HP Issues Flimsy Mea Culpa For Recent Printer Cartridge DRM Idiocy, But It's Not Enough
from the not-helping dept
A few weeks ago we noted how HP had effectively delivered a DRM time bomb in the form of a software update that, once detonated, crippled customers' ability to use competing third-party print cartridges in HP printers. While such ham-fisted behavior certainly isn't new, in this case HP had actually first deployed the "security update" to its printers back in March -- but didn't activate its stealthy payload until last month. Once activated, the software update prevented HP printers from even detecting alternative ink cartridges, resulting in owners getting a rotating crop of error messages about faulty cartridges.
HP customers were obviously annoyed, and the EFF was quick to pen an open letter to HP, quite correctly noting that HP abused its security update mechanism to trick its customers and actively erode product functionality. Ultimately HP was forced to respond via a blog post proclaiming the company was just "dedicated to the best printing experience" and wanted to correct some "confusion" about its DRM sneak attack. In short, HP strongly implied it was just trying to protect consumers from "potential security risks" (what sweethearts):
"HP printers and original HP ink products deliver the best quality, security and reliability. When ink cartridges are cloned or counterfeited, the customer is exposed to quality and potential security risks, compromising the printing experience. As is standard in the printing business, we have a process for authenticating supplies. The most recent firmware update included a dynamic security feature that prevented some untested third-party cartridges that use cloned security chips from working, even if they had previously functioned."
And while HP ultimately said it would deploy an "optional firmware update" in a few weeks, the mea culpa is filled with the usual assortment of garbled half-truths -- including HP patting itself on the back for being ultra-transparent and proactive after its customers began brandishing pitchforks. The EFF is fortunately attempting to hold HP's feet to the fire, urging the company to more fully disclose just how many printers were impacted, detail how it intends to inform users about the update, and stop undermining its customers' confidence in the security update process:
"HP needs to promise never to use a security update to take away features again. There's hundreds of millions of inkjet printers out there, and they're vulnerable to malicious software that can conscript them into jaw-dropping internet attacks. Whether or not you own an HP printer, you have a stake in HP's printers being swiftly updated when bugs are discovered in them. That means that HP must not give customers a reason to worry that the next 'security update' is yet another self-destruct mechanism aimed at protecting the security of HP's cartridge division, rather than the security of our printers, to which we supply our credit card details, Social Security Numbers and personal photos."
The EFF is also urging annoyed customers to sign this petition, which currently has 12,400 signatures and counting.
Filed Under: cartridges, drm, ink, printers
Companies: hp
Reader Comments
Still, the damage has been done. No more firmware updates before it's well tested for me. If HP did it, what prevents others from doing the same? Microsoft has paved the road too. I was reluctant to fully ditch Windows because of the hassle. Their abuse of the update system in the W10 upgrade fiasco has provided me with enough incentive.
[ link to this | view in chronology ]
... so we are going to beat all those assholes to the punch and MAKE SURE you WILL NOT have a quality printing experience.
[ link to this | view in chronology ]
A while back I bought an HP photo printer. I was into photography back then. The printer quality was terrific. It cost 350.00 and lasted for 377 days with minimal printing.
Needless to say my Brother printer has been running strong for 6 years now and has gone through maybe 3 carts including the original.
I wouldn't take an HP printer for free.
[ link to this | view in chronology ]
Re:
I do have an HP printer, but it's a B&W laser, not an inkjet. Still, it might be a good idea to set up a firewall rule to prevent it from connecting to the Internet, just in case.
[ link to this | view in chronology ]
Re:
Best of all it can sit for weeks and then start printing out perfect pages. These other brands with chips on them blow!!!
[ link to this | view in chronology ]
Re:
While my old printer is still running on the same ink toner cartridge it came with.
[ link to this | view in chronology ]
Re:
The problem is, this attitude is endemic across the whole industry. Sure, HP got caught out but you can bet other brands are doing the same.
[ link to this | view in chronology ]
Re:
When people stop trusting security updates, they'll stop *installing* security updates.
When vulnerable network-connected hardware goes unpatched, it gets compromised.
You don't have to own an HP printer to be impacted by a vulnerability in HP printers. This is the era of the botnet, and that affects everybody.
[ link to this | view in chronology ]
Re: Re: Re:
But it also makes you vulnerable, and that's not a good solution either.
Have you considered Linux? Mint gets pretty high marks as a distribution that's friendly to new users.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
As far as game compatibility, well, that depends. AAA titles still don't usually get Linux releases, though there are exceptions (Firaxis has been great; XCOM2 got a simultaneous launch on Windows, OSX, and Linux, and so will Civ 6). If emulators and indie games are more your thing, on the other hand, you'll be well taken care of. I recently played through Axiom Verge and thought it was fantastic.
