His claims are quickly debunked in the article, as the true reason is, obviously, protecting their IP and subscription model

  • megopie@beehaw.org
    link
    fedilink
    arrow-up
    121
    ·
    edit-2
    11 months ago

    “ See ink cartridges can be vectors for viruses because they have chips in them.”

    “Why does a container of ink have chips in it?”

    “To make sure you don’t use third party ink cartridges”

    • BreakDecks@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      ·
      11 months ago

      The virus thing is bullshit, but inkjet cartridges usually have chips in them because the print head requires a digital controller. They aren’t generally just a container of ink.

      Now, using the need for a controller to add anti-consumer lockouts? That’s what we call malware.

      • megopie@beehaw.org
        link
        fedilink
        arrow-up
        1
        ·
        11 months ago

        Didn’t they remove the chips from inkjet cartridges during the chip shortage during the pandemic?

      • Doxin@yiffit.net
        link
        fedilink
        arrow-up
        1
        ·
        11 months ago

        By far most ink cartridges come without heads. The heads are mounted in the printer itself. Even if the head is on the cartridge the controller can still be in the printer.

  • AnonTwo@kbin.social
    link
    fedilink
    arrow-up
    44
    ·
    11 months ago

    So basically they’re protecting you from something that’s only possible, because of something they shouldn’t have done.

  • mozz@mbin.grits.dev
    link
    fedilink
    arrow-up
    35
    ·
    edit-2
    11 months ago

    Unsurprisingly, Lores’ claim comes from HP-backed research. The company’s bug bounty program tasked researchers from Bugcrowd with determining if it’s possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.

    As detailed in a 2022 article from research firm Actionable Intelligence, a researcher in the program found a way to hack a printer via a third-party ink cartridge. The researcher was reportedly unable to perform the same hack with an HP cartridge.

    Shivaun Albright, HP’s chief technologist of print security, said at the time:

    “A researcher found a vulnerability over the serial interface between the cartridge and the printer. Essentially, they found a buffer overflow. That’s where you have got an interface that you may not have tested or validated well enough, and the hacker was able to overflow into memory beyond the bounds of that particular buffer. And that gives them the ability to inject code into the device.”

    This is a remarkable amount of effort and money to spend trying to demonstrate the “truth” of something which everyone involved was surely aware was bullshit from start to finish. I’m honestly at a loss to figure out what was the point, unless the point was “help me help I have too much money what am I gonna do with all this money.”

    (I looked it up, and the bug bounty program awarded “up to” $10,000. So maybe they just made the guy sign an NDA then gave him $100 and said thanks for helping us with our lying sucker, now get lost.)

    • Scrubbles@poptalk.scrubbles.tech
      link
      fedilink
      English
      arrow-up
      33
      ·
      11 months ago

      I personally love how they gave ink cartridges the ability to execute arbitrary code. Not like there are ways for them to have a signed hash or something that could do the same amount of validation, but actual code. That’s HP’s fuckup, not ours.

      • mozz@mbin.grits.dev
        link
        fedilink
        arrow-up
        16
        ·
        11 months ago

        It wasn’t quite that; there was a buffer overflow in the code that was talking to the ink cartridge. So a malicious ink cartridge could in fact take over your printer. Of course, a web page you visit could in fact take over your browser and that’s a much more realistic threat vector, and somehow we’ve survived all this time without limiting ourselves to HP-sponsored and security-assured web pages with a healthy cut of profit going to HP from every visit.

        • Overzeetop@beehaw.org
          link
          fedilink
          arrow-up
          15
          ·
          11 months ago

          in the code that was talking to the ink cartridge.

          So the flaw is in the printer or driver, and HP has just admitted to shipping an insecure, nay negligently dangerous, product to consumers?

          • Banzai51@midwest.social
            link
            fedilink
            English
            arrow-up
            5
            ·
            11 months ago

            In the 90s, they shipped recovery CDs with viruses baked in. Knowingly shipping destructive code and hardware is kinda HP’s thing.

              • Banzai51@midwest.social
                link
                fedilink
                English
                arrow-up
                1
                ·
                11 months ago

                This was 95ish. We were under strict orders not to confirm it. HP worked hard to keep it under wraps. Now layer on the fact the web was still in its infancy, you likely won’t find a whole lot about it.

          • Bitrot@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            4
            ·
            11 months ago

            They all have flaws, that’s ostensibly why they also provide firmware updates. I think it’s likely their software team even fixed the original flaw while their make more money team extended it into locking down products even more.

    • Snot Flickerman@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      11
      ·
      edit-2
      11 months ago

      This is a remarkable amount of effort and money to spend trying to demonstrate the “truth” of something which everyone involved was surely aware was bullshit from start to finish.

      See the Return to Office mandates and basically anything and everything corporate-mandated. CEOs have shown they don’t actually give a flying fuck what research tells them, they’ll go with their “gut instinct” every time when their gut instinct always boils down to “Fuck you, I’ve got mine, nevermind that I got it by stealing it from you.”

