Remaining Thursday, HP CEO Enrique Lores addressed the corporate’s debatable follow of bricking printers when customers load them with third-party ink. Chatting with CNBC Tv, he stated, “We now have noticed that you’ll embed viruses within the cartridges. During the cartridge, [the virus can] pass to the printer, [and then] from the printer, pass to the community.”

That scary state of affairs may lend a hand give an explanation for why HP, which was once hit this month with every other lawsuit over its Dynamic Safety device, insists on deploying it to printers.

Dynamic Safety stops HP printers from functioning if an ink cartridge with out an HP chip or HP digital circuitry is put in. HP has issued firmware updates that block printers with such ink cartridges from printing, resulting in the above lawsuit (PDF), which is looking for class-action certification. The go well with alleges that HP printer consumers weren’t made conscious that printer firmware updates issued in past due 2022 and early 2023 may lead to printer options now not operating. The lawsuit seeks financial damages and an injunction combating HP from issuing printer updates that block ink cartridges with out an HP chip.

However are hacked ink cartridges one thing we will have to in fact be interested in?

To analyze, I became to Ars Technica Senior Safety Editor Dan Goodin. He advised me that he did not know of any assaults actively used within the wild which might be able to the use of a cartridge to contaminate a printer.

Goodin additionally put the query to Mastodon, and cybersecurity pros, many with experience in embedded-device hacking, had been decidedly skeptical.

Every other commenter, going by way of Graham Sutherland / Polynomial on Mastodon, referred to serial presence discover (SPD) electrically erasable programmable read-only reminiscence (EEPROM), a type of flash reminiscence used widely in ink cartridges, announcing:

I have noticed and executed some actually wacky {hardware} stuff in my lifestyles, together with hiding knowledge in SPD EEPROMs on reminiscence DIMMs (and changing them with microcontrollers for identical shenanigans), so imagine me after I say that his declare is wildly fantastic even in a lab environment, let by myself within the wild, and let by myself at any scale that affects companies or people slightly than decided on political actors.

HP’s proof

Unsurprisingly, Lores’ declare comes from HP-backed analysis. The corporate’s worm bounty program tasked researchers from Bugcrowd with figuring out if it is conceivable to make use of an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which can be used to keep in touch with the printer, may well be an entryway for assaults.

As detailed in a 2022 article from analysis company Actionable Intelligence, a researcher in this system discovered a option to hack a printer by way of a third-party ink cartridge. The researcher was once reportedly not able to accomplish the similar hack with an HP cartridge.

Shivaun Albright, HP’s leader technologist of print safety, stated on the time:

A researcher discovered a vulnerability over the serial interface between the cartridge and the printer. Necessarily, they discovered a buffer overflow. That’s the place you’ve got an interface which you can now not have examined or validated smartly sufficient, and the hacker was once ready to overflow into reminiscence past the limits of that specific buffer. And that provides them the power to inject code into the machine.

Albright added that the malware “remained at the printer in reminiscence” after the cartridge was once got rid of.

HP recognizes that there is not any proof of the sort of hack happening within the wild. Nonetheless, as a result of chips utilized in third-party ink cartridges are reprogrammable (their “code will also be changed by way of a resetting software proper within the box,” in line with Actionable Intelligence), they’re much less safe, the corporate says. The chips are stated to be programmable in order that they are able to nonetheless paintings in printers after firmware updates.

HP additionally questions the protection of third-party ink firms’ provide chains, particularly in comparison to its personal provide chain safety, which is ISO/IEC-certified.

So HP did discover a theoretical means for cartridges to be hacked, and it is cheap for the corporate to factor a worm bounty to spot the sort of chance. However its resolution for this danger was once introduced ahead of it confirmed there can be a danger. HP added ink cartridge safety coaching to its worm bounty program in 2020, and the above analysis was once launched in 2022. HP began the use of Dynamic Safety in 2016, ostensibly to resolve the issue that it sought to turn out exists years later.

Additional, there is a sense from cybersecurity pros that Ars spoke with that even supposing the sort of danger exists, it could take a excessive degree of assets and talents, which can be typically reserved for focused on high-profile sufferers. Realistically, nearly all of person customers and companies do not need severe considerations about ink cartridges getting used to hack their machines.