(Mis)Uses of Technology

by Karl Bode


Filed Under:
cartridges, drm, ink, printers

Companies:
hp



HP Issues Flimsy Mea Culpa For Recent Printer Cartridge DRM Idiocy, But It's Not Enough

from the not-helping dept

A few weeks ago we noted how HP had effectively delivered a DRM time bomb in the form of a software update that, once detonated, crippled customers' ability to use competing third-party print cartridges in HP printers. While such ham-fisted behavior certainly isn't new, in this case HP had actually first deployed the "security update" to its printers back in March -- but didn't activate its stealthy payload until last month. Once activated, the software update prevented HP printers from even detecting alternative ink cartridges, resulting in owners getting a rotating crop of error messages about faulty cartridges.

HP customers were obviously annoyed, and the EFF was quick to pen an open letter to HP, quite correctly noting that HP abused its security update mechanism to trick its customers and actively erode product functionality. Ultimately HP was forced to respond via a blog post proclaiming the company was just "dedicated to the best printing experience" and wanted to correct some "confusion" about its DRM sneak attack. In short, HP strongly implied it was just trying to protect consumers from "potential security risks" (what sweethearts):

"HP printers and original HP ink products deliver the best quality, security and reliability. When ink cartridges are cloned or counterfeited, the customer is exposed to quality and potential security risks, compromising the printing experience. As is standard in the printing business, we have a process for authenticating supplies. The most recent firmware update included a dynamic security feature that prevented some untested third-party cartridges that use cloned security chips from working, even if they had previously functioned."

And while HP ultimately said it would deploy an "optional firmware update" in a few weeks, the mea culpa is filled with the usual assortment of garbled half-truths -- including HP patting itself on the back for being ultra-transparent and proactive after its customers began brandishing pitchforks. The EFF is fortunately attempting to hold HP's feet to the fire, urging the company to more fully disclose just how many printers were impacted, detail how it intends to inform users about the update, and stop undermining its customers' confidence in the security update process:

"HP needs to promise never to use a security update to take away features again. There's hundreds of millions of inkjet printers out there, and they're vulnerable to malicious software that can conscript them into jaw-dropping internet attacks. Whether or not you own an HP printer, you have a stake in HP's printers being swiftly updated when bugs are discovered in them. That means that HP must not give customers a reason to worry that the next "security update" is yet another self-destruct mechanism aimed at protecting the security of HP's cartridge division, rather than the security of our printers, to which we supply our credit card details, Social Security Numbers and personal photos."

The EFF is also urging annoyed customers to sign this petition, which currently has 12,400 signatures and counting.

Reader Comments

  • Ninja, 4 Oct 2016 @ 10:55am

    "including HP patting itself on the back for being ultra-transparent and proactive after its customers began brandishing pitchforks"

    Still, the damage has been done. No more firmware updates before it's well tested for me. If HP did it, what prevents others from doing the same? Microsoft has paved the road too. I was reluctant to fully ditch Windows because of the hassle. Their abuse of the update system in the W10 upgrade fiasco has provided me with enough incentive.

    • Anonymous Coward, 4 Oct 2016 @ 12:46pm

      Re:

      HP set a 6 month wait period before the 'update' went into effect for the purpose of avoiding bad reports of what gets broken. Did HP purposely want as many people as possible to install an apparently benign update? So how long would you recommend waiting before updating firmware?

      • Ninja, 5 Oct 2016 @ 3:22am

        Re: Re:

        Good point. Reading the update documentation is a good start, though Microsoft is being criticized for the lack of helpful information about their updates recently. So the waiting window would be variable.

  • Anonymous Coward, 4 Oct 2016 @ 10:56am

    "HP printers and original HP ink products deliver the best quality, security and reliability. When ink cartridges are cloned or counterfeited, the customer is exposed to quality and potential security risks, compromising the printing experience."

    ... so we are going to beat all those assholes to the punch and MAKE SURE you WILL NOT have a quality printing experience.

  • I.T. Guy, 4 Oct 2016 @ 11:09am

    It's simple... just buy another printer brand. Even a 20 dollar printer these days is enough for most.

    A while back I bought an HP photo printer. I was into photography back then. The printer quality was terrific. It cost 350.00 and lasted for 377 days with minimal printing.

    Needless to say my Brother printer has been running strong for 6 years now and has gone through maybe 3 carts including the original.

    I wouldn't take an HP printer for free.

