HP Issues Flimsy Mea Culpa For Recent Printer Cartridge DRM Idiocy, But It's Not Enough

from the not-helping dept

A few weeks ago we noted how HP had effectively delivered a DRM time bomb in the form of a software update that, once detonated, crippled customers’ ability to use competing third-party print cartridges in HP printers. While such ham-fisted behavior certainly isn’t new, in this case HP had actually first deployed the “security update” to its printers back in March — but didn’t activate its stealthy payload until last month. Once activated, the software update prevented HP printers from even detecting alternative ink cartridges, resulting in owners getting a rotating crop of error messages about faulty cartridges.

HP customers were obviously annoyed, and the EFF was quick to pen an open letter to HP, quite correctly noting that HP abused its security update mechanism to trick its customers and actively erode product functionality. Ultimately HP was forced to respond via a blog post proclaiming the company was just “dedicated to the best printing experience” and wanted to correct some “confusion” about its DRM sneak attack. In short, HP strongly implied it was just trying to protect consumers from “potential security risks” (what sweethearts):

“HP printers and original HP ink products deliver the best quality, security and reliability. When ink cartridges are cloned or counterfeited, the customer is exposed to quality and potential security risks, compromising the printing experience. As is standard in the printing business, we have a process for authenticating supplies. The most recent firmware update included a dynamic security feature that prevented some untested third-party cartridges that use cloned security chips from working, even if they had previously functioned.”

And while HP ultimately said it would deploy an “optional firmware update” in a few weeks, the mea culpa is filled with the usual assortment of garbled half-truths — including HP patting itself on the back for being ultra-transparent and proactive after its customers began brandishing pitchforks. The EFF is fortunately attempting to hold HP’s feet to the fire, urging the company to more fully disclose just how many printers were impacted, detail how it intends to inform users about the update, and stop undermining its customers’ confidence in the security update process:

“HP needs to promise never to use a security update to take away features again. There’s hundreds of millions of inkjet printers out there, and they’re vulnerable to malicious software that can conscript them into jaw-dropping internet attacks. Whether or not you own an HP printer, you have a stake in HP’s printers being swiftly updated when bugs are discovered in them. That means that HP must not give customers a reason to worry that the next “security update” is yet another self-destruct mechanism aimed at protecting the security of HP’s cartridge division, rather than the security of our printers, to which we supply our credit card details, Social Security Numbers and personal photos.”

The EFF is also urging annoyed customers to sign this petition, which currently has 12,400 signatures and counting.

Companies: hp


Comments on “HP Issues Flimsy Mea Culpa For Recent Printer Cartridge DRM Idiocy, But It's Not Enough”

43 Comments
Ninja (profile) says:

“including HP patting itself on the back for being ultra-transparent and proactive after its customers began brandishing pitchforks”

Still, the damage has been done. No more firmware updates before it’s well tested for me. If HP did it, what prevents others from doing the same? Microsoft has paved the road too. I was reluctant to fully ditch Windows because of the hassle. Their abuse of the update system in the W10 upgrade fiasco has provided me with enough incentive.

Anonymous Coward says:

“HP printers and original HP ink products deliver the best quality, security and reliability. When ink cartridges are cloned or counterfeited, the customer is exposed to quality and potential security risks, compromising the printing experience.”

… so we are going to beat all those assholes to the punch and MAKE SURE you WILL NOT have a quality printing experience.

I.T. Guy says:

It’s simple… just buy another printer brand. Even a 20 dollar printer these days is enough for most.

A while back I bought an HP photo printer. I was into photography back then. The printer quality was terrific. It cost 350.00 and lasted for 377 days with minimal printing.

Needless to say my Brother printer has been running strong for 6 years now and has gone through maybe 3 carts including the original.

I wouldn’t take an HP printer for free.

Thad (user link) says:

Re: Re:

I’ve always thought of Brother as a cheap and inferior brand but I’m hearing a lot of recommendations for them lately. I’ll definitely look into them if my current printer dies on me.

I do have an HP printer, but it’s a B&W laser, not an inkjet. Still, it might be a good idea to set up a firewall rule to prevent it from connecting to the Internet, just in case.

JBDragon (profile) says:

Re: Re:

I have a Brother Laser Jet and it has ZERO DRM crap on it. It’s easy to reset the toner cartridge. Hell it only took a cheap kit to convert the demo toner cartridge into a full normal cartridge which was simple, as it’s a snap to fill it up with new toner. The toner and drum can also come apart if you need to replace either making costs cheaper.

Best of all it can sit for weeks and then start printing out perfect pages. These other brands with chips on them blow!!!

Thad (user link) says:

Re: Re:

You apparently haven’t sworn off the Internet, so this affects you.

When people stop trusting security updates, they’ll stop installing security updates.

When vulnerable network-connected hardware goes unpatched, it gets compromised.

You don’t have to own an HP printer to be impacted by a vulnerability in HP printers. This is the era of the botnet, and that affects everybody.

That One Guy (profile) says:

Re: Re: Re:2 Re:

Define ‘friendly’. I’ve actually been considering putting together a new computer as a backup/game rig and given the other choices (Microsoft Big Brother Edition and Apple Nope) looked into Linux a bit, with the two biggest stumbling blocks at the moment being ‘totally new OS to learn’ (or whatever you would call it, given the various ‘flavors’), and ‘reputation for not being very game friendly’ being the ones that come to mind.

Thad (user link) says:

Re: Re: Re:3 Re:

Well, the learning curve shouldn’t be too bad as Mint looks pretty Windows-like out of the box. (There are two default desktop environments to choose from, Cinnamon and MATE; I prefer MATE but would probably recommend Cinnamon to a new user. Cinnamon’s newer and better optimized for HiDPI, multi-monitor support, and other such modern niceties, while MATE is based on an older codebase and is more configurable.)

As far as game compatibility, well, that depends. AAA titles still don’t usually get Linux releases, though there are exceptions (Firaxis has been great; XCOM2 got a simultaneous launch on Windows, OSX, and Linux, and so will Civ 6). If emulators and indie games are more your thing, on the other hand, you’ll be well taken care of. I recently played through Axiom Verge and thought it was fantastic.

For games that have top-of-the-line graphics, you’ll get degraded performance on Linux compared to Windows; OpenGL just plain doesn’t perform as well as DirectX. This will hopefully change in the next couple of years as Vulkan takes over from OGL, but it’s not very well-supported yet. But while OGL lags at the bleeding edge, it’s fine for midrange games.

Anonymous Coward says:

Re: Re: Re:3 Re:

The best way to figure out which distribution, and which desktop environment to use is to try them out with a live media version of various distributions. Almost all ISOs will run off a thumb drive, and you can attach the ISO file to a virtual machine to install it. You can also give them a more thorough try out using virtual box, or an old XP machine should you have one.
Unless your Internet is capped, or has excess data charges, it costs nothing more than time to try out various flavors of Linux, and try out is the best way of discovering what Linux is about, and which flavor best suits your tastes and software needs.

James Burkhardt (profile) says:

Re: Re:

You ever connect to a friend’s WiFi using your phone or Laptop? Ever connect to free wifi at your local coffee shop? There are plenty of places where you could connect to Wifi that MIGHT have a Brother printer on it, and therefore put you at risk. That’s before considering the Botnet problems Thad pointed out.

James Burkhardt (profile) says:

Re: Re:

I second this.

Is this an active malware vector? Do they have examples of it in the wild? Why haven’t news networks jumped at the fear-mongering that would entail? Why didn’t HP SUPPORT that fear-mongering by pushing news networks to release warnings about the ‘dangers’ of third party ink use?

Perhaps because that would start a series of questions like “Why can your ink cartridge send commands over my LAN?” and “Why does an ink cartridge need a computer chip?”.

As Radix said, If the ink cartridge can access your LAN, you have a huge security problem.

Anonymous Coward says:

Re: Re: Re:

Actually, I think HP is referring to a third party ink cartridge compromising the printer firmware. I have a difficult time seeing how that could happen as it would require the cartridge to upload malware that the printer controller would then execute. This seems out of the realm of what the cartridge microchip/non-volatile-memory device is intended to do (prevent 3rd party cartridges from working in the printer, provide a means of signalling the printer when the ink is running low, and time/date stamp the ink so that it will no longer work after a predetermined interval of time has passed since the cartridge was manufactured).
The interface HP uses to communicate with the cartridge is either I2C or a form of SPI, with the printer controller in control of the communication. The amount of memory in an HP cartridge is pretty limited. It would do little good for a 3rd party to add enough memory to contain malware, as the printer controller will only address those locations where the cartridge ID, manufacture date, manufacturing location, and pages/dots printed are stored. Claiming that 3rd party cartridges are a security risk is a blatant lie.

Anonymous Coward says:

Re: Re: Re: Re:

“I have a difficult time seeing how that could happen as it would require the cartridge to upload malware that the printer controller would then execute.”

Perhaps someone thought that having the controller update itself from the cartridge would be a good way to distribute software upgrades. That way they can update printers that do not connect to the Internet, or are blocked via a firewall.

DannyB (profile) says:

Re: Re:

Yes, that.

This vector for a security problem would only be because you are putting any kind of chip at all in the ink cartridge that does something non trivial.

If you must have a chip in the cartridge, and communicate with it, the communication should be totally trivial. Ink level. Temperature. Other telemetry. Nothing more. Poke the cartridge, it produces a string or binary result that is easily parsed by the printer’s firmware.
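
As an added illustration of the point made in the comments above (the controller only addresses a few fixed locations, and the exchange should be trivial to parse), here is a firmware-side parser that treats cartridge bytes as untrusted input. This is example code added here, not the commenters' or HP's; the 12-byte layout, field names and XOR checksum are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#define CART_RECORD_LEN 12u   /* hypothetical layout, fixed by the firmware */

enum cart_status { CART_OK = 0, CART_BAD_LEN, CART_BAD_SUM, CART_BAD_FIELD };

struct cart_info {
    uint32_t id;        /* cartridge ID */
    uint16_t year;      /* manufacture year */
    uint8_t  month;     /* manufacture month, 1..12 */
    uint8_t  ink_pct;   /* ink level, 0..100 */
    uint32_t pages;     /* pages printed */
};

/* Constructed sample record: id 0x0012D687, 2016-03, 42% ink, 300 pages. */
static const uint8_t CART_SAMPLE[CART_RECORD_LEN] = {
    0x01, 0x00, 0x12, 0xD6, 0x87, 0x10, 0x03, 0x2A, 0x00, 0x01, 0x2C, 0x56
};

/* Parse bytes the controller read from the cartridge. Nothing in the record
 * is a length, offset or pointer, so cartridge data never decides how much
 * the firmware reads or where it writes. */
enum cart_status cart_parse(const uint8_t *buf, size_t len, struct cart_info *out)
{
    uint8_t sum = 0;
    size_t i;
    if (buf == NULL || out == NULL || len != CART_RECORD_LEN)
        return CART_BAD_LEN;
    for (i = 0; i < CART_RECORD_LEN - 1; i++)
        sum ^= buf[i];
    if (sum != buf[CART_RECORD_LEN - 1])   /* catches bus errors, not forgery */
        return CART_BAD_SUM;
    /* Range-check every field before it reaches the rest of the firmware. */
    if (buf[0] != 1 || buf[5] > 99 || buf[6] < 1 || buf[6] > 12 || buf[7] > 100)
        return CART_BAD_FIELD;

    out->id      = ((uint32_t)buf[1] << 24) | ((uint32_t)buf[2] << 16) |
                   ((uint32_t)buf[3] << 8)  |  (uint32_t)buf[4];
    out->year    = (uint16_t)(2000 + buf[5]);
    out->month   = buf[6];
    out->ink_pct = buf[7];
    out->pages   = ((uint32_t)buf[8] << 16) | ((uint32_t)buf[9] << 8) | buf[10];
    return CART_OK;
}

int main(void)
{
    struct cart_info ci;
    return cart_parse(CART_SAMPLE, sizeof CART_SAMPLE, &ci) == CART_OK ? 0 : 1;
}
```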

Nick (profile) says:

Companies like HP seem to think there is an epidemic of customers being scammed by purchasing non-official products. I’d wager that most people who buy a replacement cartridge did so because of cost, which is what the open market is supposed to encourage. If GenericX can make a cheaper print cartridge, why can’t HP, which already has the manufacturing and specs figured out?

Anonymous Coward says:

erode confidence.

between what the government and its lapdog police are doing and what corporations are doing, generations of careful trust-building are going out the window without so much as a fare-thee-well.

these pompous posteriors are going to learn a valuable lesson regarding the wisdom of those naïve primitives who begat them.

That One Guy (profile) says:

If you're going to lie, at least try to sound believable

“The most recent firmware update included a dynamic security feature that prevented some untested third-party cartridges that use cloned security chips from working, even if they had previously functioned.”

By trying to spin it as them being ‘just so concerned for customer security’ they actually just make it worse. If it was really a matter of customer security, addressing a serious threat then they would have told their customers immediately about the ‘threat’ so their customers could do something about it, and implemented and activated the ‘security patch’ immediately rather than months later.

Imagine for a moment if an anti-virus/malware company kept an up to date virus/malware detection database, but only updated the software to detect malicious code on a tri-yearly basis. Would anyone accept their claim that they were concerned about the security of their customers?

Their attempt at defending their actions here isn’t just a lie, it’s a terrible lie, the kind of lie you’d expect from someone who honestly thought that they’d never get caught and have to defend their actions, and who is scrambling to come up with anything they can think of to brush it under the rug or try to spin it in their favor.

That Anonymous Coward (profile) says:

“When ink cartridges are cloned or counterfeited”

We spent more on developing security chips, than improving our product.
We have a business model that works when we can charge ungodly amounts for our ink, and are shocked that consumers prefer to buy cheaper carts that work.
Rather than improve our product, we just locked everyone else out and will try to use laws to demand the entire world follow the laws of 1 country.

How about you shake up the industry and stop selling the printers well below cost hoping to make up the extra on future ink sales.
Hell scare everyone and develop a unified ink/toner platform.
All your products using a single platform or carts meaning no one’s ever screwed running around town looking for the slightly different cart they need for their printer that costs as much as a new printer is on sale for.
Make the recycling program more robust & look for ways to improve the carts & lifespan.
Be the better product, not the product with a chip you wasted money on creating that’ll be hacked in less than a week.
