printers


HP wants you to pay up to $36/month to rent a printer that it monitors

[Image: The HP Envy 6020e is one of the printers available for rent.]

HP launched a subscription service today that rents people a printer, allots them a specific amount of printed pages, and sends them ink for a monthly fee. HP is framing its service as a way to simplify printing for families and small businesses, but the deal also comes with monitoring and a years-long commitment.

Prices start at $6.99 per month for a plan that includes an HP Envy printer (the current model is the 6020e) and 20 printed pages. The priciest plan includes an HP OfficeJet Pro rental and 700 printed pages for $35.99 per month.

HP says it will provide subscribers with ink deliveries when they’re running low and 24/7 support via phone or chat (although it’s dubious how much you want to rely on HP support). Support doesn’t include onsite or offsite repairs or part replacements. The subscription’s terms of service (TOS) note that the service doesn’t cover damage or failure caused by, unsurprisingly, “use of non-HP media supplies and other products” or by using your printer more than your plan calls for.

HP is watching

HP calls this an All-In-Plan; if you subscribe, the tech company will be all in on your printing activities.

One of the most perturbing aspects of the subscription plan is that it requires subscribers to keep their printers connected to the Internet. In general, some users avoid connecting their printer to the Internet because it’s the type of device that functions fine without web access.

A web connection can also raise concerns about security or about HP-issued firmware updates that make printers stop functioning with non-HP ink.

But HP enforces an Internet connection by having its TOS also state that HP may disrupt the service—and continue to charge you for it—if your printer’s not online.

HP says it enforces a constant connection so that the company can monitor things that make sense for the subscription, like ink cartridge statuses, page count, and “to prevent unauthorized use of Your account.” However, HP will also remotely monitor the type of documents (for example, a PDF or JPEG) printed, the devices and software used to initiate the print job, “peripheral devices,” and any other “metrics” that HP thinks are related to the subscription and decides to add to its remote monitoring.

The All-In-Plan privacy policy also says that HP may “transfer information about you to advertising partners” so that they can “recognize your devices,” perform targeted advertising, and, potentially, “combine information about you with information from other companies in data sharing cooperatives” that HP participates in. The policy says that users can opt out of sharing personal data.

The All-In-Plan TOS reads:

Subject to the terms of this Agreement, You hereby grant to HP a non-exclusive, worldwide, royalty-free right to use, copy, store, transmit, modify, create derivative works of and display Your non-personal data for its business purposes.


HP CEO evokes James Bond-style hack via ink cartridges


Last Thursday, HP CEO Enrique Lores addressed the company’s controversial practice of bricking printers when users load them with third-party ink. Speaking to CNBC Television, he said, “We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network.”

That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.

Dynamic Security stops HP printers from functioning if an ink cartridge without an HP chip or HP electronic circuitry is installed. HP has issued firmware updates that block printers with such ink cartridges from printing, leading to the above lawsuit (PDF), which is seeking class-action certification. The suit alleges that HP printer customers were not made aware that printer firmware updates issued in late 2022 and early 2023 could result in printer features not working. The lawsuit seeks monetary damages and an injunction preventing HP from issuing printer updates that block ink cartridges without an HP chip.

But are hacked ink cartridges something we should actually be concerned about?

To investigate, I turned to Ars Technica Senior Security Editor Dan Goodin. He told me that he didn’t know of any attacks actively used in the wild that are capable of using a cartridge to infect a printer.

Goodin also put the question to Mastodon, and cybersecurity professionals, many with expertise in embedded-device hacking, were decidedly skeptical.

Another commenter, going by Graham Sutherland / Polynomial on Mastodon, referred to serial presence detect (SPD) electrically erasable programmable read-only memory (EEPROM), a form of flash memory used extensively in ink cartridges, saying:

I’ve seen and done some truly wacky hardware stuff in my life, including hiding data in SPD EEPROMs on memory DIMMs (and replacing them with microcontrollers for similar shenanigans), so believe me when I say that his claim is wildly implausible even in a lab setting, let alone in the wild, and let alone at any scale that impacts businesses or individuals rather than selected political actors.