      They’ll spend millions chasing thousands, they always do. The rich are only successful because of the wealth they can endlessly fall back on, the rest of us are completely fucked when we make the endless mistakes they make. It’s part of why they think they’re infallible, since their wealth insulates them from real consequences.

    • falsem@kbin.social
      link
      fedilink
      arrow-up
      6
      ·
      11 months ago

      That sounds an awful lot like even their first party cartridges could be attack vectors.

      • mozz@mbin.grits.dev
        link
        fedilink
        arrow-up
        8
        ·
        11 months ago

        Yes. I suspect that when they say the printers are only vulnerable via third-party cartridges, they mean that obviously no genuine HP cartridge would contain malicious software, therefore any malicious cartridge is by definition third party, therefore the printers are only vulnerable via third-party cartridges.

  • floofloof
    link
    fedilink
    English
    arrow-up
    24
    ·
    edit-2
    11 months ago

    Shivaun Albright, HP’s chief technologist of print security, said at the time:

    “A researcher found a vulnerability over the serial interface between the cartridge and the printer. Essentially, they found a buffer overflow. That’s where you have got an interface that you may not have tested or validated well enough, and the hacker was able to overflow into memory beyond the bounds of that particular buffer. And that gives them the ability to inject code into the device.”

    Albright added that the malware “remained on the printer in memory” after the cartridge was removed.

    So HP had a vulnerability in their printer’s firmware that allowed arbitrary cartridge code to become executable, and they’re trying to spin this so it doesn’t sound like their printers are at fault. Still sounds like a them problem.

  • Snot Flickerman@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    23
    ·
    11 months ago

    This has real “Home Taping is Killing Music” vibes.


    But god damn do these corporate vultures really think that we owe them something.

    No, this is a financial transaction. I am buying a product from you, and once I have paid you, I owe you nothing more. Endless attempts to make your business model endlessly extractive from your customer base just shows you have shitty business management skills and don’t know how to grow your business outside of nickel-and-diming people to death.

  • WasPentalive@beehaw.org
    link
    fedilink
    arrow-up
    13
    ·
    edit-2
    11 months ago

    The mad rush to sell the sizzle, not the steak.

    Wouldn’t it be nice to have one company create a simple printer that just prints. It does not have a local webpage. It does not monitor your ink supplies. It does not phone home. It uses ink from bottles sold inexpensivly.

    • progandy@feddit.de
      link
      fedilink
      arrow-up
      3
      ·
      11 months ago

      The last point does exist, those printers are just more expensive because they are no loss leaders and no ink sales are expected.

  • flatbield@beehaw.org
    link
    fedilink
    English
    arrow-up
    11
    ·
    edit-2
    11 months ago

    I guess it is HP think it is OK to brick your printer due to HP updates but using competing cartridges is just so dangerous. Typical.

    I never heard what happened to those bricked printers.

  • thefartographer@lemm.ee
    link
    fedilink
    arrow-up
    8
    arrow-down
    1
    ·
    11 months ago

    The only obvious solution to this new threat is to add certificates to their cartridge chips. And if you don’t use up your signed cartridges within the year that the cartridges had valid certificates, that’s really on you. Also, since we’re so worried about security on our ink cartridges, I’d like to be charged an extra $5 per cartridge if I’d like to register them with McAfee. /s

    Also, maybe HP should consider that putting words and images on dead trees is only being accelerated towards its grave by their greedy practices.

      • thefartographer@lemm.ee
        link
        fedilink
        arrow-up
        7
        ·
        11 months ago

        That feature will only be enabled after extensive “research” following the “Crushed Grandma Landfill Disaster of 2135.” A tragedy in which the massive landfill of unused ink cartridges shifts and engulfs an entire city block, crushing one grandmother to death.

          • thefartographer@lemm.ee
            link
            fedilink
            arrow-up
            6
            ·
            edit-2
            11 months ago

            I just tried so hard to stifle my laughter at work that I instead ended up wheeze-giggling and then loudly farting. Holy shit this comment makes me laugh way too hard, I almost want to print it out.

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    1
    ·
    11 months ago

    🤖 I’m a bot that provides automatic summaries for articles:

    Click here to see the summary

    Last Thursday, HP CEO Enrique Lores addressed the company’s controversial practice of bricking printers when users load them with third-party ink.

    That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.

    HP has issued firmware updates that block printers with such ink cartridges from printing, leading to the above lawsuit (PDF), which is seeking class-action certification.

    Still, because chips used in third-party ink cartridges are reprogrammable (their “code can be modified via a resetting tool right in the field,” according to Actionable Intelligence), they’re less secure, the company says.

    Further, there’s a sense from cybersecurity professionals that Ars spoke with that even if such a threat exists, it would take a high level of resources and skills, which are usually reserved for targeting high-profile victims.

    Realistically, the vast majority of individual consumers and businesses shouldn’t have serious concerns about ink cartridges being used to hack their machines.


    Saved 79% of original text.

  • DonQuixote@beehaw.org
    link
    fedilink
    arrow-up
    1
    ·
    11 months ago

    I still have a black spot on my lung from a rogue ink cartridge. That’s why HP wants to put theirs on prescription.