I’m surprised this isn’t a bigger part of the story.

Bambu’s authentication is just the client saying “I am Bambu Studio”. The server completely trusts that with no additional authentication.

It’s like setting up a website with a user login, and if someone puts in “admin” in the username field without a password, the system says “sounds good” and lets you in. And then the website owners getting mad that someone hacked their system.

Blatant incompetence. I can’t believe they’re using their stupidity as an argument.

That’s a fair point. I think home assistant initiates the connection, but I’m not sure how status updates work from the smart switch to home assistant. Could be home assistant polling, web sockets, or the switch broadcasting.

I get the security aspect of it, but in my case I can’t see a reason to go through the hassle. My smart switches talk to home assistant running on my server. I want new devices to be able to access the plex server without manual config. And my server is arguably the most sensitive machine on my network, so if I can’t protect that, I don’t think it’s worth protecting anything.