HP Offering Big Rewards for Cartridge Vulnerabilities

HP announced on Thursday that it has expanded its bug bounty program, inviting several white hat hackers to find vulnerabilities in its office-class ink and toner cartridges.

The printer giant says it’s working with Bugcrowd to run this program for three months. The program is private and only four researchers have been invited to find vulnerabilities in original HP cartridges.

HP says it has invested roughly $200,000 into this initiative and it’s prepared to award an extra $10,000 for each vulnerability, in addition to the researchers’ base fee.HP adds cartridge vulnerabilities to its bug bounty program

HP has been running a bug bounty program for its printers since 2018 — the company claimed at the time that this was the industry’s first printer bug bounty program. The company says there has been an increase in attacks on embedded systems, and printer firmware may also be targeted.

The company has warned that, in addition to poor printing results and the financial damage they cause to the industry, imitation and fake cartridges can introduce unknown and untrusted electrical hardware into an organization’s network.

“While the industry has become sophisticated at spotting and blocking software-based intrusions, the same can’t be said for hardware. In fact, it is well understood in the IT industry that counterfeit hardware can become the source of hardware-based exploitation,” said Shivaun Albright, chief technologist for print security at HP.

HP says it has taken steps to prevent cartridge chips from being replaced or altered in the supply chain.

“Only Original HP cartridges contain a chip with HP proprietary firmware that is designed to be secure and resistant to tampering. Non-HP supplies include chips of unknown origin that may employ untrusted firmware,” Albright explained. “Given that there is a data interface from the chip to the printer, an attacker with the right skills and resources may be able to uncover and exploit a vulnerability, taking advantage of this interface to inject malicious code.”

Related: Researchers Hijack 28,000 Printers to Show How Easily They Can Be Hacked

Related: HP Patches Critical RCE Flaws in Inkjet Printers

Related: Flaw in HP Touchpoint Analytics Could Impact Many PCs

Related: HP Adds New Malware Protection Solution to Latest Laptops

view counter

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *