HP Issues Flimsy Mea Culpa For Recent Printer Cartridge DRM Idiocy, But It's Not Enough
from the not-helping dept
A few weeks ago we noted how HP had effectively delivered a DRM time bomb in the form of a software update that, once detonated, crippled customers’ ability to use competing third-party print cartridges in HP printers. While such ham-fisted behavior certainly isn’t new, in this case HP had actually first deployed the “security update” to its printers back in March — but didn’t activate its stealthy payload until last month. Once activated, the software update prevented HP printers from even detecting alternative ink cartridges, resulting in owners getting a rotating crop of error messages about faulty cartridges.
HP customers were obviously annoyed, and the EFF was quick to pen an open letter to HP, quite correctly noting that HP abused its security update mechanism to trick its customers and actively erode product functionality. Ultimately HP was forced to respond via a blog post proclaiming the company was just “dedicated to the best printing experience” and wanted to correct some “confusion” about its DRM sneak attack. In short, HP strongly implied it was just trying to protect consumers from “potential security risks” (what sweethearts):
“HP printers and original HP ink products deliver the best quality, security and reliability. When ink cartridges are cloned or counterfeited, the customer is exposed to quality and potential security risks, compromising the printing experience. As is standard in the printing business, we have a process for authenticating supplies. The most recent firmware update included a dynamic security feature that prevented some untested third-party cartridges that use cloned security chips from working, even if they had previously functioned.”
And while HP ultimately said it would deploy an “optional firmware update” in a few weeks, the mea culpa is filled with the usual assortment of garbled half-truths — including HP patting itself on the back for being ultra-transparent and proactive after its customers began brandishing pitchforks. The EFF is fortunately attempting to hold HP’s feet to the fire, urging the company to more fully disclose just how many printers were impacted, detail how it intends to inform users about the update, and stop undermining their customers confidence in the security update process:
“HP needs to promise never to use a security update to take away features again. There’s hundreds of millions of inkjet printers out there, and they’re vulnerable to malicious software that can conscript them into jaw-dropping internet attacks. Whether or not you own an HP printer, you have a stake in HPs’ printers being swiftly updated when bugs are discovered in them. That means that HP must not give customers a reason to worry that the next “security update” is yet another self-destruct mechanism aimed at protecting the security of HP’s cartridge division, rather than the security of our printers, to which we supply our credit card details, Social Security Numbers and personal photos.”
The EFF is also urging annoyed customers to sign this petition, which currently has 12,400 signatures and counting.
Filed Under: cartridges, drm, ink, printers
Companies: hp
Comments on “HP Issues Flimsy Mea Culpa For Recent Printer Cartridge DRM Idiocy, But It's Not Enough”
including HP patting itself on the back for being ultra-transparent and proactive after its customers began brandishing pitchforks
Still, the damage has been done. No more firmware updates before it’s well tested for me. If HP did it, what prevents others from doing the same? Microsoft has paved the road too. I was reluctant to fully ditch Windows because of the hassle. Their abuse of the update system in the W10 upgrade fiasco has provided me with enough incentive.
Re: Re:
HP set a 6 month wait period before the ‘update’ went into effect for the purpose of avoiding bad reports of what gets broken. Did HP purposely want as many people as possible to install an apparently benign update? So how long would you recommend waiting before updating firmware?
Re: Re: Re:
Good point. Reading the update documentation is a good start though Microsoft is being criticized by the lack of helpful information about their updates recently. So the waiting window would be variable.
HP printers and original HP ink products deliver the best quality, security and reliability. When ink cartridges are cloned or counterfeited, the customer is exposed to quality and potential security risks, compromising the printing experience.
… so we are going to beat all those assholes to the punch and MAKE SURE you WILL NOT have a quality printing experience.
It’s simple… just buy another printer brand. Even a 20 dollar printer these days is enough for most.
A while back I bought an HP photo printer. I was into photography back then. The printer quality was terrific. It cost 350.00 and lasted for 377 days with minimal printing.