    • Thad, 4 Oct 2016 @ 11:58am

      Re:

      I've always thought of Brother as a cheap and inferior brand but I'm hearing a lot of recommendations for them lately. I'll definitely look into them if my current printer dies on me.

      I do have an HP printer, but it's a B&W laser, not an inkjet. Still, it might be a good idea to set up a firewall rule to prevent it from connecting to the Internet, just in case.

    • JBDragon, 4 Oct 2016 @ 12:11pm

      Re:

      I have a Brother Laser Jet and it has ZERO DRM crap on it. It's easy to reset the toner cartridge. Hell it only took a cheap kit to convert the demo toner cartridge into a full normal cartridge which was simple, as it's a snap to fill it up with new toner. The toner and drum can also come apart if you need to replace either making costs cheaper.

      Best of all it can sit for weeks and then start printing out perfect pages. These other brands with chips on them blow!!!

    • Padpaw, 4 Oct 2016 @ 1:41pm

      Re:

      It's funny I am still using one from the late 90's. I tried getting a new one, but the ink turned out to be more expensive than the damned printer.

      While my old printer is still running on the same ink toner cartridge it came with.

    • PaulT, 5 Oct 2016 @ 12:24am

      Re:

      "It's simple... just buy another printer brand."

      The problem is, this attitude is endemic across the whole industry. Sure, HP got caught out but you can bet other brands are doing the same.

      • Thad, 5 Oct 2016 @ 11:12am

        Re: Re:

        Are they, though? I'm aware of other printer brands trying to lock out "counterfeit" cartridges, but I'm not aware of anybody else releasing an online "security" update designed to lock out competing cartridges at some point six months in the future.

  • kallethen, 4 Oct 2016 @ 11:16am

    I'm not gonna bother signing that petition. Cuz I've already sworn off HP products in my house years ago.

    • Thad, 4 Oct 2016 @ 11:53am

      Re:

      You apparently haven't sworn off the Internet, so this affects you.

      When people stop trusting security updates, they'll stop *installing* security updates.

      When vulnerable network-connected hardware goes unpatched, it gets compromised.

      You don't have to own an HP printer to be impacted by a vulnerability in HP printers. This is the era of the botnet, and that affects everybody.

      • Anonymous Coward, 4 Oct 2016 @ 11:58am

        Re: Re:

        FYI, I've stopped trusting Microsoft updates and turned them off. Microsoft's iron fisted abuse of the update process has made their updates a bigger threat than malware.

        • Thad, 4 Oct 2016 @ 12:21pm

          Re: Re: Re:

          That's a reasonable and understandable decision; MS has betrayed its users' trust.

          But it also makes you vulnerable, and that's not a good solution either.

          Have you considered Linux? Mint gets pretty high marks as a distribution that's friendly to new users.

          • That One Guy, 4 Oct 2016 @ 2:41pm

            Re: Re: Re: Re:

            Define 'friendly'. I've actually been considering putting together a new computer as a backup/game rig and given the other choices (Microsoft Big Brother Edition and Apple Nope) looked into Linux a bit, with the two biggest stumbling blocks at the moment being 'totally new OS to learn' (or whatever you would call it, given the various 'flavors'), and 'reputation for not being very game friendly' being the ones that come to mind.

            • Thad, 4 Oct 2016 @ 3:11pm

              Re: Re: Re: Re: Re:

              Well, the learning curve shouldn't be too bad as Mint looks pretty Windows-like out of the box. (There are two default desktop environments to choose from, Cinnamon and MATE; I prefer MATE but would probably recommend Cinnamon to a new user. Cinnamon's newer and better optimized for HiDPI, multi-monitor support, and other such modern niceties, while MATE is based on an older codebase and is more configurable.)

              As far as game compatibility, well, that depends. AAA titles still don't usually get Linux releases, though there are exceptions (Firaxis has been great; XCOM2 got a simultaneous launch on Windows, OSX, and Linux, and so will Civ 6). If emulators and indie games are more your thing, on the other hand, you'll be well taken care of. I recently played through Axiom Verge and thought it was fantastic.

              For games that have top-of-the-line graphics, you'll get degraded performance on Linux compared to Windows; OpenGL just plain doesn't perform as well as DirectX. This will hopefully change in the next couple of years as Vulkan takes over from OGL, but it's not very well-supported yet. But while OGL lags at the bleeding edge, it's fine for midrange games.

