@dangoodin and you can quote me on that, as a security professional who has previously worked in 3rd party ink recycling.
@dangoodin if you want a more technical answer: many ink cartridges contain a tiny embedded circuit (typically a CoB ASIC) in the plastic along with metal contacts, to electrically identify it as a "legit" cartridge and track the printed page count so it can claim to be empty after a while. this is intended to prevent refills (rewinding the page count) of first party cartridges, and also prevent third party cartridges from being used.
@dangoodin they're just EEPROMs most of the time, since they don't need to get their own custom ASICs designed and fabricated and can just buy the bare dies or chipscale packages. sometimes they also include some sort of passive "security" check like adding a specific resistance across pins which the printer can detect. some use EEPROMs that offer write or read protection on blocks, where an unlock command must be sent to unlock it. trivial to defeat in practice.
@dangoodin those EEPROMs will contain some magic data that the printer needs to see in order to believe it's a legit ink cartridge. it also tracks the number of printed pages so the cartridge can claim to be empty after a while (they don't detect ink level at all).
I can 99.999% guarantee that even with the most optimal trivial exploit for the printer firmware's parsing of the cartridge data, you cannot weaponise it in any useful way. Why? Because the whole thing is like 32 bytes.
@dangoodin on a combo colour cartridge you might have three or even four separate EEPROM blocks for those colours, so maybe 256 bytes if you're lucky. from which you'd have to trigger the exploit, gain code exec on the printer, and somehow pivot that into malware delivery elsewhere (including storage or download of that malware!)
that is a ludicrously tall order, and would still be strongly predicated on multiple severe firmware bugs in the printer.
@gsuberland @dangoodin So it strcpys into a 32 byte buffer? 😄🤞
@gsuberland I didn't want to share at the level of detail Graham did - but his posts are correct. We (inkjet printers) need extremely little data to enable functional use of the ink cartridge - even if you want to include the DRM angle.
It's total FUD.
I bet you they are much larger after the SCOTUS ruled against Lexmark, probably cryptographically signed content.
@dangoodin (they don't use bigger EEPROMs because those cost money, and ink cartridges are where all the profit margins come from - printers themselves are typically loss leaders)
@gsuberland @dangoodin Exactly, if the firmware is really badly buggy a microprocessor emulating an EEPROM could do harm. But if it could it would be negligent if HP didn't fix these bugs which they apparently know about.
@gsuberland @dangoodin getting this to work would definitely be demoscene magic
@freemin7 @dangoodin precisely. that's the crux of the dishonesty in his claim - even if these things did somehow exist, they'd 100% be HP's fault and could only persist due to HP's negligence.
@gsuberland @dangoodin If I tried I could write firmware so bad that such security holes exist but you really would have to try.
Like how do you get a BufferOverflow from a 256 byte EEPROM? You'll have to have the cartridge control how much data is read which is extra effort to implement. HP would need to be actively building such security holes as with okay software practices they should never occur.
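Added example, not part of the thread and not any vendor's firmware: a host-side parser for a fixed 32-byte cartridge record, showing the one check that keeps a cartridge-supplied length byte from sizing the copy. The record layout, the `INK1` magic and all function names are hypothetical, constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 32-byte cartridge record, constructed for this example:
 *   [0..3] magic "INK1" | [4..7] page count (little-endian)
 *   [8] label length    | [9..31] label bytes                       */
#define REC_SIZE  32
#define LABEL_OFF 9
#define LABEL_MAX (REC_SIZE - LABEL_OFF)

struct cartridge { uint32_t pages; char label[LABEL_MAX + 1]; };
enum parse_result { PARSE_OK, PARSE_BAD_SIZE, PARSE_BAD_MAGIC, PARSE_BAD_LEN };

/* The host reads a fixed REC_SIZE bytes. The length byte inside the record
 * is device-controlled, so it is checked against the space that exists. */
enum parse_result parse_cartridge(const uint8_t *rec, size_t n, struct cartridge *out)
{
    if (n != REC_SIZE) return PARSE_BAD_SIZE;
    if (memcmp(rec, "INK1", 4) != 0) return PARSE_BAD_MAGIC;
    uint8_t len = rec[8];
    if (len > LABEL_MAX) return PARSE_BAD_LEN; /* omit this and memcpy overruns */
    out->pages = (uint32_t)rec[4] | (uint32_t)rec[5] << 8 |
                 (uint32_t)rec[6] << 16 | (uint32_t)rec[7] << 24;
    memcpy(out->label, rec + LABEL_OFF, len);
    out->label[len] = '\0';
    return PARSE_OK;
}

/* Constructed sample: valid magic, page count 298, label "CYAN", and a
 * length byte chosen by the caller to stand in for a hostile cartridge. */
enum parse_result parse_sample(uint8_t len_byte, struct cartridge *out)
{
    uint8_t rec[REC_SIZE] = { 'I','N','K','1', 0x2A,0x01,0,0, 0, 'C','Y','A','N' };
    rec[8] = len_byte;
    return parse_cartridge(rec, sizeof rec, out);
}

int main(void)
{
    struct cartridge c;
    enum parse_result ok = parse_sample(4, &c);
    printf("len=4   -> %d pages=%u label=%s\n", ok, (unsigned)c.pages, c.label);
    printf("len=200 -> %d\n", parse_sample(200, &c));
    return 0;
}
```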
@freemin7 @dangoodin yep. and even if newer stuff is using fancier embedded security tech (e.g. secure element) with more storage, that upgrade inherently raises the bar for building an exploit anyway, and the interaction is still extremely minimal, so there's zero excuse for writing vulnerable code when there's that small of an attack surface area (especially when it's intended to be a security feature, albeit for a shitty goal!)
@dangoodin you could, I suppose, embed a microcontroller into the cartridge to emulate an EEPROM with much larger storage capacity, but that's a *lot* of manual work, and is nontrivial due to the CoB wire bonding (a wire bonding tool costs ten grand plus!)
literally nobody in the third party ink space is going to do this. nation states doing targeted attacks *might* bother, maybe, but there are usually much cheaper and easier vectors than these wacky theorised ink supply chain attacks.
@dangoodin so yeah, I call bullshit on this guy's claim. he has profit motive and I think he's a liar.
I've seen and done some truly wacky hardware stuff in my life, including hiding data in SPD EEPROMs on memory DIMMs (and replacing them with microcontrollers for similar shenanigans), so believe me when I say that his claim is wildly implausible even in a lab setting, let alone in the wild, and let alone at any scale that impacts businesses or individuals rather than selected political actors.
@dangoodin I should also point out that the EEPROMs they embed in the plastic for DRM purposes are a large part of why almost all printer ink cartridges end up in landfill rather than plastic recycling.
they also know that "eco" models of printers that use refillable liquid ink hoppers rather than cartridges don't allow them to artificially lock consumers into their ecosystem, because you can buy the ink from whoever you like, so it benefits them greatly to spread FUD about third parties.
@gsuberland @dangoodin And even then, that's just a representative that just said, on record, that they sell printers with firmware so badly written that you can infect it through an interface.
Really not sure how fast any interviewer must have been asleep at that point to not jump up and say something like "so you're saying all your printers are a security risk and should not be used where confidential documents are printed? Are you going to issue a recall or just send replacements?"
Hey @gsuberland, totally fine with you perusing my talking point there, but would love if you added a link to my post above to your current "CEOs like that need to be called out on their BS" thread :) (I'm not into fame, it's just that I know that due to mastodon's sketchy nearly-federation, chances are a lot of your subscribers will not see that context, being from a different server)
@funkylab I wasn't specifically pursuing your point (I had the same conversation off-site and IRL in tandem, and the same points were made) but can still link if you want?
@gsuberland no really, if you think the thread you link to is enough context in itself, that's fine. Really really not keen on the notification torrent this might bring, especially since everything even remotely infosec related is just a magnet for bad hot takes...
@funkylab with you being on m.s it should federate to pretty much everywhere anyway so if folks are reading the thread they'll see your replies ^_^
@gsuberland :) I better go to bed, then ;)
@dangoodin the ink in each standard cartridge costs less than a penny to make. the plastic costs a few pennies. so you can imagine why they're so enamoured with keeping customers buying stuff from their consumables ecosystem at premium prices. the profit margins are ridiculous. that's also why in the mid-to-late 2000s there was such a race to the bottom on printer prices, offering them for £30 or even less. they sold them as loss leaders knowing that the median lifetime ink purchase made profit.
@gsuberland I know of one particular brand of "eco" printer that, while you can use any ink in it, DRM-locks itself after every 10th or so refill, requiring an expensive technician's visit to replace a waste ink sponge and reset the DRM.
@gsuberland That's how they get you! Evil fuckers.
@gsuberland @dangoodin Good info. Thanks. I decided long ago never to buy another HP product when I learned that my multi-function printer (Officejet Pro 8600 Plus) wouldn't scan a page unless it had a full complement of ink cartridges. Interested to know what you use for printing.
@samueljohnson @dangoodin the cheapest laser printer I could find