Does anyone know of any attacks, either PoC or in the wild, that use malicious printer cartridges to infect printers? I saw this article from 2022

https://www.action-intell.com/2022/10/05/hp-bug-bounty-program-finds-reprogrammable-chips-open-printers-to-malware/

It says that HP's Bug Bounty program found such attacks are possible, but there are no details about who reported the bug that made such attacks possible. I remain skeptical about the accuracy.

Any help from experts in the form of pointers to attacks or analysis about whether printer cartridges are a viable infection vector would be much appreciated.

HP Bug Bounty Program Finds Reprogrammable Chips Open Printers to Malware | Actionable Intelligence

HP Inc. reported to Actionable Intelligence that it has confirmed third-party cartridges with reprogrammable chips can be used to inject malware into printers and compromise networks. HP has released a security alert and updated printer firmware to address the problem.


HP CEO Enrique Lores said this about counterfeit ink cartridges this morning on CNBC:

They can "create security issues. We have seen that you can embed viruses in the cartridges, through the cartridges go to the printer, from the printer go to the network. So it can create [inaudible]"

I'm not aware of a single instance of this happening, either as a PoC attack by a researcher or a malicious one in the wild. Seems like the CEO is misspeaking. Any help here from people with experience in malware in embedded devices would be much appreciated.

Quote occurs at 3:28

https://youtu.be/QPRMyQSZGuY?si=EU905oCTcW860xJs&t=208

HP CEO Enrique Lores on PC market trends: 'Significant tailwinds' will continue to drive demand

@dangoodin pure bollocks
@dangoodin and you can quote me on that, as a security professional who has previously worked in 3rd party ink recycling.
@dangoodin if you want a more technical answer: many ink cartridges contain a tiny embedded circuit (typically a CoB ASIC) in the plastic along with metal contacts, to electrically identify it as a "legit" cartridge and track the printed page count so it can claim to be empty after a while. this is intended to prevent refills (rewinding the page count) of first party cartridges, and also prevent third party cartridges from being used.
@dangoodin they're just EEPROMs most of the time, since they don't need to get their own custom ASICs designed and fabricated and can just buy the bare dies or chipscale packages. sometimes they also include some sort of passive "security" check like adding a specific resistance across pins which the printer can detect. some use EEPROMs that offer write or read protection on blocks, where an unlock command must be sent to unlock it. trivial to defeat in practice.

@dangoodin those EEPROMs will contain some magic data that the printer needs to see in order to believe it's a legit ink cartridge. it also tracks the number of printed pages so the cartridge can claim to be empty after a while (they don't detect ink level at all).

I can 99.999% guarantee that even with the most optimal trivial exploit for the printer firmware's parsing of the cartridge data, you cannot weaponise it in any useful way. Why? Because the whole thing is like 32 bytes.

@dangoodin on a combo colour cartridge you might have three or even four separate EEPROM blocks for those colours, so maybe 256 bytes if you're lucky. from which you'd have to trigger the exploit, gain code exec on the printer, and somehow pivot that into malware delivery elsewhere (including storage or download of that malware!)

that is a ludicrously tall order, and would still be strongly predicated on multiple severe firmware bugs in the printer.

@gsuberland @dangoodin
Exactly, if the firmware is really badly buggy a microprocessor emulating an EEPROM could do harm. But if it could, it would be negligent if HP didn't fix these bugs which they apparently know about.
@freemin7 @dangoodin precisely. that's the crux of the dishonesty in his claim - even if these things did somehow exist, they'd 100% be HP's fault and could only persist due to HP's negligence.
@gsuberland @dangoodin If I tried I could write firmware so bad that such security holes exist, but you really would have to try.
Like how do you get a buffer overflow from a 256 byte EEPROM? You'll have to have the cartridge control how much data is read, which is extra effort to implement. HP would need to be actively building such security holes, as with okay software practices they should never occur.
@freemin7 @dangoodin yep. and even if newer stuff is using fancier embedded security tech (e.g. secure element) with more storage, that upgrade inherently raises the bar for building an exploit anyway, and the interaction is still extremely minimal, so there's zero excuse for writing vulnerable code when there's that small of an attack surface area (especially when it's intended to be a security feature, albeit for a shitty goal!)
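As an added illustration of the points above (example code, not written by any participant in this thread and not any vendor's firmware): a parser for a hypothetical 32-byte cartridge record carrying the "magic" marker and page counter gsuberland describes, in which the read length is a compile-time constant and every field is range-checked, so a rewritten chip can only change the values, never the parser's memory accesses. The record layout, the magic constant and the sample bytes are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 32-byte cartridge EEPROM layout, constructed for this example only:
 * bytes 0-1 magic (little-endian) | 2-3 pages printed | 4-5 page capacity |
 * byte 6 colour slot (0 black, 1 cyan, 2 magenta, 3 yellow) | 7-31 reserved */
#define EEPROM_SIZE 32
#define CART_MAGIC  0x4350u   /* constructed value, not a real vendor constant */

typedef struct {
    uint16_t magic, pages_printed, page_capacity;
    uint8_t  colour;
} cartridge_t;

/* Constructed sample image: magic 0x4350, 100 pages printed, capacity 500, magenta. */
static const uint8_t sample_eeprom[EEPROM_SIZE] = { 0x50, 0x43, 0x64, 0x00, 0xF4, 0x01, 0x02 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Firmware side: the amount read is a compile-time constant and every field is
 * range-checked, so the chip can only influence values, not where the code reads.
 * No length or offset is ever taken from the cartridge data itself. */
int parse_cartridge(const uint8_t *img, size_t len, cartridge_t *out) {
    if (img == NULL || out == NULL || len != EEPROM_SIZE) return -1; /* wrong size */
    out->magic         = rd16(img + 0);
    out->pages_printed = rd16(img + 2);
    out->page_capacity = rd16(img + 4);
    out->colour        = img[6];
    if (out->magic != CART_MAGIC) return -2;                 /* not a recognised chip */
    if (out->colour > 3) return -3;                          /* slot index out of range */
    if (out->pages_printed > out->page_capacity) return -4;  /* implausible counter */
    return 0;
}

/* Ink level is never measured: "empty" is purely the counter reaching capacity. */
int cartridge_claims_empty(const cartridge_t *c) {
    return c->pages_printed >= c->page_capacity;
}

int main(void) {
    cartridge_t c;
    int rc = parse_cartridge(sample_eeprom, sizeof sample_eeprom, &c);
    printf("rc=%d pages=%u/%u empty=%d\n", rc, c.pages_printed, c.page_capacity,
           rc == 0 ? cartridge_claims_empty(&c) : -1);
    return 0;
}
```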