Last Thursday, HP CEO Enrique Lores addressed the corporate’s controversial apply of bricking printers when customers load them with third-party ink. Speaking to CNBC Television, he mentioned, “We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network.”

That scary state of affairs might assist clarify why HP, which was hit this month with one other lawsuit over its Dynamic Security system, insists on deploying it to printers.

To examine, I turned to Ars Technica senior safety editor Dan Goodin. He instructed me that he did not know of any assaults actively used within the wild which can be able to utilizing a cartridge to contaminate a printer.

Goodin additionally put the question to Mastodon, and cybersecurity professionals, many with experience in embedded-device hacking, have been decidedly skeptical.

HP’s Evidence

Unsurprisingly, Lores’ declare comes from HP-backed analysis. The firm’s bug bounty program tasked researchers from Bugcrowd with figuring out if it is doable to make use of an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, that are used to speak with the printer, could possibly be an entryway for assaults.

As detailed in a 2022 article from analysis agency Actionable Intelligence, a researcher in this system discovered a solution to hack a printer through a third-party ink cartridge. The researcher was reportedly unable to carry out the identical hack with an HP cartridge.

Shivaun Albright, HP’s chief technologist of print safety, mentioned on the time:

A researcher discovered a vulnerability over the serial interface between the cartridge and the printer. Essentially, they discovered a buffer overflow. That’s the place you’ve got an interface that you could be not have examined or validated properly sufficient, and the hacker was in a position to overflow into reminiscence past the bounds of that individual buffer. And that offers them the flexibility to inject code into the gadget.

Albright added that the malware “remained on the printer in memory” after the cartridge was eliminated.

HP acknowledges that there is no proof of such a hack occurring within the wild. Still, as a result of chips utilized in third-party ink cartridges are reprogrammable (their “code can be modified via a resetting tool right in the field,” based on Actionable Intelligence), they’re much less safe, the corporate says. The chips are mentioned to be programmable in order that they will nonetheless work in printers after firmware updates.

HP additionally questions the safety of third-party ink corporations’ provide chains, particularly in comparison with its personal provide chain safety, which is ISO/IEC-certified.

So HP did discover a theoretical method for cartridges to be hacked, and it is cheap for the corporate to problem a bug bounty to determine such a threat. But its resolution for this menace was introduced earlier than it confirmed there could possibly be a menace. HP added ink cartridge safety coaching to its bug bounty program in 2020, and the above analysis was launched in 2022. HP began utilizing Dynamic Security in 2016, ostensibly to resolve the issue that it sought to show exists years later.