HP CEO Says They Brick Printers That Use Third-Party Ink Because of Hackers

Last Thursday, HP CEO Enrique Lores addressed the company's controversial practice of bricking printers when users load them with third-party ink.
That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.
To investigate, I turned to Ars Technica senior security editor Dan Goodin.
He told me that he didn't know of any attacks actively used in the wild that are capable of using a cartridge to infect a printer.
Goodin also put the question to Mastodon, and cybersecurity professionals, many with expertise in embedded-device hacking, were decidedly skeptical.
Unsurprisingly, Lores' claim comes from HP-backed research.
The company's bug bounty program tasked researchers from Bugcrowd with determining if it's possible to use an ink cartridge as a cyberthreat.
HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.
As detailed in a 2022 article from research firm Actionable Intelligence, a researcher in the program found a way to hack a printer via a third-party ink cartridge.
The researcher was reportedly unable to perform the same hack with an HP cartridge.
A researcher found a vulnerability over the serial interface between the cartridge and the printer.
That's where you have got an interface that you may not have tested or validated well enough, and the hacker was able to overflow into memory beyond the bounds of that particular buffer.
That gives them the ability to inject code into the device.
HP acknowledges that there's no evidence of such a hack occurring in the wild.
Still, because chips used in third-party ink cartridges are reprogrammable, they're less secure, the company says.
The chips are said to be programmable so that they can still work in printers after firmware updates.
HP also questions the security of third-party ink companies' supply chains, especially compared to its own supply chain security, which is ISO/IEC-certified.
So HP did find a theoretical way for cartridges to be hacked, and it's reasonable for the company to issue a bug bounty to identify such a risk.
HP added ink cartridge security training to its bug bounty program in 2020, and the above research was released in 2022.
HP started using Dynamic Security in 2016, ostensibly to solve the problem that it sought to prove exists years later.


This Cyber News was published on www.wired.com. Publication date: Tue, 23 Jan 2024 21:43:04 +0000


Cyber News related to HP CEO Says They Brick Printers That Use Third-Party Ink Because of Hackers

