Last Thursday, HP CEO Enrique Lores addressed the company’s controversial practice of bricking printers when users load them with third-party ink. Speaking to CNBC Television, he said, “We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network.”
That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.
To investigate, I turned to Ars Technica senior security editor Dan Goodin. He told me that he didn’t know of any attacks actively used in the wild that are capable of using a cartridge to infect a printer.
Goodin also put the question to Mastodon, and cybersecurity professionals, many with expertise in embedded-device hacking, were decidedly skeptical.
HP’s Evidence
Unsurprisingly, Lores’ claim comes from HP-backed research. The company’s bug bounty program tasked researchers from Bugcrowd with determining if it’s possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.
As detailed in a 2022 article from research firm Actionable Intelligence, a researcher in the program found a way to hack a printer via a third-party ink cartridge. The researcher was reportedly unable to perform the same hack with an HP cartridge.
Shivaun Albright, HP’s chief technologist of print security, said at the time:
A researcher found a vulnerability over the serial interface between the cartridge and the printer. Essentially, they found a buffer overflow. That’s where you have got an interface that you may not have tested or validated well enough, and the hacker was able to overflow into memory beyond the bounds of that particular buffer. And that gives them the ability to inject code into the device.
Albright added that the malware “remained on the printer in memory” after the cartridge was removed.
HP acknowledges that there’s no evidence of such a hack occurring in the wild. Still, because chips used in third-party ink cartridges are reprogrammable (their “code can be modified via a resetting tool right in the field,” according to Actionable Intelligence), they’re less secure, the company says. The chips are said to be programmable so that they can still work in printers after firmware updates.
HP also questions the security of third-party ink companies’ supply chains, especially compared to its own supply chain security, which is ISO/IEC-certified.
So HP did find a theoretical way for cartridges to be hacked, and it’s reasonable for the company to issue a bug bounty to identify such a risk. But its solution for this threat was announced before it showed there could be a threat. HP added ink cartridge security training to its bug bounty program in 2020, and the above research was released in 2022. HP started using Dynamic Security in 2016, ostensibly to solve the problem that it sought to prove exists years later.