HP Opens a New Front on Its War Against Hackers: Printer Cartridges

Expands successful “bug bounty” program to office-class HP Original Ink and Toner cartridges


10/02/2020

Jamie Bsales

 

The pressing need for robust IT-infrastructure security safeguards is well understood, as the legion of reports about network hacks, data breaches, ransomware attacks, and phishing scams grows monthly. While network and cloud infrastructures—and the endpoints attached to them—garner most of the attention, an easily overlooked potential vulnerability lurks inside every office-class printer and MFP: the consumables cartridge. These cartridges come equipped with embedded integrated circuit (IC) microcontroller chips that contain code that enables them to communicate with the printer and perform essential functions.

 

Back in 2018, HP was the first document imaging OEM to launch a public “bug bounty” program, where ethical “white hat” hackers were encouraged (rewarded, in fact) to look for vulnerabilities in HP’s office-class printers and MFPs. The goal was to find chinks in the armor so that fixes could be issued before any vulnerability was exploited by hackers with malicious intent. That initiative yielded approximately 40 exploitable bugs that could have been used to compromise device security, and HP issued firmware updates to close those holes.

 

Now, HP is the first OEM to expand such a program to ink and toner cartridges. The company is challenging four professional ethical hackers to identify security vulnerabilities and risks that might be lurking in the firmware found in office-class (not consumer-level) HP Original Ink and Toner cartridges. Instances of cartridge-chip hacking are rare, HP notes, but they have happened. In one instance, chips fitted to third-party remanufactured cartridges (not HP Original consumables) were able to alter the printer-resident firmware without the knowledge or approval of either the customer or the hardware OEM. The malware was used to instruct the printer to no longer recognize otherwise-compatible cartridges from other manufacturers—including original OEM cartridges. Users of these devices had to download new firmware provided by the OEM vendor to remediate the changes made to the printer.

 

This bug-bounty program is the latest step in HP’s security lifecycle for its consumables. Indeed, HP incorporates security into every step of the design, supply chain, and production process of its consumables cartridges for office-class devices—including unalterable firmware resident on the cartridges’ control chips.

 

HP takes the security of its HP Original supplies seriously with safeguards through the entire lifecycle of the product.

 

HP recognizes that no code (even its own) is perfect, which is why it is looking for others to help uncover flaws. As part of this program, HP has engaged with Bugcrowd, a leading crowdsourced cybersecurity company, to conduct the three-month program. The four ethical hackers who have been chosen are challenged to identify vulnerabilities in the interfaces associated with the HP Original print cartridges. If any of the hackers are successful, HP will award up to $10,000 per vulnerability. Good luck and happy hunting to those participants. If flaws are found, they (along with all HP Original consumables customers) will benefit.

 
