Unsurprisingly, Lores’ claim comes from HP-backed research. The company’s bug bounty program tasked researchers from Bugcrowd with determining if it’s possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.
As detailed in a 2022 article from research firm Actionable Intelligence, a researcher in the program found a way to hack a printer via a third-party ink cartridge. The researcher was reportedly unable to perform the same hack with an HP cartridge.
Shivaun Albright, HP’s chief technologist of print security, said at the time:
“A researcher found a vulnerability over the serial interface between the cartridge and the printer. Essentially, they found a buffer overflow. That’s where you have got an interface that you may not have tested or validated well enough, and the hacker was able to overflow into memory beyond the bounds of that particular buffer. And that gives them the ability to inject code into the device.”
This is a remarkable amount of effort and money to spend trying to demonstrate the “truth” of something which everyone involved was surely aware was bullshit from start to finish. I’m honestly at a loss to figure out what was the point, unless the point was “help me help I have too much money what am I gonna do with all this money.”
(I looked it up, and the bug bounty program awarded “up to” $10,000. So maybe they just made the guy sign an NDA then gave him $100 and said thanks for helping us with our lying sucker, now get lost.)
I personally love how they gave ink cartridges the ability to execute arbitrary code. Not like there are ways for them to have a signed hash or something that could do the same amount of validation, but actual code. That’s HP’s fuckup, not ours.
It wasn’t quite that; there was a buffer overflow in the code that was talking to the ink cartridge. So a malicious ink cartridge could in fact take over your printer. Of course, a web page you visit could in fact take over your browser and that’s a much more realistic threat vector, and somehow we’ve survived all this time without limiting ourselves to HP-sponsored and security-assured web pages with a healthy cut of profit going to HP from every visit.
This was 95ish. We were under strict orders not to confirm it. HP worked hard to keep it under wraps. Now layer on the fact the web was still in its infancy, you likely won’t find a whole lot about it.
They all have flaws, that’s ostensibly why they also provide firmware updates. I think it’s likely their software team even fixed the original flaw while their make more money team extended it into locking down products even more.
This is a remarkable amount of effort and money to spend trying to demonstrate the “truth” of something which everyone involved was surely aware was bullshit from start to finish.
See the Return to Office mandates and basically anything and everything corporate-mandated. CEOs have shown they don’t actually give a flying fuck what research tells them, they’ll go with their “gut instinct” every time when their gut instinct always boils down to “Fuck you, I’ve got mine, nevermind that I got it by stealing it from you.”
They’ll spend millions chasing thousands, they always do. The rich are only successful because of the wealth they can endlessly fall back on, the rest of us are completely fucked when we make the endless mistakes they make. It’s part of why they think they’re infallible, since their wealth insulates them from real consequences.
Yes. I suspect that when they say the printers are only vulnerable via third-party cartridges, they mean that obviously no genuine HP cartridge would contain malicious software, therefore any malicious cartridge is by definition third party, therefore the printers are only vulnerable via third-party cartridges.
This is a remarkable amount of effort and money to spend trying to demonstrate the “truth” of something which everyone involved was surely aware was bullshit from start to finish. I’m honestly at a loss to figure out what was the point, unless the point was “help me help I have too much money what am I gonna do with all this money.”
(I looked it up, and the bug bounty program awarded “up to” $10,000. So maybe they just made the guy sign an NDA then gave him $100 and said thanks for helping us with our lying sucker, now get lost.)
I personally love how they gave ink cartridges the ability to execute arbitrary code. Not like there are ways for them to have a signed hash or something that could do the same amount of validation, but actual code. That’s HP’s fuckup, not ours.
It wasn’t quite that; there was a buffer overflow in the code that was talking to the ink cartridge. So a malicious ink cartridge could in fact take over your printer. Of course, a web page you visit could in fact take over your browser and that’s a much more realistic threat vector, and somehow we’ve survived all this time without limiting ourselves to HP-sponsored and security-assured web pages with a healthy cut of profit going to HP from every visit.
So the flaw is in the printer or driver, and HP has just admitted to shipping an insecure, nay negligently dangerous, product to consumers?
In the 90s, they shipped recovery CDs with viruses baked in. Knowingly shipping destructive code and hardware is kinda HP’s thing.
I’ve not heard about this. Does anyone have a link to share? Can’t find one myself
This was 95ish. We were under strict orders not to confirm it. HP worked hard to keep it under wraps. Now layer on the fact the web was still in its infancy, you likely won’t find a whole lot about it.
They all have flaws, that’s ostensibly why they also provide firmware updates. I think it’s likely their software team even fixed the original flaw while their make more money team extended it into locking down products even more.
well that makes a bit more sense, thanks for clearing it up. Still stupid, but not as bad as I had been lead to believe.
See the Return to Office mandates and basically anything and everything corporate-mandated. CEOs have shown they don’t actually give a flying fuck what research tells them, they’ll go with their “gut instinct” every time when their gut instinct always boils down to “Fuck you, I’ve got mine, nevermind that I got it by stealing it from you.”
They’ll spend millions chasing thousands, they always do. The rich are only successful because of the wealth they can endlessly fall back on, the rest of us are completely fucked when we make the endless mistakes they make. It’s part of why they think they’re infallible, since their wealth insulates them from real consequences.
That sounds an awful lot like even their first party cartridges could be attack vectors.
Yes. I suspect that when they say the printers are only vulnerable via third-party cartridges, they mean that obviously no genuine HP cartridge would contain malicious software, therefore any malicious cartridge is by definition third party, therefore the printers are only vulnerable via third-party cartridges.
Well, at least he can explain technical stuff somewhat coherently.