class action


HP CEO evokes James Bond-style hack via ink cartridges


Last Thursday, HP CEO Enrique Lores addressed the company’s controversial practice of bricking printers when users load them with third-party ink. Speaking to CNBC Television, he said, “We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network.”

That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.

Dynamic Security stops HP printers from functioning if an ink cartridge without an HP chip or HP electronic circuitry is installed. HP has issued firmware updates that block printers with such ink cartridges from printing, leading to the above lawsuit (PDF), which is seeking class-action certification. The suit alleges that HP printer customers were not made aware that printer firmware updates issued in late 2022 and early 2023 could result in printer features not working. The lawsuit seeks monetary damages and an injunction preventing HP from issuing printer updates that block ink cartridges without an HP chip.

But are hacked ink cartridges something we should actually be concerned about?

To investigate, I turned to Ars Technica Senior Security Editor Dan Goodin. He told me that he didn’t know of any attacks actively used in the wild that are capable of using a cartridge to infect a printer.

Goodin also put the question to Mastodon, and cybersecurity professionals, many with expertise in embedded-device hacking, were decidedly skeptical.

Another commenter, going by Graham Sutherland / Polynomial on Mastodon, referred to serial presence detect (SPD) electrically erasable programmable read-only memory (EEPROM), a form of flash memory used extensively in ink cartridges, saying:

I’ve seen and done some truly wacky hardware stuff in my life, including hiding data in SPD EEPROMs on memory DIMMs (and replacing them with microcontrollers for similar shenanigans), so believe me when I say that his claim is wildly implausible even in a lab setting, let alone in the wild, and let alone at any scale that impacts businesses or individuals rather than selected political actors.

HP’s evidence

Unsurprisingly, Lores’ claim comes from HP-backed research. The company’s bug bounty program tasked researchers from Bugcrowd with determining if it’s possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.

As detailed in a 2022 article from research firm Actionable Intelligence, a researcher in the program found a way to hack a printer via a third-party ink cartridge. The researcher was reportedly unable to perform the same hack with an HP cartridge.

Shivaun Albright, HP’s chief technologist of print security, said at the time:

A researcher found a vulnerability over the serial interface between the cartridge and the printer. Essentially, they found a buffer overflow. That’s where you have got an interface that you may not have tested or validated well enough, and the hacker was able to overflow into memory beyond the bounds of that particular buffer. And that gives them the ability to inject code into the device.

Albright added that the malware “remained on the printer in memory” after the cartridge was removed.
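The defect Albright describes is a length value supplied by the cartridge being trusted as a copy size. The following is an added example, not HP's firmware and not the Bugcrowd researcher's code: a bounds-checked parser for a hypothetical cartridge-to-printer serial frame, written from the printer's side. The frame layout (start marker, length byte, type byte, payload, XOR checksum), the 32-byte destination field and the sample frames are all constructed assumptions for illustration; the point is that the cartridge-supplied length is checked against the destination field and against the bytes actually received before it is ever used.

```c
/*
 * Added example (hypothetical frame format, not HP's protocol).
 *
 *   byte 0    : start marker 0x7E
 *   byte 1    : payload length N (0..255, supplied by the cartridge)
 *   byte 2    : record type
 *   bytes 3.. : N payload bytes
 *   last byte : XOR checksum over bytes 1..(2+N)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_START      0x7E
#define PAYLOAD_CAPACITY 32u   /* fixed-size field the payload is copied into */
#define HEADER_LEN       3u    /* start, length, type */

enum parse_status {
    PARSE_OK = 0,
    PARSE_ERR_TOO_SHORT,          /* fewer bytes than a minimal frame */
    PARSE_ERR_BAD_START,
    PARSE_ERR_LEN_EXCEEDS_FIELD,  /* declared length larger than the destination */
    PARSE_ERR_LENGTH_MISMATCH,    /* declared length disagrees with bytes received */
    PARSE_ERR_BAD_CHECKSUM
};

struct cartridge_record {
    uint8_t type;
    uint8_t len;
    uint8_t payload[PAYLOAD_CAPACITY];
};

/*
 * The defect pattern from the quote, for contrast only (kept as a comment so
 * it is never compiled): the cartridge's length byte becomes the copy size,
 * so a frame declaring len > PAYLOAD_CAPACITY writes past out->payload.
 *
 *   out->len = frame[1];
 *   memcpy(out->payload, &frame[3], out->len);
 */

static uint8_t xor_checksum(const uint8_t *p, size_t n)
{
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++) c ^= p[i];
    return c;
}

enum parse_status parse_cartridge_frame(const uint8_t *frame, size_t frame_len,
                                        struct cartridge_record *out)
{
    /* Do not read any field until start, length, type and checksum all fit. */
    if (frame_len < HEADER_LEN + 1)
        return PARSE_ERR_TOO_SHORT;
    if (frame[0] != FRAME_START)
        return PARSE_ERR_BAD_START;

    uint8_t declared = frame[1];

    /* The check whose absence turns a malformed frame into an
     * out-of-bounds write: bound the untrusted length by the destination. */
    if (declared > PAYLOAD_CAPACITY)
        return PARSE_ERR_LEN_EXCEEDS_FIELD;

    /* Also bound it by the input, so we never read past the received bytes. */
    if (frame_len != HEADER_LEN + (size_t)declared + 1)
        return PARSE_ERR_LENGTH_MISMATCH;

    /* Integrity check over length, type and payload. */
    if (xor_checksum(&frame[1], HEADER_LEN - 1 + declared) != frame[frame_len - 1])
        return PARSE_ERR_BAD_CHECKSUM;

    out->type = frame[2];
    out->len = declared;
    memcpy(out->payload, &frame[HEADER_LEN], declared);
    return PARSE_OK;
}

/* Convenience wrapper: parse into a scratch record and report the status. */
enum parse_status check_frame(const uint8_t *frame, size_t frame_len)
{
    struct cartridge_record rec;
    memset(&rec, 0, sizeof rec);
    return parse_cartridge_frame(frame, frame_len, &rec);
}

/* Constructed sample frames (not captured from any real cartridge). */
static const uint8_t SAMPLE_VALID[]        = {0x7E, 0x04, 0x10, 0x01, 0x02, 0x03, 0x04, 0x10};
static const uint8_t SAMPLE_OVERSIZED[]    = {0x7E, 0xC8, 0x10, 0x00};             /* claims 200 bytes */
static const uint8_t SAMPLE_TRUNCATED[]    = {0x7E, 0x08, 0x10, 0xAA, 0x00};       /* claims 8, carries 1 */
static const uint8_t SAMPLE_BAD_CHECKSUM[] = {0x7E, 0x04, 0x10, 0x01, 0x02, 0x03, 0x04, 0x11};

int main(void)
{
    printf("valid        -> %d\n", check_frame(SAMPLE_VALID, sizeof SAMPLE_VALID));
    printf("oversized    -> %d\n", check_frame(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED));
    printf("truncated    -> %d\n", check_frame(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("bad checksum -> %d\n", check_frame(SAMPLE_BAD_CHECKSUM, sizeof SAMPLE_BAD_CHECKSUM));
    return 0;
}
```

The order of the checks matters: the destination bound is tested before the received-length comparison, so a frame that declares an absurd length is rejected without any arithmetic on it, and the checksum is only computed over bytes already proven to be in range. A review of any firmware interface that accepts data from a replaceable component should be able to point at the equivalent of those two `if` statements.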

HP acknowledges that there’s no evidence of such a hack occurring in the wild. Still, because chips used in third-party ink cartridges are reprogrammable (their “code can be modified via a resetting tool right in the field,” according to Actionable Intelligence), they’re less secure, the company says. The chips are said to be programmable so that they can still work in printers after firmware updates.

HP also questions the security of third-party ink companies’ supply chains, especially compared to its own supply chain security, which is ISO/IEC-certified.

So HP did find a theoretical way for cartridges to be hacked, and it’s reasonable for the company to issue a bug bounty to identify such a risk. But its solution for this threat was announced before it showed there could be a threat. HP added ink cartridge security training to its bug bounty program in 2020, and the above research was released in 2022. HP started using Dynamic Security in 2016, ostensibly to solve the problem that it sought to prove exists years later.

Further, the cybersecurity professionals Ars spoke with share the sense that even if such a threat exists, exploiting it would take a high level of resources and skill, which are usually reserved for high-profile targets. Realistically, the vast majority of individual consumers and businesses shouldn’t have serious concerns about ink cartridges being used to hack their machines.



Vizio settles for $3M after saying 60 Hz TVs had 120 Hz “effective refresh rate”

Class action —

Vizio claimed backlight scanning made refresh rates seem twice as high.

A marketing image for Vizio's P-series Q9 TV.


Vizio has agreed to pay $3 million to settle a class-action lawsuit that alleged the company misled customers about the refresh rates of its TVs.

In 2018, a lawsuit [PDF], which was later certified as a class action, was filed against Vizio for advertising its 60 Hz and 120 Hz LCD TVs as having an “effective” refresh rate of 120 Hz and 240 Hz, respectively. Vizio was referring to its backlight scanning (or black frame insertion) feature, which it claimed made the TVs appear to operate at twice the refresh rate their panels are capable of. Vizio’s claims did not address the drawbacks of backlight scanning, which include reduced brightness and the potential for noticeable flicker. The lawsuit complained about Vizio’s language in marketing materials and user manuals.

The lawsuit read:

Vizio knows, or at the very least should know, that its televisions with 60Hz display panels have a refresh rate of 60 images per second and that backlight manipulation methods cannot and do not increase the effective Hz (refresh rate) of a television.

The lawsuit, filed in the Superior Court of California, County of Los Angeles, accused Vizio of using misleading tactics to persuade retailers to sell and recommend Vizio TVs. It accused Vizio of trying “to sell its lesser-quality product at a higher price and allowed Vizio to realize sales it may not have otherwise made if it were truthful regarding the performance capabilities of its televisions.”

Under the settlement terms [PDF] spotted by The Verge, people who bought a Vizio TV in California after April 30, 2014, can file a claim. They’ll receive $17 or up to $50 if the fund allows it. The individual payout may also be under $17 if the claims exceed the $3 million fund. Vizio will also pay attorney fees. People have until March 30 to submit their claims. The final approval hearing is scheduled for June 20.

Vizio also agreed to stop advertising its TVs with 120 and 240 Hz “effective” refresh rates but “will not be obligated to recall or modify labeling for any Vizio-branded television model that has already been sold or distributed to a third party,” according to the agreement. Further, the California-headquartered company will also offer affected customers a “service and limited warranty package conservatively valued at $25” per person.

Vizio, per the settlement, denies any wrongdoing. The company declined to comment on the settlement to Ars.

The settlement comes as tactics for fighting motion blur, like backlight scanning and frame interpolation (known for causing the “soap opera effect”), have been maligned for often making the viewing experience worse. LG and TCL have also faced class-action lawsuits for boosting refresh rate claims by saying that their motion blur-fighting techniques make it seem like their TVs are running at a higher refresh rate than possible. While the case against LG was dismissed, TCL settled for $2,900,000 [PDF].

Despite the criticisms, backlight scanning and motion smoothing remain on by default across countless TVs belonging to unsuspecting owners. Class-action cases like Vizio’s that end up costing OEMs money provide further incentive for them to at least stop using the feature as a way to superficially boost spec sheets.



Google agrees to settle Chrome incognito mode class action lawsuit

Not as private as you thought —

2020 lawsuit accused Google of tracking incognito activity, tying it to users’ profiles.


Google has indicated that it is ready to settle a class-action lawsuit filed in 2020 over its Chrome browser’s Incognito mode. Arising in the Northern District of California, the lawsuit accused Google of continuing to “track, collect, and identify [users’] browsing data in real time” even when they had opened a new Incognito window.

The lawsuit, filed by Florida resident William Byatt and California residents Chasom Brown and Maria Nguyen, accused Google of violating wiretap laws. It also alleged that sites using Google Analytics or Ad Manager collected information from browsers in Incognito mode, including web page content, device data, and IP address. The plaintiffs also accused Google of taking Chrome users’ private browsing activity and then associating it with their already-existing user profiles.

Google initially attempted to have the lawsuit dismissed by pointing to the message displayed when users turn on Chrome’s Incognito mode. That warning tells users that their activity “might still be visible to websites you visit.”

Judge Yvonne Gonzalez Rogers rejected Google’s bid for summary judgment in August, pointing out that Google never revealed to its users that data collection continued even while surfing in Incognito mode.

“Google’s motion hinges on the idea that plaintiffs consented to Google collecting their data while they were browsing in private mode,” Rogers ruled. “Because Google never explicitly told users that it does so, the Court cannot find as a matter of law that users explicitly consented to the at-issue data collection.”

According to the notice filed on Tuesday, Google and the plaintiffs have agreed to terms that will result in the litigation being dismissed. The agreement will be presented to the court by the end of January, with the court giving final approval by the end of February.
