Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
HP Security

HP CEO Evokes James Bond-Style Hack Via Ink Cartridges (arstechnica.com) 166

An anonymous reader quotes a report from Ars Technica: Last Thursday, HP CEO Enrique Lores addressed the company's controversial practice of bricking printers when users load them with third-party ink. Speaking to CNBC Television, he said, "We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network." That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.

Dynamic Security stops HP printers from functioning if an ink cartridge without an HP chip or HP electronic circuitry is installed. HP has issued firmware updates that block printers with such ink cartridges from printing, leading to the above lawsuit (PDF), which is seeking class-action certification. The suit alleges that HP printer customers were not made aware that printer firmware updates issued in late 2022 and early 2023 could result in printer features not working. The lawsuit seeks monetary damages and an injunction preventing HP from issuing printer updates that block ink cartridges without an HP chip. [...]

Unsurprisingly, Lores' claim comes from HP-backed research. The company's bug bounty program tasked researchers from Bugcrowd with determining if it's possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks. [...] It's clear that HP's tactics are meant to coax HP printer owners into committing to HP ink, which helps the company drive recurring revenue and makes up for money lost when the printers are sold. Lores confirmed in his interview that HP loses money when it sells a printer and makes money through supplies. But HP's ambitions don't end there. It envisions a world where all of its printer customers also subscribe to an HP program offering ink and other printer-related services. "Our long-term objective is to make printing a subscription. This is really what we have been driving," Lores said.

This discussion has been archived. No new comments can be posted.

HP CEO Evokes James Bond-Style Hack Via Ink Cartridges

Comments Filter:
  • Your Samsung SAS Drive is not "certified" to work on the HP DL380 Gen 11 Servers. HPE: We do not recommend using 3rd party hardware on HP servers. Anyway to disable this "feature"? HPE: "No."
    • by meandmatt ( 2741421 ) on Monday January 22, 2024 @05:13PM (#64180469)
      I am going to use them to mine bit coin. its like printing money.
    • by Amiga Trombone ( 592952 ) on Monday January 22, 2024 @05:40PM (#64180543)

      I've had some experience with those HP DL380 Gen 11 Servers. My recommendation is to keep the SAS drive, and buy another server.

      • We bought several DL380 and DL360 generations over the years. They were all designed to last at least 5 years, and a new generation came out every 3 years. In reality, the older models lasted for many many years beyond that, the newer ones don't, and so, unless you threw them all out after their 5 year warranty period (like a good IT operation should, but corporate reality often is much different, as we all know), you'd see all the DL360 generations failing very close to one another.

        Every new generation las

      • by MrNaz ( 730548 )

        Is this real? Do you have a link to verify this?

        I run a small MSP and I've used HPE servers from Gen 6 to Gen 10 and I've always used Intel or Micron enterprise SSDs with no issue. If that has changed then I need to hit the streets looking for a new line of servers to recommend.

    • by sconeu ( 64226 )

      The old Motorola MVME147 SBC would not accept a CDC 300MB hard drive with stock firmware, the drive had to have custom Motorola blessed firmware.

    • by ebunga ( 95613 )

      Having dealt with a raid controller issue that literally involved waking up the CEO of a major computer manufacturer at 3am to let them know there was a Very Big Problem that could cause Very Big Data Loss with Very Big Customers, I'm okay with them flagging uncertified drives as uncertified.

      • I am not OK with them flagging drives as uncertified if that also includes refusal to function with said uncertified drives. There is zero justifiable excuse to block functionality. If they want to throw up a one time disclaimer during boot, fine.

    • IBM has been doing this forever.

      • No one wonders why both IBM and HP equipment -- and software (looking at you Red Hat) will never cross my door or wires again.

        Monopolistic behavior, rather than heterogeneity and standards-based products, die. So do their vendors. They become hated, even after the free trips to the golf course, the schmooze-fest conferences, and those luscious quarterly filings to goose Wall Street.

        Not with my dimes.

  • by Narcocide ( 102829 ) on Monday January 22, 2024 @05:05PM (#64180433) Homepage

    Dumb circular logic argument.

  • Simple solution (Score:5, Insightful)

    by simlox ( 6576120 ) on Monday January 22, 2024 @05:06PM (#64180435)
    Remove the unneeded microchip from the cartridges.
    • by jenningsthecat ( 1525947 ) on Monday January 22, 2024 @05:48PM (#64180583)

      Remove the unneeded microchip from the cartridges.

