HP bug bounty program now covers flaws in cartridges

Pierluigi Paganini October 03, 2020

HP is inviting several white hat hackers to find vulnerabilities in its office-class ink and toner cartridges as part of its bug bounty program.

HP has expanded the line of products covered by its bug bounty program. On Thursday the IT giant invited several white hat hackers to find and report vulnerabilities in its office-class ink and toner cartridges.

“Today, in recognition of Cybersecurity Awareness Month (U.S.), HP Inc. (NYSE: HPQ) announced it has expanded its Bug Bounty program to focus specifically on office-class print cartridge security vulnerabilities.” reads the announcement published by the company. “The program underscores HP’s commitment to delivering defense-in-depth across all aspects of printing—including supply chain, cartridge chip, cartridge packaging, firmware and printer hardware.”

The company is working with Bugcrowd to run a private bug bounty program for a duration of three months. Because the program is private, only four bug hunters have been invited to participate.

The company will pay $10,000 for each vulnerability found in original HP cartridges; it invested roughly $200,000 in this program.

HP has covered printers in its bug bounty program since 2018, paying rewards that range between $500 and $10,000 per flaw. The initiative aimed at securing this specific category of office devices, which are increasingly targeted by hackers in an attempt to gain access to enterprise networks.

“Bad actors aiming to exploit printers with sophisticated malware pose an ever-present and growing threat to businesses and individuals alike,” said Shivaun Albright, HP Chief Technologist for Print Security. “Security features need to go beyond the hardware and include the cartridge for an end-to-end secure system that protects your network and information. HP is committed to staying ahead by expanding our Bug Bounty Program and hiring some of the brightest cybersecurity experts across the globe to help us uncover potential risks so they can be fixed before any harm is done.”

HP added that it has taken steps to prevent cartridge chips from being replaced or altered in the supply chain; the move aims to prevent fake cartridges from being used by businesses.

The company pointed out that non-HP supplies could include chips of unknown origin that may run untrusted firmware. Threat actors with the right skills and resources may be able to exploit backdoors and vulnerabilities in the firmware to gain access to the network of the organizations hosting the printers.

“In our increasingly connected world, any connected device can become an avenue of attack for hackers. Keeping up requires continuous investment and dedicated research. That’s why HP is committed to pursuing focused and rigorous testing, both internally and with third parties, to better protect its customers and partners.” concludes the announcement. “For more information on the threat landscape, the size of the problem and HP’s strategy to ward off potential threats, visit Is Your Printer The New Trojan Horse from Moor Insights & Strategies and HP Office Cartridge Security Printing: Security from Start to Finish from Keypoint Intelligence/InfoTrends.”


(SecurityAffairs – hacking, cartridges)