Needless to say my Brother printer has been running strong for 6 years now and has gone through maybe 3 carts including the original.
I wouldn’t take an HP printer for free.
Re: Re:
I’ve always thought of Brother as a cheap and inferior brand but I’m hearing a lot of recommendations for them lately. I’ll definitely look into them if my current printer dies on me.
I do have an HP printer, but it’s a B&W laser, not an inkjet. Still, it might be a good idea to set up a firewall rule to prevent it from connecting to the Internet, just in case.
Re: Re:
I have a Brother Laser Jet and it has ZERO DRM crap on it. It’s easy to reset the toner cartridge. Hell it only took a cheap kit to convert the demo toner cartridge into a full normal cartridge which was simple, as it’s a snap to fill it up with new toner. The toner and drum can also come apart if you need to replace either making costs cheaper.
Best of all it can sit for weeks and then start printing out perfect pages. These other brands with chips on them blow!!!
Re: Re:
It’s funny I am still using one from the late 90’s. I tried getting a new one, but the ink turned out to be more expensive than the damned printer.
While my old printer is still running on the same ink toner cartridge it came with.
Re: Re: Re:
Did you perchance pick up a Wonka brand printer/ink cartridge? Sounds like you may have bought an Everlasting Ink-Cartridge.
Re: Re:
“It’s simple… just buy another printer brand.”
The problem is, this attitude is endemic across the whole industry. Sure, HP got caught out but you can bet other brands are doing the same.
Re: Re: Re:
Are they, though? I’m aware of other printer brands trying to lock out “counterfeit” cartridges, but I’m not aware of anybody else releasing an online “security” update designed to lock out competing cartridges at some point six months in the future.
I’m not gonna bother signing that petition. Cuz I’ve already sworn off HP products in my house years ago.
Re: Re:
You apparently haven’t sworn off the Internet, so this affects you.
When people stop trusting security updates, they’ll stop installing security updates.
When vulnerable network-connected hardware goes unpatched, it gets compromised.
You don’t have to own an HP printer to be impacted by a vulnerability in HP printers. This is the era of the botnet, and that affects everybody.
Re: Re: Re:
FYI, I’ve stopped trusting Microsoft updates and turned them off. Microsoft’s iron fisted abuse of the update process has made their updates a bigger threat than malware.
Re: Re: Re: Re:
That’s a reasonable and understandable decision; MS has betrayed its users’ trust.
But it also makes you vulnerable, and that’s not a good solution either.
Have you considered Linux? Mint gets pretty high marks as a distribution that’s friendly to new users.
Re: Re: Re:2 Re:
Define ‘friendly’. I’ve actually been considering putting together a new computer as a backup/game rig and given the other choices (Microsoft Big Brother Edition and Apple Nope)looked into Linux a bit, with the two biggest stumbling blocks at the moment being ‘totally new OS to learn'(or whatever you would call it, given the various ‘flavors’)’, and ‘reputation for not being very game friendly’ being the ones that come to mind.
Re: Re: Re:3 Re:
Well, the learning curve shouldn’t be too bad as Mint looks pretty Windows-like out of the box. (There are two default desktop environments to choose from, Cinnamon and MATE; I prefer MATE but would probably recommend Cinnamon to a new user. Cinnamon’s newer and better optimized for HiDPI, multi-monitor support, and other such modern niceties, while MATE is based on an older codebase and is more configurable.)
As far as game compatibility, well, that depends. AAA titles still don’t usually get Linux releases, though there are exceptions (Firaxis has been great; XCOM2 got a simultaneous launch on Windows, OSX, and Linux, and so will Civ 6). If emulators and indie games are more your thing, on the other hand, you’ll be well taken care of. I recently played through Axiom Verge and thought it was fantastic.