      Exactly this. Dumb silicon, maybe an IRED and a sensor, are all that's needed if you want the cartridge to measure ink levels. Putting that much computing power onto every single ink cartridge is beyond stupid.

      Unless, of course, the plan from the very beginning was to lock out third parties. But no company would ever design their products with that in mind, right?

      This is where legislators should be creating a good rep for themselves by banning these practices. I think voters would remember that come election time, perhaps enough to counter the brib... er, 'election contributions' from the bend-over-and-grease-up hacks who depend on corporate campaign donations.

      • by AmiMoJo ( 196126 )

        The cartridges don't contain liquid ink sloshing about in a tank, they have a sponge that contains the ink. Gravity makes it flow don as the tank is depleted. It would actually be quite difficult to meter.

        Which is why you don't buy an inkjet with cartridges. If you must get one, get one with proper tanks that you can simply look at to determine how full they are.

        Lasers have a similar issue. There is no easy way to measure the amount of toner left in the cartridge, so they just keep a count of how much the p

    • Re: (Score:3, Interesting)

      by bussdriver ( 620565 )

      How about they protect consumers by disabling the printer from running unsigned cartridges that might be unsafe? Or update the firmware with an antivirus to protect me!

      This is like the previous CEO who hired private investigators to spy on members of the board in the name of terrorism... then ran for President... later didn't she get the CEO job back again? I wonder how.... she didn't make the company better... hmm... She managed to avoid jail easily so she was certainly a qualified GOP candidate.

    • by sg_oneill ( 159032 ) on Monday January 22, 2024 @11:35PM (#64181197)

      Yep. My trusty old Brother laser printer has been chugging away for a decade, with no DRM chip, runs great. Its on its second round of toner and I print on it almost every day. Thats about 5 years of regular use for a toner cartrige. There are third party toners available, but the reason I use the brother ones is they actually respect me as a customer and make solid battle-tested products.

      HP *used* to be like that. The original HP laser printers where straight up works of design brilliance. But at some point the corporate droids took over and started inflicting this loss-leader DRM shit and they lost sight of what originally made HP a great company.

      And thats kind of tragic. At least the singaporeans (Brother) still seem to get the value of looking after and trusting the customer.

      • I bought 3rd party toner before I knew you could just keep resetting the carts. My advice: don't bother. The genuine brother ones have better print quality.

        I actually used mine enough to fill up the waste toner box. Naturally it finally conked at 9pm during a crucial print job, after weeks of me ignoring the messages. Fortunately it's also not DRM'd and there are youtube online for those unwise enough to attempt it. Basically you unscrew it, open the clips then remove the semi hazardous dust. A terrible ide

        • by AmiMoJo ( 196126 )

          Brother is indeed Japanese.

          I need some new colour toner for my Ricoh laser, but have been putting it off. I might look at remanufactured carts, because refilling them looks easy but messy. Toner is a bugger to clear up as well, and will trash your vacuum cleaner if you are not careful, but I expect you already know that.

          I'd buy the genuine carts if they were not so expensive, but at least the black remanufactured one I'm running now seems to be every bit as good as the original.

          • Toner is a bugger to clear up as well, and will trash your vacuum cleaner if you are not careful, but I expect you already know that.

            Oh yeah horrible stuff, I'd never go near it with my normal vacuum cleaner. I have a Bosch Gas35-H which should be good up to and including asbestos, and I always use it with the £20 bags with the extra filter in. I fully plan on never knowingly encountering asbestos but in an old house (too old for asbestos in construction really) with potentially old lead paint,

            • by AmiMoJo ( 196126 )

              Yeah, you can reset the Ricoh carts with an Arduino. If I ever go that route I'll have to make a little thing with pogo pins to do it. That said, even the raw toner seems to be getting expensive now, and is only available in massive quantities.

              It would be a shame to replace it because it works, but I do keep an eye out for deals on more compact Brother colour lasers. Or even just a mono one, I don't really use colour these days.

              • Yeah, you can reset the Ricoh carts with an Arduino. If I ever go that route I'll have to make a little thing with pogo pins to do it. That said, even the raw toner seems to be getting expensive now, and is only available in massive quantities.

                I've never tried refilling one. The reset on the Brother just tells the printer to reset it's use counter to 0, so it acts as if it has toner. That generally works several times, and more if you are just printing text (images do start noticeably degrade after a while)

                • by AmiMoJo ( 196126 )

                  Ah, I see. I should try that, I bet there is still some toner in there. Unfortunately this printer seems to consume some every time you turn it on, so even if you don't actually print anything the cartridges are slowly emptied. Or maybe they aren't, only one way to find out.

