Dan GoodinJan 19, 2024

Does anyone know of any attacks, either PoC or in the wild, that use malicious printer cartridges to infect printers? I saw this article from 2022

https://www.action-intell.com/2022/10/05/hp-bug-bounty-program-finds-reprogrammable-chips-open-printers-to-malware/

It says that HP's Bug Bounty program found such attacks are possible, but there are no details about who reported the bug that made such attacks possible. I remain skeptical about the accuracy.

Any help from experts in the form of pointers to attacks or analysis about whether printer cartridges are a viable infection vector would be much appreciated.

HP Bug Bounty Program Finds Reprogrammable Chips Open Printers to Malware | Actionable Intelligence

HP Inc. reported to Actionable Intelligence that it has confirmed third-party cartridges with reprogrammable chips can be used to inject malware into printers and compromise networks. HP has released a security alert and updated printer firmware to address the problem.

Actionable Intelligence | Market Research for digital printer and MFP hardware and supplies
Show threadDan GoodinJan 19, 2024

HP CEO Enrique Lores said this about counterfeit ink cartridges this morningon CNBC:

They can "create security issues. We have seen that you can embed viruses in the cartridges, through the cartridges go to the printer, from the printer go to the network. So it can create [inaudible]"

I'm not aware of a single instance of this happening, either as a PoC attack by a researcher or a malicious one in the wild. Seems like the CEO is misspeaking. Any help here from people with experience in malware in embedded devices would be much appreciated.

Quote occurs at 3:28

https://youtu.be/QPRMyQSZGuY?si=EU905oCTcW860xJs&t=208

HP CEO Enrique Lores on PC market trends: 'Significant tailwinds' will continue to drive demand

YouTube
Show threadGraham Sutherland / PolynomialJan 19, 2024
@dangoodin pure bollocks
Show threadGraham Sutherland / PolynomialJan 19, 2024
@dangoodin and you can quote me on that, as a security professional who has previously worked in 3rd party ink recycling.
Show threadjasegJan 19, 2024
@dangoodin As someone currently doing a PhD in hardware security stuff atm, what @gsuberland writes here is 100% accurate. This is just a desperate manufacturer spreading FUD for profit.
Show threadjasegJan 19, 2024
@dangoodin @gsuberland Proof by construction why this is a made-up attack scenario: If an aftermarket ink manufacturer wanted to infect your computer with malware, instead of doing some complex multi-level exploit chain from the ink cartridge through the printer into the printer driver, they could just put a little CD-ROM (or QR code link) to their malware renamed to "setup.exe" into the box, and break their cartridges enough that they don't work.
Show threadJohann-Tobias SchägJan 19, 2024
@jaseg @dangoodin @gsuberland
But advanced persistent threat with a setup.exe? Avira will never run on your printer much easier to hide a virus there! /unironically true but sarcastic
Show threadjasegJan 19, 2024
@freemin7 @dangoodin @gsuberland It is my professional opinion that people worrying about APTs should not get their infosec advice from a printer manufacturer 🤣
Show threadJohann-Tobias Schäg
@jaseg @dangoodin @gsuberland
... Wait if the read lines are sufficiently unbuffered a malicious printer chip might be able to pull of a fault injection with a voltage glitch attack 💥
Jan 19, 2024 at 9:14pmWeb