For games that have top-of-the-line graphics, you'll get degraded performance on Linux compared to Windows; OpenGL just plain doesn't perform as well as DirectX. This will hopefully change in the next couple of years as Vulkan takes over from OGL, but it's not very well-supported yet. But while OGL lags at the bleeding edge, it's fine for midrange games.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Unless your Internet is capped, or has excess data charges, it costs nothing more than time to try out various flavors of Linux, and try out is the best way of discovering what Linux is about, and which flavor best suits your tastes and software needs.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows
[ link to this | view in chronology ]
Re: Re:
I still have little faith in internet petitions.
[ link to this | view in chronology ]
Brother??
And exactly how would a Brother printer put one at risk?
[ link to this | view in chronology ]
If your printer can gain access to your network by reading harmful instructions from compromised ink buckets, your security problem is much too serious to be solved with DRM.
[ link to this | view in chronology ]
Re:
Is this an active malware vector? Do they have examples of it in the wild? Why haven't news networks jumped at the fear-mongering that would entail? Why didn't HP SUPPORT that fear-mongering by pushing news networks to release warnings about the 'dangers' of third party ink use?
Perhaps because that would start a series of questions like "Why can your ink cartridge send commands over my LAN?" and "Why does an ink cartridge need a computer chip?".
As Radix said, if the ink cartridge can access your LAN, you have a huge security problem.
[ link to this | view in chronology ]
Re: Re:
The interface HP uses to communicate with the cartridge is either I2C or a form of SPI, with the printer controller in control of the communication. The amount of memory in an HP cartridge is pretty limited. It would do little good for a 3rd party to add enough memory to contain malware, as the printer controller will only address those locations where the cartridge ID, manufacture date, manufacturing location, and pages/dots printed are stored. Claiming that 3rd party cartridges are a security risk is a blatant lie.
[ link to this | view in chronology ]
Re: Re: Re:
Perhaps someone thought that having the controller update itself from the cartridge would be a good way to distribute software upgrades. That way they can update printers that do not connect to the Internet, or are blocked via a firewall.
[ link to this | view in chronology ]
Re:
This vector for a security problem would only be because you are putting any kind of chip at all in the ink cartridge that does something non-trivial.
If you must have a chip in the cartridge, and communicate with it, the communication should be totally trivial. Ink level. Temperature. Other telemetry. Nothing more. Poke the cartridge, it produces a string or binary result that is easily parsed by the printer's firmware.
[ link to this | view in chronology ]
Re:
Yea I was reading about this on the dark web the other day.
Some hackers have embedded a Raspberry Pi into the cartridge so it records what the cartridge is printing thus stealing the image. It then transmits the data via wifi.
[ link to this | view in chronology ]
Re:
It's more a case that they think they are being robbed by customers buying non-official products.
[ link to this | view in chronology ]
Re: Re:
Not buying a refill cartridge from us is robbery! (sick)
[ link to this | view in chronology ]
between what the government and its lapdog police are doing and what corporations are doing, generations of careful trust-building are going out the window without so much as a fare-thee-well.
these pompous posteriors are going to learn a valuable lesson regarding the wisdom of those naïve primitives who begat them.
[ link to this | view in chronology ]
There. Right there. That's when I knew the post was a marketing puff piece put together by a bunch of lying sh**tbags.
[ link to this | view in chronology ]
If you're going to lie, at least try to sound believable
By trying to spin it as them being 'just so concerned for customer security' they actually just make it worse. If it was really a matter of customer security, addressing a serious threat, then they would have told their customers immediately about the 'threat' so their customers could do something about it, and implemented and activated the 'security patch' immediately rather than months later.
Imagine for a moment if an anti-virus/malware company kept an up to date virus/malware detection database, but only updated the software to detect malicious code on a tri-yearly basis. Would anyone accept their claim that they were concerned about the security of their customers?
Their attempt at defending their actions here isn't just a lie, it's a terrible lie, the kind of lie you'd expect from someone who honestly thought that they'd never get caught and have to defend their actions, and who is scrambling to come up with anything they can think of to brush it under the rug or try to spin it in their favor.
[ link to this | view in chronology ]
Illegal in the EU
[ link to this | view in chronology ]
Updated cartridges
[ link to this | view in chronology ]
"best printing experience" from three years ago
The last one they had for my printer didn't work because it was over 3 yrs old already.
Ended up at Best Buy at 10pm printer shopping so could print out taxes.
[ link to this | view in chronology ]
Re: "best printing experience" from three years ago
[ link to this | view in chronology ]
We spent more on developing security chips, than improving our product.
We have a business model that works when we can charge ungodly amounts for our ink, and are shocked that consumers prefer to buy cheaper carts that work.
Rather than improve our product, we just locked everyone else out and will try to use laws to demand the entire world follow the laws of 1 country.
How about you shake up the industry and stop selling the printers well below cost hoping to make up the extra on future ink sales.
Hell, scare everyone and develop a unified ink/toner platform.
All your products using a single platform or carts, meaning no one's ever screwed running around town looking for the slightly different cart they need for their printer that costs as much as a new printer is on sale for.
Make the recycling program more robust & look for ways to improve the carts & lifespan.
Be the better product, not the product with a chip you wasted money on creating that'll be hacked in less than a week.
[ link to this | view in chronology ]
Printer refills
[ link to this | view in chronology ]