      • by Gilmoure ( 18428 )

        I was working college IT support at the time when the first HP LJ 2500s came out. Started to see serious design/build issues with them, compared to the previous LJ M series. Been downhill ever since then.

  • by rsilvergun ( 571051 ) on Monday January 22, 2024 @05:08PM (#64180445)
    that makes it possible for a virus to be stored on an ink cartridge!???

    This is why I hate CEOs. There is no way in hell the interviewer didn't think that, but it's a CEO, a modern day equivalent to the King, so you better not question them, or else.
    • There is no way in hell the interviewer didn't think that,

      Really? My impression of the few interviews I've seen on MSNBC is that they carefully select interviewers who don't think otherwise there is always a chance that they might ask a good question by accident. Many of these CEOs would not last two seconds in front of a real interviewer who could not only think but had done their job preparing for the interview.

  • To bring dire straits to your environment, Crush your corporation with a mild touch, Trash your whole computer system And revert you to papyrus. -Deltron 3030
  • by dohzer ( 867770 ) on Monday January 22, 2024 @05:11PM (#64180455)

    Viruses? Hackers? Shit... I better purchase new secure ink cartridges!

  • by Fly Swatter ( 30498 ) on Monday January 22, 2024 @05:11PM (#64180457) Homepage
    Please treat their products as such, so that we can help them fix this threat.
    • by kmoser ( 1469707 )

      HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.

      So? I never hired HP to secure my hardware, so at best they are doing unauthorized pentesting on my printer.

  • yes mr bond are plan is to drive up the cost of ink needed to print the required documents

  • by jacks smirking reven ( 909048 ) on Monday January 22, 2024 @05:12PM (#64180465)

    At this point if you don't know anything about printers or computers and have nobody to ask well, sorry for you for purchasing an HP. I feel like people just vastly overestimate their printer needs.

    Need a basic ass printer? Brother laser. The Toyota Camry of printers; boring and reliable. One of these honestly covers 90% of print needs for 90% of people.

    Really really worried about a lack of color just in case? Invest a little more now and get a Brother color laser, you can grab a HL-L3220CDW for $250 and it will beat the pants off whatever inkjet crap HP is selling and your cost per page will be dirt cheap.

    Actually need to print photos? Get a real dye sublimation photo printer like a DNP. If $500 seems steep for just a photo printer then you probably don't actually need to print photos as much as you think you do.

    • Exactly what you said.

      At work, real HP Laserjet printers- the higher end ones. None of this chip nonsense and certainly would NEVER consider inkjet. We use third-party cartridges in all of them. They are reliable and feature-packed.

      At home, I use a Brother mono laser. Cheap, enough features, none of the nonsense. Use third-party toner. I don't print/scan much, and when I do, 95% of the time black and white is fine. This was after years of replacing HP color inkjets and finally giving up- at least one

      • True, should have made clear this only applies to residential market. When going commercial, like you said, HP may as well be a different brand entirely. Much like Sony versus Sony Broadcast, just a whole different class of gear.

        Similar example is Rigid where the power tools you see at Home Depot are made by an TTI, the Chinese conglomerate who also owns Milwaukee but the actual commercial plumbing tools are made by Emerson in the USA.

    • Pretty much agree with this, for photo printing I find those kiosks at the Kmart to be good enough, I don't think I spent more than $12.00 on family photo printing in the last year... It amazes me that we have fully open-source 3D printers in this day and age, yet no one has attempted to just build a simple inkjet printer with no authentication process for ink cartridges, or maybe just some mad scientist process where you just tie some generic ink refill bottle to an IV drip of some sort, or an open-sourc
      • by jacks smirking reven ( 909048 ) on Monday January 22, 2024 @09:53PM (#64181085)

        Epson has a tank refillable system which amongst all the inkjet models I have heard is the "least worst" series and manufacturer.

        Epson Ecotank [epson.com]

        In regards to your question I think it's because printing is actually pretty difficult and tricky and pretty unglamorous at that, between the physical moving and alignment of the paper to the processing and postprocessing of images, fonts and formats and all that sort of printer specific language shit has to talk.

        I always say that probably like 40-60% of all the man hours in history spent on IT support and help desking has probably been related to printers.

