HP firmware update blocks 'non-HP chip' cartridges

I rediscovered the Wayback Machine several months ago, and it’s still a very useful thing to have around.

Do you report that person in the supermarket who grabbed some grapes to eat along the way? Would police (or the supermarket) actually do anything if you did? What about the person who cut in front of you in the car park?

There are crimes being committed around us every day, and in many cases the most we can do is try to shame the offender. In some cases the only safe thing we can do is look the other way.

A crime, like a sin, exists in the eye of the beholder. No legal action is necessary for me to know that it is wrong to eat grapes that are being sold without paying for them. It may not be a sin to me, but it is a crime.

Turn Off automatic updates, they are On by Default by HP

Or block all internet access for the printer if you don’t need to access the printer yourself from the internet.

You can achieve that block by giving the printer an incorrect internet gateway IP address (easy but not completely robust) or by blocking that access in your router (a little bit more effort but almost completely robust).

If you are already running something like Pi-Hole in order to block ads then you could also use Pi-Hole to block access (easy but not completely robust).

And, as with anything, belt and braces. Given that this is effectively HP stealing money from you, consider doing more than one of the above.

Update: I have received the replacement toner cartridges from the Ink Station, the supplier. Three of the four came up with a message that these are not genuine, and HP can not guarantee the quality or reliability. I accepted the message and they worked.

Unfortunately, one toner gave me HP’s message about detecting a non-genuine chip which refused to allow me to proceed. I contacted the seller again, and they felt that all the other cartridges in that batch would fail as well, so they have sourced a cartridge from another supplier for me in the hope that that will work. Excellent service from Ink Station!

Understood there are those options. Sound advice for some of us to consider.

An aside:
I often wonder how appropriate any advice knowing there are many who find all technology challenging. These households likely still have home wifi that is set up with all the default settings out of the box from their internet service provider (RSP/ISP). Adding a device such as a printer relies on simply pushing the WPS button and accepting any prompts on the printer. Alternately connecting to the web page listed in the printer install manual, downloading an App and hey presto all works.

The same customers are likely to have a mobile device or two, possibly also set up with the original defaults, auto updates optionally on or off. I know several who have deliberately found the way to turn updates off because in simple English - ‘it stuffs the device up and I can’t find things anymore’. Many of us learn to work with technology by wrote, IE repeating exactly the same steps expecting symbols/icons to always look the same, rest in the same place and behave as always.

For those who take the path of least learning and tend to stress over tech - I’ve found phone a friend (me usually being the friend) does not always help. Techie to techie the language is shared. For those less inclined translation takes time. It’s easy to see why, even when one does not agree with the outcome, there are those who will bin a product and buy a different brand. Hope springs eternal.

I’m sure that there are households to whom everything you wrote applies. There will be a range of households represented by readers of this forum. Some of them will be able to take my suggestions as pointers in the right direction, and benefit, - and some won’t. Those who don’t will just have to run the risk that a printer update suddenly renders their third party cartridges worthless.

Maybe there is a fundamental flaw with being such avid adopters of technology while at the same time being so little in control of that technology, and in some cases the reverse being true. However that might be a bigger topic than third party cartridges. To my mind, this is a legislative problem. The law helps those who can’t help themselves. Well, sometimes.

The OP at least seems to be making progress.

Final update: Ink Station has sent me another magenta toner cartridge they sourced from another vendor. It works aside from the non-genuine chip which produces a ‘HP can’t guarantee it’ message. Great service from Ink Station.

Never had a problem with Ink station cartridges on my HP Printer.

Later in the interview, he added: “Every time a customer buys a printer, it’s an investment for us. We are investing in that customer, and if that customer doesn’t print enough or doesn’t use our supplies, it’s a bad investment.”

… says it all really. I’d never buy an HP printer …

HP is also on my list of ‘Never Buy From Them Again’ manufacturers. I used to love their laptops and printers but they started chasing the cheap end of the market 10-15 years ago and everything from printers to computer mice and even mousepads are rubbish.

I wonder if Alan Joyce was HP CEO around that time?

The real problem is the “race to the bottom” where the up front purchase price is subsidised by the ongoing cost of consumables (and that is across many makes, not just HP; and that is what the linked article is probably referring to). This is not necessarily good for the consumer and unlikely to be good for the environment.

As soon as my HP printer stopped working because of non-HP cartridges I brought a EPSON ET-4800 which uses tubes of dry powder. I’ve been really happy with it and satisfied that I’m not captive and black mailed by HP. I will NEVER support HP products again.