For games that have top-of-the-line graphics, you’ll get degraded performance on Linux compared to Windows; OpenGL just plain doesn’t perform as well as DirectX. This will hopefully change in the next couple of years as Vulkan takes over from OGL, but it’s not very well-supported yet. But while OGL lags at the bleeding edge, it’s fine for midrange games.
Re: Re: Re:3 Re:
The best way to figure out which distribution, and which desktop environment to use is to try them out with a live ..media version of various distributions. Almost all ISO’s will run off a thumb drive, and you can attach the ISO file to a virtual machine to install it. You can also give them a more thorough try out using virtual box, or an old XP machine should you have one.
Unless your Internet is capped, or has excess data charges, it costs nothing more than time to try out various flavors of Linux,and try out is the best way of discovering what Linux is about, and which flavor best suites your tastes and software needs.
Re: Re: Re:3 Re:
Invest time in Linux bootable usb’s. You can learn it at your leisure and won’t need any additional hardware.
http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows
Re: Re: Re:
I’ll concede you have a valid point with the “not trusting security updates” angle.
I still have little faith in internet petitions.
Re: Re: Re: Re:
I definitely understand that, and it’s the reason I haven’t signed it myself. It’s nice to see HP backpedaling on this, but I don’t know how much it actually had to do with the EFF campaign; the story was widely reported all over the world, after all.
Re: Re:
You ever connect to a friends WiFi using your phone or Laptop? Ever connect to free wifi at your local coffee shop? There are plenty of places where you could connect to Wifi that MIGHT have a brother printer on it, and therefore put you at risk. That’s before considering the Botnet problems Thad pointed out.
Re: Re: Re:
You can use a VPN and protect yourself!
Re: Re: Brother??
“There are plenty of places where you could connect to Wifi that MIGHT have a brother printer on it, and therefore put you at risk.”
And exactly how would a Brother printer put one at risk?
Potential security risks from using unauthorized cartridges? Is that really an active malware vector?
If your printer can gain access to your network by reading harmful instructions from compromised ink buckets, your security problem is much too serious to be solved with DRM.
Re: Re:
I second this.
Is this an active malware vector? Do they have examples of it in the wild? Why haven’t news networks jumped at the fear-mongering that would entail? Why didn’t HP SUPPORT that fear-mongering by pushing news networks to release warnings about the ‘dangers’ of third paty ink use?
Perhaps because that would start a series of questions like “Why can your ink cartridge send commands over my LAN?” and “Why does an ink cartridge need a computer chip?”.
As Radix said, If the ink cartridge can access your LAN, you have a huge security problem.
Re: Re: Re:
Actually, I think HP is referring to a third party ink cartridge compromising the printer firmware. I have a difficult time seeing how that could happen as it would require the cartridge to upload malware that the printer controller would then execute. This seem out of the realm of what the cartridge microchip/non-volatile-memory device is intended to do (prevent 3rd party cartridges from working in the printer, provide a means of signalling the printer when the ink is running low, and time/date stamp the ink so that it will no longer work after a predetermined interval of time has past since the cartridge was manufactured).
The interface HP uses to communicate with the cartridge is either I2C or a form of SPI, with the printer controller in control of the communication. The amount of memory in an HP cartridge is pretty limited. It would do little good for a 3rd party to add enough memory to contain malware, as the printer controller will only address those locations where the cartridge ID, manufacture date, manufacturing location, and pages/dots printed are stored. Claiming that 3rd party cartridges are a security risk is a blatant lie.
Re: Re: Re: Re:
Perhaps someone thought that having the controller update itself from the cartridge would be a good way to distribute software upgrades. That way they can update printers that do not connect to the Internet, or are blocked via a firewall.
Re: Re:
Yes, that.
This vector for a security problem would only be because you are putting any kind of chip at all in the ink cartridge that does something non trivial.
If you must have a chip in the cartridge, and communicate with it, the communication should be totally trivial. Ink level. Temperature. Other telemetry. Nothing more. Poke the cartridge, it produces a string or binary result that is easily parsed by the printer’s firmware.
Re: Re:
–Potential security risks from using unauthorized cartridges?
