On Thursday, HP Chief Executive Enrique Lores addressed the company’s controversial practice of bricking printers when customers load third-party ink. “We have seen that viruses will be embedded in ink cartridges,” he told CNBC. “[The virus can] go to the printer, [and then] from the printer, go to the network.”
This dire scenario may help explain why HP, which was hit with another lawsuit this month over its Dynamic Security system, insists on deploying it to its printers.
To investigate, I turned to Ars Technica Senior Security Editor Dan Goodin for help. He told me that he was unaware of any attacks actively used in the wild that would use ink cartridges to infect printers.
Goodin also raised the issue on Mastodon, and cybersecurity professionals, many of whom have experience in embedded device hacking, were apparently skeptical.
Evidence from HP
Not surprisingly, Lores’s claims come from research backed by HP. The company’s bug bounty program asked Bugcrowd researchers to determine whether the cartridge could be used as a cyber threat. HP believes that the ink cartridge microcontroller chip used to communicate with the printer could be an entry point for attacks.
As described in a 2022 article by research firm Actionable Intelligence, one of the researchers on the project found a way to hack into printers via third-party ink cartridges. According to reports, researchers were unable to perform the same hack using HP ink cartridges.
Shivaun Albright, chief technologist for print security at HP, said at the time:
Albright added that after the ink cartridges were removed, the malware “remained in the printer’s memory.”
HP admitted it had no evidence such hacks were taking place in the wild. Nevertheless, the company says that because the chips used in third-party cartridges are reprogrammable (their “code will be modified through field reset tools,” according to Actionable Intelligence), they are less secure. The chips are said to be programmable so that they can still work in the printer after firmware updates.
HP also questioned the security of the third-party ink company’s supply chain, especially compared to the security of its own supply chain, which is ISO/IEC certified.
So HP did find a theoretical way in which the cartridges could be hacked, and it could make sense for the company to issue a bug bounty to identify this risk. However, its solution to this threat was introduced before it demonstrated a possible threat. HP added cartridge security training to its bug bounty program in 2020, and the above study was released in 2022. HP started using Dynamic Security in 2016, ostensibly to solve a problem it was trying to prove existed several years later.