Written by Edward Gately October 1, 2020
Printers are a commonly overlooked endpoint on a network.
HP just expanded its bug bounty program to stop cybercriminals from exploiting office-class ink and toner cartridge vulnerabilities.
The company made the announcement in recognition of the start of Cybersecurity Awareness Month. It’s part of HPs plan to deliver defense across all aspects of printing. That includes supply chain, cartridge chip, cartridge packaging, firmware and printer hardware.
As part of the HP bug bounty program, Bugcrowd will conduct a three-month program in which it challenges four professional white-hat hackers to identify vulnerabilities in HP original print cartridges. HP will award an extra $10,000 per vulnerability in addition to their base fee if they succeed.
Ensuring Print Hardware is Crucial
Shivaun Albright is HP’s chief technologist for print security. She said HP’s cartridges have built-in security.
“Printers, especially networked printers, are a commonly overlooked endpoint on a network,” she said. “Without proper security protocols enabled, these endpoints may become a target for cyberattacks. Ensuring your print hardware is secure is a crucial step. The office ink/toner print cartridge may also be an entry point for attackers with the right motivation and skill set.”
At this time, HP doesn’t have a known instance of malware on a non-HP cartridge chip infecting an HP office-class printer with up-to-date firmware, Albright said. However, there have been cases of malware on a chip on another OEM cartridge infecting the printer.
“Finding these vulnerabilities is definitely challenging,” she said. “We have engaged with Bugcrowd to work with experts in print technology that are uniquely positioned to uncover vulnerabilities that might not otherwise be detected through our own testing.”
Printers Heavily Targeted
Quocirca’s Print Security 2019 report shows 59% of businesses reported a print-related data loss in the past year. COVID-19 has only added new complexities as many employees increase their remote printing practices. That triggered even more potential vulnerabilities for their employers.
“We launched the first ever bug bounty program for printers in July 2018 with tremendous success,” Albright said. “Through that program, we identified approximately 40 vulnerabilities. These programs help us to find zero-day vulnerabilities and patch them before launch of new products, and for ongoing maintenance to our existing products.”
HP takes these findings and incorporates them into its testing processes, she said. It also analyzes issues found by its bug bounty researchers across its product line.
Nearly 90% of enterprises say they have suffered at least one data loss through unsecured printing, according to Moor Insights & Strategies.
“HP has been a leader in print security for many years now, establishing new industry cybersecurity standards and garnering praise from third-party security testing labs for having some of the most secure printers,” said Mark Vena, Moor senior analyst. “Leadership in this area, particularly focused on secure hardware features and a firmware-based approach with imaging devices, could not come at a better time.”