HP CEO Enrique Lores recently addressed the issue of the company’s practice of rendering printers unusable when loaded with third-party ink. In an interview with CNBC Television, Lores expressed concern over the possibility of embedding viruses in third-party ink cartridges, which could then infect the printer and potentially spread to the network. This explanation shed light on HP’s deployment of Dynamic Security, a system that prevents printers from functioning if non-HP ink cartridges are installed.
As a result of this practice, HP has faced legal challenges, including a recent lawsuit seeking class-action certification. The lawsuit alleges that HP failed to inform customers that firmware updates issued in 2022 and 2023 could result in non-HP ink cartridges being blocked and printer features not working.
In response to concerns over the security implications of hacked ink cartridges, experts have expressed skepticism about the likelihood of such attacks occurring in the wild. Dan Goodin, Ars Technica’s Senior Security Editor, stated that he was not aware of any active attacks capable of infecting printers through a ink cartridge. Additionally, cybersecurity professionals with expertise in embedded device hacking were also skeptical of the feasibility of this type of attack.
However, HP has backed its concerns with research from Bugcrowd, which found that ink cartridge microcontroller chips, used to communicate with the printer, could potentially be a gateway for attacks. A researcher in the Bugcrowd program reportedly found a method to hack a printer using a third-party ink cartridge, while being unable to perform the same hack with an HP cartridge. This raised concerns about the security of reprogrammable chips used in third-party ink cartridges, which could be modified to inject malicious code into the printer.
Despite HP’s findings, there is no evidence of such hacks occurring in the wild. However, HP has raised concerns about the security of third-party ink companies’ supply chains, suggesting that the reprogrammable nature of their chips makes them less secure compared to HP’s own supply chain, which is ISO/IEC-certified.
Following these developments, it is evident that HP’s use of Dynamic Security was implemented before the company could conclusively demonstrate a legitimate security risk from third-party ink cartridges. While there is acknowledgement of a theoretical vulnerability, cybersecurity professionals believe that the resources and skills required to execute such an attack are typically reserved for high-profile targets, rather than individual consumers and businesses.
In conclusion, while HP’s concerns about hacked ink cartridges are backed by research, the practicality and likelihood of such attacks remain uncertain. As the debate over printer security and ink cartridge usage continues, it is essential for companies to weigh their approach to protecting their products while also ensuring the freedom of consumers to choose third-party alternatives.