Last Thursday, HP CEO Enrique Lores addressed the company’s controversial practice of bricking printers when users load them with third-party ink. Speaking to CNBC Television, he said, “We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network.”
That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.
To investigate, I turned to Ars Technica senior security editor Dan Goodin. He told me that he didn’t know of any attacks actively used in the wild that are capable of using a cartridge to infect a printer.
Goodin also put the question to Mastodon, and cybersecurity professionals, many with expertise in embedded-device hacking, were decidedly skeptical.
HP’s Evidence
Unsurprisingly, Lores’ claim comes from HP-backed research. The company’s bug bounty program tasked researchers from Bugcrowd with determining if it’s possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.
As detailed in a 2022 article from research firm Actionable Intelligence, a researcher in the program found a way to hack a printer via a third-party ink cartridge. The researcher was reportedly unable to perform the same hack with an HP cartridge.
Shivaun Albright, HP’s chief technologist of print security, said at the time:
A researcher found a vulnerability over the serial interface between the cartridge and the printer. Essentially, they found a buffer overflow. That’s where you have got an interface that you may not have tested or validated well enough, and the hacker was able to overflow into memory beyond the bounds of that particular buffer. And that gives them the ability to inject code into the device.
Albright added that the malware “remained on the printer in memory” after the cartridge was removed.
HP acknowledges that there’s no evidence of such a hack occurring in the wild. Still, because chips used in third-party ink cartridges are reprogrammable (their “code can be modified via a resetting tool right in the field,” according to Actionable Intelligence), they’re less secure, the company says. The chips are said to be programmable so that they can still work in printers after firmware updates.
HP also questions the security of third-party ink companies’ supply chains, especially compared to its own supply chain security, which is ISO/IEC-certified.
So HP did find a theoretical way for cartridges to be hacked, and it’s reasonable for the company to issue a bug bounty to identify such a risk. But its solution for this threat was announced before it showed there could be a threat. HP added ink cartridge security training to its bug bounty program in 2020, and the above research was released in 2022. HP started using Dynamic Security in 2016, ostensibly to solve the problem that it sought to prove exists years later.
Further, there’s a sense from cybersecurity professionals that Ars spoke with that even if such a threat exists, it would take a high level of resources and skills, which are usually reserved for targeting high-profile victims. Realistically, the vast majority of individual consumers and businesses shouldn’t have serious concerns about ink cartridges being used to hack their machines.
Whose Job Is It to Make HP Printers Secure?
With Dynamic Security, HP claims to be providing a response to cyberthreats against ink cartridges. But its response is to inconvenience customers rather than beef up HP printers to be invulnerable to remote code execution via ink cartridges.
In response to Bugcrowd’s research, HP issued a security update in 2022. Despite this, Albright claimed at the time that it still wasn’t safe for customers to use third-party ink because HP could “never guarantee that every interface with a non-HP cartridge on our device will be free of bugs and security vulnerabilities.”
Even if it’s theoretically possible for hackers to leverage ink cartridges, it’s a minimal concern, and there are far more pressing security threats to printers than third-party ink. Many easier ways exist for a diligent hacker to get into a printer user’s network, including by exploiting unfixed software vulnerabilities.
Further, with HP firmware updates becoming associated with printers suddenly not working, we’ve seen reports of users avoiding printer updates and encouraging others to do the same, which could result in users rejecting important security updates.
An HP spokesperson declined to comment on these matters.
The Real Focus: Protecting IP
Lores’ initial response to CNBC Television’s question about the lawsuit may be telling. The CEO responded to dictated consumer complaints by highlighting HP’s own needs:
It’s important to protect our IP. There is a lot of IP that we build in the inks of the printers, in the printers themselves … And what we’re doing is, when we identify cartridges that are violating our IP, we stop the printer from work[ing].
When HP first announced Dynamic Security in 2016, it claimed that the feature would deliver “the best consumer experience” and protect customers from cartridges “that infringe on our IP.” Eight years and several abrupt firmware updates later, the former seems like it has taken a backseat to the latter.
Lores told CNBC Television that non-HP ink can create “all sort[s] of issues,” saying that printers may stop working if a customer uses ink that is not “designed” to work with HP printers.
Of course, third-party ink manufacturers would have you believe that their ink is meant to work with the printer brands on its products’ boxes. But depending on the quality of the product, you might find inconsistent results with third-party ink cartridges.
While brand recognition and reliability could be good reasons for someone to opt for an HP-brand cartridge over a third party’s, such decisions are typically left to customers, not forced via firmware updates. Companies like HP can expect to be rewarded for superior products, support, and warranties, but customers who would rather risk quality to save money would prefer to have options.
HP Wants Printing to Be a Subscription
It’s clear that HP’s tactics are meant to coax HP printer owners into committing to HP ink, which helps the company drive recurring revenue and makes up for money lost when the printers are sold. Lores confirmed in his interview that HP loses money when it sells a printer and makes money through supplies.
But HP’s ambitions don’t end there. It envisions a world where all of its printer customers also subscribe to an HP program offering ink and other printer-related services. “Our long-term objective is to make printing a subscription. This is really what we have been driving,” Lores said.
HP has been largely focused on pushing its monthly ink subscription program, Instant Ink, over the years. In December, HP CFO Marie Myers noted that subscription models like Instant Ink can bring “20 percent uplift on the value of that customer because you’re locking that person” in. In its most recent financial report, HP named Instant Ink one of its “key growth areas.”
When asked about concerns that HP is driving up the price of printer ink, Lores told CNBC Television, “This is part of the business model that has been developed over time,” noting that HP printer boxes disclose which printers use Dynamic Security. HP’s website also notes which printers use Dynamic Security.
But even if you have that information, it’s unclear whether an HP printer will immediately work with third-party ink. HP sells printers that work with third-party ink now, but the company says it may update them in the future to “block cartridges using a non-HP chip or modified or non-HP circuitry from working in the printer, including cartridges that work today.”
Who’s Investing in Whom?
HP has faced numerous lawsuits in relation to blocking device functionality due to third-party ink and has paid out millions as a result. So why is it still continuing down this road? That might be partially explained by the company’s perspective on the vendor-customer relationship.
When people buy an HP printer, they consider it an investment. But HP thinks that when you buy a printer, the company is investing in you.
As Lores put it:
This is something we announced a few years ago that our goal was to reduce the number of what we call unprofitable customers. Because every time a customer buys a printer, it’s an investment for us. We’re investing [in] that customer, and if this customer doesn’t print enough or doesn’t use our supplies, it’s a bad investment.
HP expects customers who already gave it money for a printer to continue paying the company for years. HP customers expect their purchase to pay off in the long term without stipulations on ink branding. If HP can’t find a way to make printer customers feel like their purchase is a benefit rather than a commitment to giving HP money regularly, people may eventually stop thinking that HP printers are a worthy investment.
When reached for comment, an HP spokesperson told Ars, in part, that HP “offers a wide range of printing products and solutions for customers to choose from, including Instant Ink” and “regularly” expands its offerings “to create more value” for customers.
You can watch CNBC Television’s interview below:
This story originally appeared on Ars Technica.