The case of the insecure printer

Hewlett Packard (HP) wants you to know that, though you pay more upfront when buying real new HP ink cartridges, you will “actually save money in the long run.” Yes, exactly. I’ve heard this siren chant from printer manufacturers since the 1980s.

I am not buying it. Neither are most printer owners. And neither are companies, whether they are buying printers (and ink) for the office or for new remote workers who had to set up at home.

According to a 2019 Consumer Reports survey on printer usage, the “most frequent complaint was the high cost and effort involved in replacing ink cartridges – and that affected every inkjet brand in our survey.”

Guess what? I’ve been using replacement inks and cartridges for years and have saved money in the long run. My printed documents look fine and my printers work as always. I wouldn’t mind buying the real ink, but it costs too much. Nowadays, inkjet ink costs an astronomical $12,000 per gallon. I like good wine, but I don’t pay $2,400 a bottle for it.

That’s bad news, but it’s old bad news. We’ve been dealing with this, and with my favorite printer nuisance of all time – the refusal to print in black and white when cyan or some other color is low – for decades.

Recently, however, printer manufacturers have started patching their printers with lockdown firmware updates to deter users from refilling cartridges or buying replacement cartridges. HP and Epson last tried this trick in 2016. Do you really want a vendor to intentionally paralyze your printer or other device with a malicious patch? Certainly not me.

Another variation on the theme came when HP introduced a so-called cartridge protection setting. Not only does this prevent you from using an alternative, it also locks the original cartridges to a specific printer. So, for example, if you have an HP OfficeJet Pro 251dw printer and an HP OfficeJet Pro 8600 ink printer – even though they use precisely the same HP 950 and 951 cartridges – once used, the cartridges cannot be transferred between models. Is this fun or what?

(Fortunately, it’s not too difficult to bypass the cartridge protection setting.)

The newest way to make sure the seller is in charge is to insist that printers not print a page unless they have an Internet connection and are linked to an “HP Smart” account. According to HP, you need to connect your HP LaserJet M209dwe, MFP M234dwe, M234sdne, and M234sdwe printers to an HP Smart account before they work. (I expect other printers will soon face the same pesky requirement.)

I am not happy about it. And not just because I’m sure that it will monitor my ink or my laser jet cartridge. I’m ticked because this is a major security flaw on my network. I don’t want printers on my network reporting to HP over a connection I didn’t authorize.

Sure, HP probably doesn’t care what I print. But every printer is a vulnerability waiting to be opened. A printer with a built-in permanent online connection is just a hassle. Hell, we’re still struggling with Windows print spooler security issues; I don’t really need another hole in my network.

Printers have always been weak links in security. Think about it. Do you allow all of your users to access network printers? Most of us do. That, in turn, means that a clever user in the mailroom can see what the CEO has printed.

Worse, most modern printers come with embedded web servers (EWSs) to manage settings, receive updates, and perform routine maintenance tasks. Yes, this is very convenient – but is it safe? Have you patched it recently? Do you even know

A decade ago at Black Hat, security researchers found that many printers’ EWSs had no security hardening to speak of. In fact, the devices were reachable directly from the Internet and often not even password-protected.

While I haven’t researched the current state of printer security in detail, I’ve looked at my own small business printers and those of some friends. Guess what? They are all as vulnerable as ever.

I’m not turning off my printer yet. But if you really need a “hard copy” of a document from me, do you mind if I send you a PDF instead? I will not use my printer.

Copyright © 2021 IDG Communications, Inc.