HP CEO Says They Brick Printers That Use Third-Party Ink Because of Hackers - Last Thursday, HP CEO Enrique Lores addressed the company's controversial practice of bricking printers when users load them with third-party ink. That frightening scenario could help explain why HP, which was hit this month with another lawsuit over ...
9 months ago Wired.com
Former Uber CISO Speaks Out, After 6 Years, on Data Breach, SolarWinds - Joe Sullivan arrived at his sentencing hearing on May 4 this year, prepared to go to jail had the judge not gone with a parole board's recommendation of probation. A federal jury convicted the former Uber CISO months earlier on two charges of fraud ...
11 months ago Darkreading.com
ProcessUnity Introduces Industry's All-In-One Third-Party Risk Management Platform - PRESS RELEASE. BOSTON-(BUSINESS WIRE)- ProcessUnity, provider of comprehensive end-to-end third-party risk management and cybersecurity solutions to leading enterprises, today announced the completed integration of the Global Risk Exchange. The newly ...
9 months ago Darkreading.com
Check if you're in Google Chrome's third-party cookie phaseout test - Google has started testing the phasing out of third-party cookies on Chrome, affecting about 1% of its users or approximately 30 million people. Learn how to check if you are part of the initial test. Third-party cookies, which track users' browsing ...
9 months ago Bleepingcomputer.com
What Are the Cybersecurity Threats When Allowing Third-Party Cookies on Mac? - Let's explore the dangers of allowing third-party cookies on a Mac. Let's learn what third-party cookies are. Third-party cookies are small files that websites use to track your activity. These cookies can follow you across multiple sites, gathering ...
4 months ago Securityboulevard.com
Rootkit Turns Kubernetes from Orchestration to Subversion - As software development focuses on continuous integration and deployment, orchestration platforms like Kubernetes have taken off, but that popularity has put them in attackers' crosshairs. Most successful attacks - at least those publicly reported - ...
1 year ago Darkreading.com
Booking.com hackers increase attacks on customers - Hackers are increasing their attacks on Booking.com customers by posting adverts on dark web forums asking for help finding victims. Cyber-criminals are offering up to $2,000 for login details of hotels as they continue to target the people who are ...
11 months ago Bbc.com
Third-party risk management best practices and why they matter - With organizations increasingly relying on third-party vendors, upping the third-party risk management game has become imperative to prevent the fallout of third-party compromises. SecurityScorecard recently found that 98% of organizations are ...
9 months ago Helpnetsecurity.com
Third-party breaches hit 90% of top global energy companies - A new report from SecurityScorecard reveals a startling trend among the world's top energy companies, with 90% suffering from data breaches through third parties over the last year. This sheds light on the need for these energy companies to adopt a ...
9 months ago Securityintelligence.com
CVE-2019-6332 - A potential security vulnerability has been identified with certain HP InkJet printers. The vulnerability could be exploited to allow cross-site scripting (XSS). Affected products and versions include: HP DeskJet 2600 All-in-One Printer series model ...
4 years ago
CISOs and Their Companies Struggle to Comply With SEC Disclosure Rules - About six months ago, CISO Steve Cobb noticed that the contract language proposed by public companies had some notable additions. In the case of a breach, publicly traded companies wanted more control over how their third-party providers responded to ...
6 months ago Darkreading.com
Cyber Insights 2023: Criminal Gangs - The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs. Despite some geopolitical overlaps with state attackers, the majority of ...
1 year ago Securityweek.com
Russian hackers wiped thousands of systems in KyivStar attack - The Russian hackers behind a December breach of Kyivstar, Ukraine's largest telecommunications service provider, have wiped almost all systems on the telecom operator's network. Following the incident, Kyivstar's mobile and data services went down, ...
10 months ago Bleepingcomputer.com
How to manage third-party risk in the cloud - The increasing levels of access and integration within cloud environments create risks and potential new avenues of compromise for cloud customers. Organizations can hope their cloud service providers are secure, but that's not always the case. It's ...
8 months ago Techtarget.com
Top 3 Priorities for CISOs in 2024 - As the new year begins, CISOs gather with their security teams and corporate management to scope out top priorities for 2024 and how to address these issues. This year - with a multitude of new privacy laws, Securities and Exchange Commission ...
10 months ago Darkreading.com
AnyDesk says hackers breached its production servers, reset passwords - AnyDesk confirmed today that it suffered a recent cyberattack that allowed hackers to gain access to the company's production systems. BleepingComputer has learned that source code and private code signing keys were stolen during the attack. AnyDesk ...
9 months ago Bleepingcomputer.com
Law Firms and Legal Departments Get Singled Out For Cyberattacks - Cyberattackers are doubling down on their attacks against law firms and corporate legal departments, moving beyond their historical activity of hacking and leaking secrets to targeting the sector with financial attacks, such as ransomware and ...
11 months ago Darkreading.com
How Hackers Interrupted GTA 5 Online Gameplay on PC - Recently, a cyber-attack on Grand Theft Auto 5 Online on PC caused an interruption to thousands of players’ gameplays. The game was completely taken offline and players couldn’t even access the main gameplay menu. The attack caused an uproar ...
1 year ago Hackread.com
Russian hackers use Ngrok feature and WinRAR exploit to attack embassies - After Sandworm and APT28, another state-sponsored Russian hacker group, APT29, is leveraging the CVE-2023-38831 vulnerability in WinRAR for cyberattacks. APT29 is tracked under different names and has been targeting embassy entities with a BMW car ...
11 months ago Bleepingcomputer.com
Classes cancelled as 'sinister' school cyber-attacks rise - BBC. Cancelled lessons and snaking lunchtime queues are among the ways pupils are being affected by an increasing number of cyber attacks on schools. New figures from the Information Commissioner's Office show 347 cyber incidents were reported in the ...
6 months ago Bbc.com
Third-Party Security Assessments: Vendor Risk Management - As businesses rely more heavily on external vendors to provide critical services and support, the importance of effective vendor risk management strategies becomes paramount. This article explores the significance of third-party security assessments, ...
9 months ago Securityzap.com
Holiday Hackers: How to Safeguard Your Service Desk - Hackers really don't take holidays, but they will take advantage of them. Many of these cyberattacks will zero in on the service or help desk to gain entry into network systems. Recovering accounts because of forgotten passwords is one of the ...
11 months ago Bleepingcomputer.com
Third-party breaches shake the foundations of the energy sector - 90% of the world's largest energy companies experienced a third-party breach in the past 12 months, according to SecurityScorecard. Powering the global economy and everyday activities, the energy sector's significance makes it a key focus for cyber ...
11 months ago Helpnetsecurity.com
Why Have Big Cybersecurity Hacks Surged in 2023? - Payments made to hackers who hold systems hostage for ransom increased by almost half through September, according to blockchain analytics firm Chainalysis Inc., totaling almost $500 million in payouts. In just the past few months, hackers have ...
11 months ago Bloomberg.com
Top 10 Endpoint Security Best Practices That Help Prevent Cyberattacks - Endpoints are one of the hackers` favorite gates to attacking organizations` networks. Setting foot into only one of the connected devices can open the way for threat actors to deploy malware, launch phishing attacks, and steal data. Antiviruses are ...
1 year ago Heimdalsecurity.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)