Sunday, April 21, 2024

HP CEO evokes James Bond-style hack through ink cartridges

Last Thursday, HP CEO Enrique Lores addressed the company's controversial practice of bricking printers when users load them with third-party ink. Speaking to CNBC Television, he said, "We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network."

That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.

Dynamic Security stops HP printers from functioning if an ink cartridge without an HP chip or HP electronic circuitry is installed. HP has issued firmware updates that block printers with such ink cartridges from printing, leading to the above lawsuit (PDF), which is seeking class-action certification. The suit alleges that HP printer customers were not made aware that printer firmware updates issued in late 2022 and early 2023 could result in printer features not working. The lawsuit seeks monetary damages and an injunction preventing HP from issuing printer updates that block ink cartridges without an HP chip.

But are hacked ink cartridges something we should actually be concerned about?

To investigate, I turned to Ars Technica Senior Security Editor Dan Goodin. He told me that he didn't know of any attacks actively used in the wild that are capable of using a cartridge to infect a printer.

Goodin also put the question to Mastodon, and cybersecurity professionals, many with expertise in embedded-device hacking, were decidedly skeptical.

Another commenter, going by Graham Sutherland / Polynomial on Mastodon, referred to serial presence detect (SPD) electrically erasable programmable read-only memory (EEPROM), a form of flash memory used extensively in ink cartridges, saying:

I've seen and done some truly wacky hardware stuff in my life, including hiding data in SPD EEPROMs on memory DIMMs (and replacing them with microcontrollers for similar shenanigans), so believe me when I say that his claim is wildly implausible even in a lab setting, let alone in the wild, and let alone at any scale that impacts businesses or individuals rather than selected political actors.

HP's evidence

Unsurprisingly, Lores' claim comes from HP-backed research. The company's bug bounty program tasked researchers from Bugcrowd with determining if it's possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.

As detailed in a 2022 article from research firm Actionable Intelligence, a researcher in the program found a way to hack a printer via a third-party ink cartridge. The researcher was reportedly unable to perform the same hack with an HP cartridge.

Shivaun Albright, HP's chief technologist of print security, said at the time:

A researcher found a vulnerability over the serial interface between the cartridge and the printer. Essentially, they found a buffer overflow. That's where you have got an interface that you may not have tested or validated well enough, and the hacker was able to overflow into memory beyond the bounds of that particular buffer. And that gives them the ability to inject code into the system.

Albright added that the malware "remained on the printer in memory" after the cartridge was removed.
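
The validation Albright says was missing, sketched from the defender's side as an added example (it is not from the article, HP, or the researcher): a printer-side parser that treats the length byte sent by a cartridge chip as untrusted. The frame layout, all names, and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame: [id][len N][N payload bytes][XOR of all prior bytes].
 * This layout is an assumption for illustration, not HP's protocol. */
#define FIELD_MAX 16  /* printer-side buffer size for one field */

enum frame_status { FRAME_OK, FRAME_SHORT, FRAME_TOO_LONG, FRAME_BAD_SUM };

struct field { uint8_t id; uint8_t len; uint8_t data[FIELD_MAX]; };

/* Constructed sample frames, not captured from any device. */
static const uint8_t ok_frame[]   = { 0x01, 3, 'A', 'B', 'C', 0x42 };
static const uint8_t long_frame[] = { 0x01, 200, 'A', 'B', 'C', 0x00 };
static const uint8_t bad_frame[]  = { 0x01, 3, 'A', 'B', 'C', 0x00 };
static struct field parsed;

/* Parse one frame from rx[0..rx_len). The declared length is checked against
 * the destination size and the bytes actually received before any copy. */
enum frame_status parse_frame(const uint8_t *rx, size_t rx_len, struct field *out)
{
    if (rx_len < 3)               /* id + len + checksum is the minimum */
        return FRAME_SHORT;
    size_t n = rx[1];             /* untrusted: chosen by the cartridge chip */
    if (n > FIELD_MAX)            /* copying n bytes would overrun out->data */
        return FRAME_TOO_LONG;
    if (rx_len - 3 < n)           /* frame claims more than was received */
        return FRAME_SHORT;
    uint8_t sum = 0;
    for (size_t i = 0; i < n + 2; i++)
        sum ^= rx[i];
    if (sum != rx[n + 2])         /* integrity check only, not authentication */
        return FRAME_BAD_SUM;
    out->id = rx[0];
    out->len = (uint8_t)n;
    memset(out->data, 0, sizeof out->data);
    memcpy(out->data, rx + 2, n); /* n <= FIELD_MAX is guaranteed here */
    return FRAME_OK;
}

int main(void)
{
    printf("ok=%d long=%d bad=%d truncated=%d\n",
           (int)parse_frame(ok_frame, sizeof ok_frame, &parsed),
           (int)parse_frame(long_frame, sizeof long_frame, &parsed),
           (int)parse_frame(bad_frame, sizeof bad_frame, &parsed),
           (int)parse_frame(ok_frame, 4, &parsed));
    return 0;
}
```

The XOR checksum only catches corruption on the wire; it says nothing about who programmed the chip, so the bounds checks are what keep an oversized length from reaching `memcpy`.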

HP acknowledges that there's no evidence of such a hack occurring in the wild. Still, because chips used in third-party ink cartridges are reprogrammable (their "code can be modified via a resetting tool right in the field," according to Actionable Intelligence), they're less secure, the company says. The chips are said to be programmable so that they can still work in printers after firmware updates.

HP also questions the security of third-party ink companies' supply chains, especially compared to its own supply chain security, which is ISO/IEC-certified.

So HP did find a theoretical way for cartridges to be hacked, and it's reasonable for the company to issue a bug bounty to identify such a risk. But its solution for this threat was announced before it showed there could be a threat. HP added ink cartridge security training to its bug bounty program in 2020, and the above research was released in 2022. HP started using Dynamic Security in 2016, ostensibly to solve the problem that it sought to prove exists years later.

Further, there's a sense from cybersecurity professionals that Ars spoke with that even if such a threat exists, it would take a high level of resources and skills, which are usually reserved for targeting high-profile victims. Realistically, the vast majority of individual consumers and businesses shouldn't have serious concerns about ink cartridges being used to hack their machines.
