by hWuxH 505 days ago
> Right now, the printer's local MQTT server can only be accessed from the local IP using an 8 digit password obtained through the physical display.

The problem is hackers don't need to play by the rules (accessing the display).

8 digits that never change is a joke in terms of security; it could be brute-forced within hours/days by sending a network request for each possible combination.

MITM: afaik Bambu Studio/Connect/Handy validate the printer's certificate during the TLS handshake, but most third-party software probably doesn't (barely found documentation about it).

And there are a few other (although not as fundamental) weaknesses like no mutual authentication, access control or revocation of specific clients. Due to the nature of MQTT, every client can see messages sent by other clients once authenticated.
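
Added example, not part of the comment above and not code from any Bambu or third-party project: a Python sketch of the certificate validation the comment says most third-party clients probably skip, with the weak TLS setup beside a strict one. All function names are hypothetical; the CA file, the name expected in the certificate and the pinned SHA-256 fingerprint are assumed to be obtained out of band by the caller.

```python
import hashlib
import hmac
import socket
import ssl


def weak_context():
    """Anti-pattern: the link is encrypted but the broker is never authenticated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including a MITM's, is accepted
    return ctx


def strict_context(ca_file=None):
    """Verify the chain (against ca_file if given) and the name in the certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx):
    """Return the reasons a context would accept an impostor broker."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate identity is not checked")
    return findings


def fingerprint(der_cert):
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_hex):
    return hmac.compare_digest(fingerprint(der_cert), pinned_hex.lower())


def open_verified(host, port, ctx, server_name, pinned_hex):
    """Refuse weak contexts, do the TLS handshake, then enforce the pin."""
    problems = audit(ctx)
    if problems:
        raise ssl.SSLError("refusing to connect: " + "; ".join(problems))
    raw = socket.create_connection((host, port), timeout=5)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=server_name)
    except Exception:
        raw.close()
        raise
    if not pin_matches(tls.getpeercert(binary_form=True), pinned_hex):
        tls.close()
        raise ssl.SSLError("broker certificate does not match the pinned fingerprint")
    return tls  # authenticated channel; only now send the MQTT CONNECT and password
```

The point of the ordering in `open_verified` is that the access code is only ever sent after the broker has proven its identity.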