HP Warns Third-Party Ink and Toner Cartridges Can be Security Vulnerability
We all know that network-connected printers and MFPs can be security vulnerabilities, and that if precautions aren’t taken (such as enabling strong passwords), they and the data they process can be hacked.
A recent bulletin from HP Inc. also warns that third-party toner and ink cartridges can be security vulnerabilities, as these cartridges contain computer chips that can potentially be altered or replaced, and then used to download malware to printers.
In contrast, HP says it’s secured its ink and toner cartridges from start to finish in order to prevent altering or replacing cartridge chips.
Securing the Supply Chain
HP says it’s vigilant about recognizing and mitigating security risks in its supply chain to help reduce the risk of malicious code entering cartridge chips. It takes various measures to protect the chip from being replaced or altered while in the supply chain.
Overall, it says it and its partners carefully manage internal supply chains, working with partners that follow industry best practices on security, and partnering with security experts.
The firm notes that HP chips are manufactured in secure facilities, and that chips are certified as EAL5+, and/or manufactured in facilities where products have achieved EAL5+ certification.
HP say that HP office-class cartridges contain a chip with HP proprietary firmware that’s designed from the ground up to be secure and resistant to tampering.
In contrast, non-HP supplies include chips of unknown origin that may employ un-trusted firmware. The firm notes that since there’s a data interface from the chip to the printer, an attacker with the right skills and resources may be able to uncover and exploit a vulnerability, taking advantage of this interface to add malicious code.
In contrast, HP chips contain tamper-resistant HP firmware. The HP proprietary firmware on HP office-class cartridge chips cannot be modified by third parties after production.
The company also says that non-HP cartridge and chip suppliers claim their chips can be reprogrammed, and even sell devices online that can modify data elements and firmware.
HP Smart Card Technology
HP says that original HP office printer cartridges introduced since 2015 use smart card technology for maximum data integrity with best-known resistance to tampering and hacking.
Additionally, HP smart card technology includes a printer verification of authenticity to ensure that supplies are Original HP supplies
Cartridge Packaging Security
HP explains that its cartridge packaging incorporates a specialized construction design and glues for tamper-resistant packaging. The security label on the box also incorporates
both manual and machine-readable elements, including an identifier that is tracked through the HP supply chain.
HP adds further security with a zip-strip sealed inner package and, for some Asia Pacific countries and products, provides a tamper-evident label on the tear strip
For more information on HP’s securing of printer supplies, visit HP here.