Office printer and MFP consumables cartridges come equipped with embedded integrated circuit (IC) micro-controller chips that contain code used to communicate with the printer and perform essential functions. In 2018, HP was the first document imaging OEM to launch a public “bug bounty” program, where industry experts were rewarded to look for vulnerabilities in HP’s office-class printers and MFPs and report them to the copmany.
The aim was to initiate countermeasures before these problems were exploited. That initiative resulted in the unearthing of dozens of ‘bugs’ that could have been used to compromise print-device security – while HP quickly created firmware updates to eliminate those problems. HP has now become the first OEM to expand its program to include ink and toner cartridges.
According to Keypoint Intelligence, HP is challenging four professional ethical hackers to identify security vulnerabilities and risks that might be lurking in the firmware found in office-class (not consumer-level) HP original ink and HP original toner cartridges. Instances of cartridge-chip hacking are rare, HP notes, but it has indeed happened. In one instance, chips fitted to third-party re-manufactured cartridges (not HP Original consumables) were able to alter the printer-resident firmware without the knowledge or approval of the customer, nor the hardware OEM. The malware was used to instruct the printer to no longer recognize otherwise compatible cartridges from other manufactures – including original OEM cartridges. Users of these devices had to download new firmware provided by the OEM vendor to “re-mediate” the changes made to the printer. HP added that this bug-bounty program is latest step in HP’s security lifecycle for its consumables.
As part of this new program, HP engaged Bugcrowd, a leading crowd-sourced cybersecurity company, to conduct the three-month program. The four “ethical hackers” that have been chosen are challenged to identify vulnerabilities in the interfaces associated with the HP original print cartridges. If any of the hackers are successful, HP will award up to $10,000 per recognized vulnerability.