Last Thursday, HP CEO Enrique Lores addressed the company’s controversial practice of bricking printers when users load them with third-party ink. talking to CNBC Televisionsaid, “We found that you can put viruses into cartridges. Through the cartridge, [the virus can] go to printer [and then] switch from printer to network.”
This scary scenario may help explain why HP is hitting with someone else this month lawsuit over its Dynamic Security systeminsists on putting it on printers.
I reached out to Ars Technica’s senior security editor Dan Goodin to find out. He told me that he is not aware of any attacks being actively used in the wild that could use a cartridge to infect a printer.
Goodin too asked the question to Mastodonand cybersecurity experts, many with experience in hacking embedded devices, were strongly skeptical.
Proof of HP
Not surprisingly, Lores’ claim comes from HP-backed research. The company’s bug bounty program tasked Bugcrowd researchers with determining whether an ink cartridge could be used as a cyber threat. HP claimed that sophisticated cartridge microcontroller chips used to communicate with the printer could be an entry point for attacks.
In detail a 2022 articles A software researcher from research firm Actionable Intelligence found a way to hack a printer using a third-party ink cartridge. The researcher was reportedly unable to perform the same hacking operation with the HP cartridge.
Shivan Albright, chief technologist for print security at HP, said at the time:
After the cartridge was removed, the malware “remained in memory in the printer,” Albright added.
HP admits that there is no evidence that such a hack has occurred in the wild. Still, because the chips used in third-party ink cartridges are reprogrammable (their code, according to Actionable Intelligence, “can be changed via a field reset tool”), they’re less secure, the company says. The chips are said to be programmable so they can still work in printers after firmware updates.
HP also questions the security of the supply chains of its third-party ink companies, especially compared to the security of its own supply chain. ISO/IEC certified.
So HP found a theoretical way to hack cartridges, and it’s reasonable for the company to issue a bug bounty to identify such a risk. However, the solution to this threat has been announced before showed that it could be a danger. HP added ink cartridge safety training to its bug bounty program in 2020, and the above study was released in 2022. HP started using Dynamic Security in 2016 to solve a problem it apparently tried to prove existed years later.