter bois.. but thats it..
Lmao I got an add for the Bambu X1C in this video
yeah they have since started running a ton of ads all over, I am fine with this lol
EU GDPR related video please!!
Only if I can find an expert on it first.
I view Bambu as a "poison apple" and to me the juice isn't worth the squeeze.
for some, it is, that is why we see so many out there. On top of it, they are likely not as educated in the matter as we may like.
Wait I am a kid and I have a x1c and more and it has been smooth so not exactly I also have friends with printers and there experience has been smooth so I guess kid should have printers if they want one (and know how to operate one and have done research)
sure, why not. If you know the risks and are fine with it, go ahead. But know what data is being collected
@@3DMusketeers oh I was not talking about the data and I am aware but I was talking about handling one
@@3DMusketeers also on the first comment I meant experience not expense, which was on my so hopefully he’s still knew what I meant
Great vid! Definitely would be a good podcast
Ha ha ha ha it was a bit in a recent, now private, podcast episode. We got threats from Bambu fans about it and bambu made a less than kind reply on their website about it. Is what it is...
@@3DMusketeers sad, I actually enjoyed this type of content. I'm just glad someone finally decrypted their ass recently
Yeppp seems they aren't a huge fan of it nor are their fans........