        I mean honestly when I look inside my laser printers and see the amount of roller, gears, motors and so many plastic parts to the assembly it's one of those modern miracles I was able to buy it for what, like $120? Fuckin' magic is what it is.

    • by antdude ( 79039 )

      What about a All-In-One model including old school fax?

    • Need a basic ass printer? Brother laser. The Toyota Camry of printers; boring and reliable. One of these honestly covers 90% of print needs for 90% of people.

      My usual website for buying tech lists 24 Brother black and white laser printers. What is wrong with Brother ?

  • by nightflameauto ( 6607976 ) on Monday January 22, 2024 @05:12PM (#64180467)

    "Our long-term objective is to make printing a subscription. This is really what we have been driving," Lores said.

    And the PR department explodes. He said the quiet part out-loud. I wonder if that'll be enough to cancel the golden parachute once he's done destroying what's left of HP? Probably not.

  • Loading code (Score:5, Interesting)

    by imunfair ( 877689 ) on Monday January 22, 2024 @05:23PM (#64180507) Homepage

    Uh, if your printer is literally loading code from ink cartridges you have the weirdest and most vulnerable DRM setup I've ever heard of, and need to burn the company down and start from scratch because something is terribly wrong with the way you design and manage products.

    Alternatively and far more likely: The CEO was lying to defend their terrible ink DRM practices that can brick the item you own.

  • In other words (Score:5, Insightful)

    by dcooper_db9 ( 1044858 ) on Monday January 22, 2024 @05:40PM (#64180547)

    HP printers are vulnerable to viruses. Buy from a company that doesn't have this problem.

  • If a printer can be compromised by a malicious cartridge, then the printer is either very badly designed, or maliciously programmed by the manufacturer. Just fix it and stop giving excuses.

    Unless of course none of the above are true and the CEO is simply lying.

    Uh, don't all three alternatives look quite ugly from a legal perspective?

  • by ebunga ( 95613 ) on Monday January 22, 2024 @05:44PM (#64180563)

    They're knowingly and willfully embedded exploitable computer technology into their print cartridges despite the fact previous generations of print cartridges did not require that technology. They should stop embedding exploitable technology and go back to SAFE, reliable technology.

    • They're knowingly and willfully embedded exploitable computer technology into their print cartridges despite the fact previous generations of print cartridges did not require that technology. They should stop embedding exploitable technology and go back to SAFE, reliable technology.

      That's what I thought. Who designs a printer where someone can sneak a virus onto a network with an ink cartridge? If you did that then why tell the world your products are vulnerable to this?

      Here's another thought... what about fake cartridges? I don't mean "fake" as in someone knowingly bought a cheaper cartridge from a third party, but "fake" as in it would appear to be a legitimate HP product without doing destructive analysis. Or rather not knowing it isn't a legit HP product until some malicious p

  • ok then where is the code to make self refills work?

  • Now what ford said you can only use ford gas stations with the same BS like (non ford gas pumps can load code into the car)

    • Now what ford said you can only use ford gas stations with the same BS like (non ford gas pumps can load code into the car)

      This makes me wonder if an EVSE can somehow inject code into an EV.

      I guess anything is possible so perhaps the question is more on if any EV manufacturer considered the possibility of a malicious EVSE trying to do something bad to the vehicle and did some kind of testing or study to protect against this. Certainly someone can do damage with the charge port as the vector, just as someone can damage a gasoline vehicle by putting something other than gasoline in the tank, so this is more than just a question

  • The company's bug bounty program tasked researchers from Bugcrowd with determining if it's possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.

    All we need is an excuse to win our lawsuit. It doesn't matter if it is only theoretical and users don't care. It doesn't matter if it isn't the reason for the DRM - we can just say it is.

  • HP made really good DeskJet 500's back in the early 1990's. It's too bad that their current printers are virus riddled plastic garbage heaps today.

  • by msauve ( 701917 ) on Monday January 22, 2024 @06:24PM (#64180679)
    HP, just allow cartridges with no chip to be used, then there's no security issue. If the ink runs out in the middle of the page, I'll replace the cartridge and reprint. Problem solved. But somehow, I don't think that's the real issue. You're just being disingenuous.
  • That Blofeld guy is really just phoning it in anymore.

  • I was wondering how my HP Laserjet got Covid.

  • If they didn't put so many smarts in the cartridge they couldn't have viruses in the first place.

  • ...the first few times you got burned by an HP printer, ok...annoying, stupid company. Right? The next couple dozen times, that's on you.

    Why do people keep giving them money for their printers?