HP’s evidence

Unsurprisingly, Lores’ claim comes from HP-backed research. The company’s bug bounty program tasked researchers from Bugcrowd with determining if it’s possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.

As detailed in a 2022 article from research firm Actionable Intelligence, a researcher in the program found a way to hack a printer via a third-party ink cartridge. The researcher was reportedly unable to perform the same hack with an HP cartridge.

Shivaun Albright, HP’s chief technologist of print security, said at the time:

A researcher found a vulnerability over the serial interface between the cartridge and the printer. Essentially, they found a buffer overflow. That’s where you have got an interface that you may not have tested or validated well enough, and the hacker was able to overflow into memory beyond the bounds of that particular buffer. And that gives them the ability to inject code into the device.

Albright added that the malware “remained on the printer in memory” after the cartridge was removed.

HP acknowledges that there’s no evidence of such a hack occurring in the wild. Still, because chips used in third-party ink cartridges are reprogrammable (their “code can be modified via a resetting tool right in the field,” according to Actionable Intelligence), they’re less secure, the company says. The chips are said to be programmable so that they can still work in printers after firmware updates.

HP also questions the security of third-party ink companies’ supply chains, especially compared to its own supply chain security, which is ISO/IEC-certified.

So HP did find a theoretical way for cartridges to be hacked, and it’s reasonable for the company to issue a bug bounty to identify such a risk. But its solution for this threat was announced before it showed there could be a threat. HP added ink cartridge security training to its bug bounty program in 2020, and the above research was released in 2022. HP started using Dynamic Security in 2016, ostensibly to solve the problem that it sought to prove exists years later.

Further, there’s a sense from cybersecurity professionals that Ars spoke with that even if such a threat exists, it would take a high level of resources and skills, which are usually reserved for targeting high-profile victims. Realistically, the vast majority of individual consumers and businesses shouldn’t have serious concerns about ink cartridges being used to hack their machines.


Microsoft releases downloadable tool to fix phantom HP printer installations


Windows 10 and 11 users noticed this bug earlier this month.

[Image: The HP LaserJet M106w is one of the printer models that is mysteriously appearing for some users in Windows 10 and 11. Credit: HP]

Earlier this month, Microsoft disclosed an odd printer bug that was affecting some users of Windows 10, Windows 11, and various Windows Server products. Affected PCs were seeing an HP printer installed, usually an HP LaserJet M101-M106, even when they weren’t actually using any kind of HP printer. This bug could overwrite the settings for whatever printer the user actually did have installed and also prompted the installation of an HP Smart printer app from the Microsoft Store.

Microsoft still hasn’t shared the root cause of the problem, though it did make it clear that the problem wasn’t HP’s fault. Now, the company has released a fix for anyone whose PC was affected by the bug, though as of this writing, it requires users to download and run a dedicated troubleshooting tool available from Microsoft’s support site.

The December 2023 Microsoft Printer Metadata Troubleshooter Tool is available for all affected Windows versions, and it will remove all references to the phantom HP LaserJet model (as long as you don’t have one installed, anyway). The tool will also remove the HP Smart app as long as you don’t have an HP printer attached and the app was installed after November 25, presumably the date that the bug began affecting systems. These steps should fix the issue for anyone without an HP printer without breaking anything for people who do use HP printers.

There are four different versions of the troubleshooter, depending on whether you have the 32- or 64-bit version of an Arm or x86 version of Windows. Microsoft will also release an additional recommended troubleshooting tool “in the coming weeks” that will fix the problem in Windows 11 upon a user’s request without requiring the download of a separate tool.

Microsoft has said that, despite the renaming and the download of the HP Smart tool, most basic printing functionality should continue to work as intended for users affected by the problem. But if your printer relies on its own external app to provide additional settings or extra functionality, you’ll need to run the troubleshooting tool (or manually uninstall the phantom HP printer and reinstall your own printer) to get things working properly again.
