[ad_1]
Final Thursday, HP CEO Enrique Lores addressed the corporate’s controversial observe of bricking printers when customers load them with third-party ink. Talking to CNBC Tv, he stated, “We’ve seen that you could embed viruses within the cartridges. By the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the community.”
That scary situation might assist clarify why HP, which was hit this month with one other lawsuit over its Dynamic Safety system, insists on deploying it to printers.
To analyze, I turned to Ars Technica senior safety editor Dan Goodin. He informed me that he did not know of any assaults actively used within the wild which are able to utilizing a cartridge to contaminate a printer.
Goodin additionally put the query to Mastodon, and cybersecurity professionals, many with experience in embedded-device hacking, had been decidedly skeptical.
HP’s Proof
Unsurprisingly, Lores’ declare comes from HP-backed analysis. The corporate’s bug bounty program tasked researchers from Bugcrowd with figuring out if it is attainable to make use of an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, that are used to speak with the printer, might be an entryway for assaults.
As detailed in a 2022 article from analysis agency Actionable Intelligence, a researcher in this system discovered a option to hack a printer through a third-party ink cartridge. The researcher was reportedly unable to carry out the identical hack with an HP cartridge.
Shivaun Albright, HP’s chief technologist of print safety, stated on the time:
Albright added that the malware “remained on the printer in reminiscence” after the cartridge was eliminated.
HP acknowledges that there is not any proof of such a hack occurring within the wild. Nonetheless, as a result of chips utilized in third-party ink cartridges are reprogrammable (their “code will be modified through a resetting device proper within the area,” in keeping with Actionable Intelligence), they’re much less safe, the corporate says. The chips are stated to be programmable in order that they’ll nonetheless work in printers after firmware updates.
HP additionally questions the safety of third-party ink corporations’ provide chains, particularly in comparison with its personal provide chain safety, which is ISO/IEC-certified.
So HP did discover a theoretical method for cartridges to be hacked, and it is affordable for the corporate to challenge a bug bounty to determine such a danger. However its resolution for this risk was introduced earlier than it confirmed there might be a risk. HP added ink cartridge safety coaching to its bug bounty program in 2020, and the above analysis was launched in 2022. HP began utilizing Dynamic Safety in 2016, ostensibly to unravel the issue that it sought to show exists years later.
[ad_2]
Source link