JBTW. Quoting Epson … " The Epson EcoTank ET-4800 wireless all-in-one printer offers cartridge-free printing with easy-to-fill, supersized ink tanks."

Basically, ‘we designed our printers so poorly that the ink cartridge has enough smarts to run malware’.

Security nerds (including some apparent experts) on Mastodon suggest that this is garbage.

Surely at this point consumers should be running from all HP products given that they boldly claim such idiotic design.

HP is claiming as fact that such an attack is possible. So either they are outright lying (in order to spread FUD and boost cartridge sales) or the security experts are simply wrong. I am reminded of the following quote from Arthur C Clarke: https://www.brainyquote.com/quotes/arthur_c_clarke_100793

Of course you are correct that such an attack is only possible due to deficient coding inside the printer, for which HP must take the blame. (Likewise, the attack can only spread from the printer to the PC - as claimed in the article - due to deficient coding in the software on the PC, for which it is more likely that Microsoft must take the blame, but it could be HP again, or it could be another software supplier.)

If you really claim that they are outright lying then they have taken the theatre a long way - by actually releasing a purported firmware update for the printer to defend against the attack.

You may be surprised at the level of functionality in these “id chips” - and with functionality may come successful security compromise. So I do not discount that what HP says is true.

Since HP claims to have released a firmware update, it may be that with any updated printer, the attack cannot now succeed in the wild (so someone speaking 2 years later can be correct without contradicting the earlier claim).

However I am willing to bet that not all printers in the world have received their update. (For example, I have intentionally set the gateway in the network configuration on one of my printers to a bogus value - thereby discouraging it from phoning home.)

However let’s be real: This would be a sophisticated attack, required detailed knowledge of the internals of the id chip, as well as knowledge of the internals of the printer, as well as requiring a blended attack in order to get to the PC from the printer. It is much much more likely that you will be a victim of a far simpler attack.

Attack via maliciously reprogrammed printer cartridges sounds like the sort of attack that one nation state actor would undertake against another nation state actor. It would however be a very desirable and sensible attack against an airgapped network, where many of the more conventional attacks will not be possible.

I guess if that is your motivation (rather than just the Total Cost of Ownership) then you should verify the security of your chosen alternative. (I would be surprised if HP printers are the only printers in the world to have security flaws in the firmware - but I didn’t go off to search for examples.)

My understanding is that this is the ‘update’ that bricks printers with non-HP ink cartridges. Sure, it stops any further possibility of cyber-attack - but I would consider such an ‘update’ to be malware as it stops the printer from functioning.

HP is talking about malware contained in the ink cartridge chip. As the Mastodon thread discusses, this has incredibly limited storage capacity (measured in bytes rather than even kilobytes) - to the point where even if a malware writer could develop an exploit small enough to fit in that capacity it should be trivial to fully secure the device against such malware. This is a chip whose only legitimate functions are “I have ink of x colour” and “I have x% of my capacity remaining”! (It may also have the function “I was made by HP”, but from the user perspective that is not a legitimate or useful function.)

In reality it would need only about 8 bits at an address to support almost a rainbow of colour options (256 colours), for remaining capacity a similar number of bits (actually can be expressed in 7 bits) would be more than adequate, and as to genuine or not, one bit would be sufficient. Cartridge type might take a couple of bytes as they have such a broad selection of different printers and thus cartridges. They might like to add some buffer space so only those addresses would be interrogated without mistake on reading and writing and some could be made unwritable once set (e.g. genuine or not and colour). The interpretation of the chip content would be done by the printer firmware, thus a chip would be a poor target for malware based on capacity. Seems to me more like a way to lock the firmware into using only HP product and stopping after market cartridge use as a means to garner greater profits. Scaremongering to bolster profits might be one way to see these changes and assertions.

There is an unlikely potential that they install chips with higher storage capacity to allow additional coding to be included on the chip…but, there is a risk the printing device won’t recognise the chip due to increased capacity. The other factor is will the code be executable, again unlikely in the print cartridge context.

Microprocessors such as those used on print cartridges, SIMs, credit cards, can have many kilobytes of programmable ROM for execution code and constant data, plus a half Kbytes or so of working RAM.

That is plenty of space to hold a malicious program. After all, the master boot record used to boot up PCs was only 512 bytes.

I think that what HP is getting at is they make it hard to reprogram the micro chips they use, whereas the chips in other cartridges by third party makers have been demonstrated to be easier to reprogram. Probably because they need to be to keep up with HP changes.