Yea I was reading about this on the dark web the other day.
Some hackers have embedded a Rasberry Pi into the cartridge so it records what the cartridge is printing thus stealing the image. It then transmits the data to via wifi.
Companies like HP seem to think there is an epidemic of customers being scammed by purchasing non-official products. I’d wager that most people who buy a replacement cartridge did so because of cost, which is what the open market is supposed to encourage. If GenericX can make a cheaper print cartridge, why can’t HP, which already has the manufacturing and specs figured out?
Re: Re:
It’s more a case that they think they are being robbed by customers buying non-official products.
Re: Re: Re:
Oh, it’s the famous Lost Sail! (sic)
Not buying a refill cartridge from us is robbery! (sick)
erode confidence.
between what the government and its lapdog police are doing and what corporations are doing, generations of careful trust-building are going out the window without so much as a fare-thee-well.
these pompous posteriors are going to learn a valuable lesson regarding the wisdom of those naïve primitives who begat them.
“….printing experience….”
There. Right there. Thats when I knew the post was a marketing puff piece put together by a bunch of lying sh**tbags.
If you're going to lie, at least try to sound believable
The most recent firmware update included a dynamic security feature that prevented some untested third-party cartridges that use cloned security chips from working, even if they had previously functioned.”
By trying to spin it as them being ‘just so concerned for customer security’ they actually just make it worse. If it was really a matter of customer security, addressing a serious threat then they would have told their customers immediately about the ‘threat’ so their customers could do something about it it, and implemented and activated the ‘security patch’ immediately rather than months later.
Imagine for a moment if an anti-virus/malware company kept an up to date virus/malware detection databases, but only updated the software to detect malicious code on a tri-yearly basis. Would anyone accept their claim that they were concerned about the security of their customers?
Their attempt at defending their actions here isn’t just a lie it’s a terrible lie, the kind of lie you’d expect from someone who honestly thought that they’d never get caught and have to defend their actions, and who is scrambling to come up with anything they can think of to brush it under the rug or try to spin it in their favor.
Illegal in the EU
Chips that detect and block the use of third-party printer cartridges are specifically banned throughout the EU, since about 2000.
Updated cartridges
I had to buy some new black ink cartridges for my HP 8600 officejet printer. On Ebay I noticed some sellers selling cartridges with updated chips on them – I assume that a work around has already been found.
"best printing experience" from three years ago
April 15th, 8pm at a Target trying to find ink cartridge.
The last one they had for my printer didn’t work because it was over 3 yrs old already.
Ended up at Best Buy at 10pm printer shopping so could print out taxes.
Re: "best printing experience" from three years ago
Next time try going to a local hotel and asking if you can print a PDF of your taxes on one of their “guest” computers. They might charge you per page, but it would be cheaper than a new printer from BB. Then get your print cartridge from eBay the next day.
“We’re sorry, really and truly, that we got caught out trying to pull a swifty…and…and…IT’S ALL HILARY CLINTON’S FAULT…”
“When ink cartridges are cloned or counterfeited”
We spent more on developing security chips, than improving our product.
We have a business model that works when we can charge ungodly amounts for our ink, and are shocked that consumers prefer to buy cheaper carts that work.
Rather than improve our product, we just locked everyone else out and will try to use laws to demand the entire world follow the laws of 1 country.
How about you shake up the industry and stop selling the printers well below cost hoping to make up the extra on future ink sales.
Hell scare everyone and develop a unified ink/toner platform.
All your products using a single platform or carts meaning no ones ever screwed running around town looking for the slightly different cart they need for their printer that costs as much as a new printer is on sale for.
Make the recycling program more robust & look for ways to improve the carts & lifespan.
Be the better product, not the product with a chip you wasted money on creating that’ll be hacked in less than a week.
Printer refils
Shouldn’t be able to create security problems in the first place, HP. This is you screwing up. This is you screwing your customers over. This is me never buying your crap again.