  • The attack vector is the HP DRM function in the printer cartridge, nothing to do with anything required for actual printing.

    If there is an attack vector that can be exploited by simply sending printer cartridges to a company, you shouldn't use that product on your network.

    There should be a policy in every company to not insert random USB drives mailed to them.
    If an HP ink cartridge is just as risky, there should be a policy not to install any HP cartridge.

  • by khchung ( 462899 ) on Monday January 22, 2024 @07:01PM (#64180777) Journal

    If HP printers could be infected with virus from ink cartridges, it could also very well be infected with virus from a document to be printed. After all, printing a document involved reading document and interpreting the content, and who can say that a carefully crafted document cannot trigger a buffer overflow and let the virus in?

    So the right solution is don't buy HP printers.

    Oh yeah, BTW, hands up if you are old enough to remember RIAA saying bootlegged CD could damage your CD player. This is the just the same FUD from HP.

  • ... updates that block printers ...

    Translation: HP sees its job as putting monopoly-enhancing software in hardware, not making that software survive real-world abuse, such as a virus: Because profits.

  • How the true greed of corporations like HP rears its ugly head... they aren't content to sell you something that you actually own. They want to keep their hooks in it. All for them, nothing for you.

    Creeps.

  • "Don't buy our insecure crap, no other company has that problem".

    • HP bitch mouthpiece Lores sez ..."make printing a subscription". Tell me he's a kidder ...  but tell me again where that baseball bat needs to be inserted ...
  • They've sucked for decades. Why does anyone buy their shit when Brother etc exist?

  • Never thought I'd see a CEO use "we suck" as an excuse. "We need to be a monopoly because we suck." Jeeze.

  • Don't put a fucking computer chip in the ink in the first place. Eliminate the attack vector. Problem solved.
  • Erm, isn't the obvious solution to not have any electronics in ink cartridges? I mean, it's an ink cartridge; something that holds ink... for printers. Why does it need electronics & malware inside?
  • "The DRM we ourselves needlessly introduced into cartridges is an attack vector so we shall 'protect' users from potential harm by bricking their printers". Of course if they were THAT concerned they would disable the DRM checks entirely.

  • by stevenm86 ( 780116 ) on Tuesday January 23, 2024 @04:18AM (#64181455)
    This is HP giving itself a black eye and intentionally trying to pass it off as trendy new make-up.

    If it's possible to infect a network via an ink cartridge, that is not the fault of the cartridge, but of HP's *profoundly* shitty firmware, if that firmware reads data from the cartridge and treads that data as if it were trusted. The whole *point* of talking to the cartridge is to interrogate it and confirm that it is genuine. By its very nature, this problem requires the printer to communicate with an untrusted device (the cartridge) and validate its response. If you cannot do this without hitting some sort of buffer overflow or code execution vulnerability, then you have failed. Miserably. Completely.

    Even *if* this demo somehow convinces to intentionally only buy what you believe is "genuine HP" crap, this demo *still* show how vulnerable HP's printers are to a supply chain attack. And we know those are not uncommon.

    If I cared about printing, I would pick up one of these printers and see if it's possible to root the firmware using a carefully-crafted cartridge payload, then patch the firmware to skip the auth checks once and for all.

    Fun fact, a week ago I was trying to get my mother's Epson to accept aftermarket ink, which resulted in discovering Linux and Busybox in the printer's firmware (GPL request sent, awaiting reply). But that's just the "connectivity" portion of the printer (wifi and such); the actual printing / cartridge / UI junk probably runs in a separate execution domain. This article is starting to give me ideas.
  • Lores is right to make the claim. I personally got an STD from my HP ink cartridge while printing a tattoo on my Johnson. So beware of viruses, and drinking while posting on Slashdot.
  • I donâ(TM)t understand why ink cartridges need embedded programming.

    I donâ(TM)t understand why that programming interface needs to be powerful enough to compromise the printer in some dangerous way.

    And I donâ(TM)t understand why this exploit canâ(TM)t be patched effectively on the printer side.

    I mean ⦠I understand why HP did all these things (money), but I donâ(TM)t understand why anyone would indulge their obvious lies and manipulation and pretend this situation is anyt

  • 10 on 10 for honesty as chilling as it is. But the unasked question: what else are you doing in your products to maximize your profits?

  • They are clearly making excuses. Just let users explicitly accept the risk. Put a warning label saying "Use of 3rd party ink cartridge is a security hazard." and call it a day.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...