            • Anonymous Coward, 5 Oct 2016 @ 12:44am

              Re: Re: Re: Re: Re:

              The best way to figure out which distribution, and which desktop environment to use is to try them out with a live media version of various distributions. Almost all ISOs will run off a thumb drive, and you can attach the ISO file to a virtual machine to install it. You can also give them a more thorough try out using VirtualBox, or an old XP machine should you have one.
              Unless your Internet is capped, or has excess data charges, it costs nothing more than time to try out various flavors of Linux, and try out is the best way of discovering what Linux is about, and which flavor best suits your tastes and software needs.

            • I.T. Guy, 5 Oct 2016 @ 8:45am

              Re: Re: Re: Re: Re:

              Invest time in Linux bootable usb's. You can learn it at your leisure and won't need any additional hardware.

              http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows

      • kallethen, 4 Oct 2016 @ 1:18pm

        Re: Re:

        I'll concede you have a valid point with the "not trusting security updates" angle.

        I still have little faith in internet petitions.

        • Thad, 4 Oct 2016 @ 2:09pm

          Re: Re: Re:

          I definitely understand that, and it's the reason I haven't signed it myself. It's nice to see HP backpedaling on this, but I don't know how much it actually had to do with the EFF campaign; the story was widely reported all over the world, after all.

    • James Burkhardt, 4 Oct 2016 @ 12:00pm

      Re:

      You ever connect to a friend's WiFi using your phone or Laptop? Ever connect to free wifi at your local coffee shop? There are plenty of places where you could connect to Wifi that MIGHT have a brother printer on it, and therefore put you at risk. That's before considering the Botnet problems Thad pointed out.

  • radix, 4 Oct 2016 @ 11:21am

    Potential security risks from using unauthorized cartridges? Is that really an active malware vector?

    If your printer can gain access to your network by reading harmful instructions from compromised ink buckets, your security problem is much too serious to be solved with DRM.

    • James Burkhardt, 4 Oct 2016 @ 11:56am

      Re:

      I second this.

      Is this an active malware vector? Do they have examples of it in the wild? Why haven't news networks jumped at the fear-mongering that would entail? Why didn't HP SUPPORT that fear-mongering by pushing news networks to release warnings about the 'dangers' of third party ink use?

      Perhaps because that would start a series of questions like "Why can your ink cartridge send commands over my LAN?" and "Why does an ink cartridge need a computer chip?".

      As Radix said, If the ink cartridge can access your LAN, you have a huge security problem.

      • Anonymous Coward, 4 Oct 2016 @ 12:32pm

        Re: Re:

        Actually, I think HP is referring to a third party ink cartridge compromising the printer firmware. I have a difficult time seeing how that could happen as it would require the cartridge to upload malware that the printer controller would then execute. This seems out of the realm of what the cartridge microchip/non-volatile-memory device is intended to do (prevent 3rd party cartridges from working in the printer, provide a means of signalling the printer when the ink is running low, and time/date stamp the ink so that it will no longer work after a predetermined interval of time has passed since the cartridge was manufactured).
        The interface HP uses to communicate with the cartridge is either I2C or a form of SPI, with the printer controller in control of the communication. The amount of memory in an HP cartridge is pretty limited. It would do little good for a 3rd party to add enough memory to contain malware, as the printer controller will only address those locations where the cartridge ID, manufacture date, manufacturing location, and pages/dots printed are stored. Claiming that 3rd party cartridges are a security risk is a blatant lie.

        • Anonymous Coward, 4 Oct 2016 @ 2:09pm

          Re: Re: Re:

          "I have a difficult time seeing how that could happen as it would require the cartridge to upload malware that the printer controller would then execute."

          Perhaps someone thought that having the controller update itself from the cartridge would be a good way to distribute software upgrades. That way they can update printers that do not connect to the Internet, or are blocked via a firewall.

    • DannyB, 4 Oct 2016 @ 12:18pm

      Re:

      Yes, that.

      This vector for a security problem would only be because you are putting any kind of chip at all in the ink cartridge that does something non trivial.

      If you must have a chip in the cartridge, and communicate with it, the communication should be totally trivial. Ink level. Temperature. Other telemetry. Nothing more. Poke the cartridge, it produces a string or binary result that is easily parsed by the printer's firmware.

    • Anonymous Coward, 4 Oct 2016 @ 1:36pm

      Re:

      --Potential security risks from using unauthorized cartridges?

      Yea I was reading about this on the dark web the other day.
      Some hackers have embedded a Raspberry Pi into the cartridge so it records what the cartridge is printing thus stealing the image. It then transmits the data via wifi.

