Last Thursday, HP CEO Enrique Lores addressed the company's controversial practice of bricking printers when users load them with third-party ink.
That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.
To investigate, I turned to Ars Technica senior security editor Dan Goodin.
He told me that he didn't know of any attacks actively used in the wild that are capable of using a cartridge to infect a printer.
Goodin also put the question to Mastodon, and cybersecurity professionals, many with expertise in embedded-device hacking, were decidedly skeptical.
Unsurprisingly, Lores' claim comes from HP-backed research.
The company's bug bounty program tasked researchers from Bugcrowd with determining if it's possible to use an ink cartridge as a cyberthreat.
HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.
As detailed in a 2022 article from research firm Actionable Intelligence, a researcher in the program found a way to hack a printer via a third-party ink cartridge.
The researcher was reportedly unable to perform the same hack with an HP cartridge.
A researcher found a vulnerability over the serial interface between the cartridge and the printer.
That's where you have got an interface that you may not have tested or validated well enough, and the hacker was able to overflow into memory beyond the bounds of that particular buffer.
That gives them the ability to inject code into the device.
HP acknowledges that there's no evidence of such a hack occurring in the wild.
Still, because chips used in third-party ink cartridges are reprogrammable, they're less secure, the company says.
The chips are said to be programmable so that they can still work in printers after firmware updates.
HP also questions the security of third-party ink companies' supply chains, especially compared to its own supply chain security, which is ISO/IEC-certified.
So HP did find a theoretical way for cartridges to be hacked, and it's reasonable for the company to issue a bug bounty to identify such a risk.
HP added ink cartridge security training to its bug bounty program in 2020, and the above research was released in 2022.
HP started using Dynamic Security in 2016, ostensibly to solve the problem that it sought to prove exists years later.
This Cyber News was published on www.wired.com. Publication date: Tue, 23 Jan 2024 21:43:04 +0000