The company releases micro-updates that block the use of third-party cartridges on its printers, which usually cost significantly less than the original ones.
“We have seen that viruses can be embedded in the cartridge. Through the cartridge, the virus can get to the printer, and then from the printer to the network,” HP CEO Enrique Lores said in an interview with CNBC Television.
The company seems to be considering this scenario as one of the reasons why it blocks printers that use third-party cartridges. The practices of the company, called Dynamic Security, have already led to lawsuits, with customers complaining that they were not informed that the update could disable the printer. The suit also seeks monetary damages, as well as an injunction against HP from issuing similar security updates.
Should I worry about the potential for broken ink cartridges?
Ars Technica senior security editor Dan Goodin says he hasn’t heard of any such attacks, as do cyber experts in his Mastodon thread.
Interestingly, Lores’ claim comes from research funded by HP itself. As part of the Bug Bounty program, the company tasked researchers with determining whether the microcontroller chips in the ink cartridges, which are used to communicate with the printer, could become an entry point for attacks.
As described in a 2022 article by Actionable Intelligence, a researcher found a way to hack a printer using a third-party cartridge and was unable to perform the same hack with an HP cartridge. Shivan Albright, HP’s chief print security technologist, said the malware “remained on the printer in memory” after the cartridge was removed.
At the same time, HP admits that there is no evidence that such a hack ever took place. But because the chips used in third-party ink cartridges can be reprogrammed, they are less secure, the company says. HP also questions the security of third-party ink supply chains, especially compared to the security of its own ISO/IEC certified supply chain.
Furthermore, cybersecurity experts interviewed by Ars Technica believe that even if such a threat exists, it would require a high level of resources and skills that are usually reserved for targeting high-profile victims. Simply put, most ordinary consumers and businesses should not seriously worry about ink cartridges being used to hack their computers.
When HP first announced Dynamic Security in 2016, it claimed the feature would provide a “better consumer experience” and protect customers from cartridges that “infringe our IP.” Eight years and a few unexpected micro-updates later, the former seems to have fallen by the wayside.
Print by subscription
Cartridges are an important business for HP, which also faces declining printing needs in an increasingly digital world. In its fiscal 2023 earnings report, the company said its printing business accounted for 32% of net revenue and 57% of operating profit of $1.5 billion. HP’s printing division’s operating margin rose from 14% in fiscal 2016 to 18.9 % in fiscal year 2023.
“Our long-term goal is to launch subscription printing. That’s really what we’ve been going for,” Lores told CNBC Television.
For years, HP has focused on promoting its monthly Instant Ink subscription program. In December, HP CFO Marie Myers noted that such subscription models could deliver “a 20% increase in customer value.” In its latest financial report, HP cited Instant Ink as one of its “key growth areas.”