  • Nick, 4 Oct 2016 @ 11:25am

    Companies like HP seem to think there is an epidemic of customers being scammed by purchasing non-official products. I'd wager that most people who buy a replacement cartridge did so because of cost, which is what the open market is supposed to encourage. If GenericX can make a cheaper print cartridge, why can't HP, which already has the manufacturing and specs figured out?

    • Anonymous Coward, 4 Oct 2016 @ 12:16pm

      Re:

      "Companies like HP seem to think there is an epidemic of customers being scammed by purchasing non-official products."

      It's more a case that they think they are being robbed by customers buying non-official products.

  • Anonymous Coward, 4 Oct 2016 @ 11:27am

    erode confidence.

    between what the government and its lapdog police are doing and what corporations are doing, generations of careful trust-building are going out the window without so much as a fare-thee-well.

    these pompous posteriors are going to learn a valuable lesson regarding the wisdom of those naïve primitives who begat them.

  • peter, 4 Oct 2016 @ 1:17pm

    "....printing experience...."

    There. Right there. That's when I knew the post was a marketing puff piece put together by a bunch of lying sh**tbags.

  • That One Guy, 4 Oct 2016 @ 1:17pm

    If you're going to lie, at least try to sound believable

    "The most recent firmware update included a dynamic security feature that prevented some untested third-party cartridges that use cloned security chips from working, even if they had previously functioned."

    By trying to spin it as them being 'just so concerned for customer security' they actually just make it worse. If it was really a matter of customer security, addressing a serious threat then they would have told their customers immediately about the 'threat' so their customers could do something about it, and implemented and activated the 'security patch' immediately rather than months later.

    Imagine for a moment if an anti-virus/malware company kept an up-to-date virus/malware detection database, but only updated the software to detect malicious code on a tri-yearly basis. Would anyone accept their claim that they were concerned about the security of their customers?

    Their attempt at defending their actions here isn't just a lie, it's a terrible lie, the kind of lie you'd expect from someone who honestly thought that they'd never get caught and have to defend their actions, and who is scrambling to come up with anything they can think of to brush it under the rug or try to spin it in their favor.

  • Alex Macfie, 4 Oct 2016 @ 2:07pm

    Illegal in the EU

    Chips that detect and block the use of third-party printer cartridges are specifically banned throughout the EU, since about 2000.

  • slap, 4 Oct 2016 @ 2:13pm

    Updated cartridges

    I had to buy some new black ink cartridges for my HP 8600 officejet printer. On Ebay I noticed some sellers selling cartridges with updated chips on them - I assume that a work around has already been found.

  • Anonymous Coward, 4 Oct 2016 @ 4:53pm

    "best printing experience" from three years ago

    April 15th, 8pm at a Target trying to find ink cartridge.
    The last one they had for my printer didn't work because it was over 3 yrs old already.
    Ended up at Best Buy at 10pm printer shopping so could print out taxes.

    • Anonymous Coward, 4 Oct 2016 @ 7:15pm

      Re: "best printing experience" from three years ago

      Next time try going to a local hotel and asking if you can print a PDF of your taxes on one of their "guest" computers. They _might_ charge you per page, but it would be cheaper than a new printer from BB. Then get your print cartridge from eBay the next day.

  • Kronomex, 4 Oct 2016 @ 7:05pm

    "We're sorry, really and truly, that we got caught out trying to pull a swifty...and...and...IT'S ALL HILARY CLINTON'S FAULT..."

  • That Anonymous Coward, 5 Oct 2016 @ 12:53am

    "When ink cartridges are cloned or counterfeited"

    We spent more on developing security chips, than improving our product.
    We have a business model that works when we can charge ungodly amounts for our ink, and are shocked that consumers prefer to buy cheaper carts that work.
    Rather than improve our product, we just locked everyone else out and will try to use laws to demand the entire world follow the laws of 1 country.

    How about you shake up the industry and stop selling the printers well below cost hoping to make up the extra on future ink sales.
    Hell scare everyone and develop a unified ink/toner platform.
    All your products using a single platform or carts meaning no one's ever screwed running around town looking for the slightly different cart they need for their printer that costs as much as a new printer is on sale for.
    Make the recycling program more robust & look for ways to improve the carts & lifespan.
    Be the better product, not the product with a chip you wasted money on creating that'll be hacked in less than a week.

  • JustMe, 5 Oct 2016 @ 9:22am

    Printer refills

    Shouldn't be able to create security problems in the first place, HP. This is you screwing up. This is you screwing your customers over. This is me never buying your crap again.
