The case of the insecure printer

Hewlett Packard (HP) wants you to know that while you pay more up front when you buy genuine new HP ink cartridges, you’ll “actually save you money in the long run.” Yeah, right. I’ve been hearing that siren song from printer vendors since the 1980s.

I don’t buy it. Neither do most printer owners. And neither do companies, whether they’re buying printers (and ink) for the office or for newly-remote workers who’ve had to set up shop at home.

According to a 2019 Consumer Reports survey about printer use, the “most common complaint was the high cost and hassle of replacing ink cartridges — and that affected every inkjet brand in our survey.”

Guess what? I’ve been using replacement inks and cartridges for years and I’ve saved money in the long run. My printed documents look just fine, and my printers work as well as they ever did. I wouldn’t mind buying the real ink, but it costs too much. These days, inkjet ink costs an astronomical $12,000 a gallon. I like good wine, but I’m not paying $2,400 a bottle for it.

Now, this is bad news, but it’s old bad news. We’ve been dealing with it and my all-time favorite printer annoyance — refusing to print in black and white if cyan or some other color is low — for decades.

Lately, though, the printer vendors have started patching their printers with lockdown firmware updates to keep users from refilling cartridges or buying replacement cartridges. HP and Epson last tried this trick in 2016. Do you really want a vendor deliberately crippling your printer, or any other device, with a malicious patch? I sure don’t.

Another variation on the theme came when HP introduced a so-called cartridge protection setting. This not only prevents you from using an alternative, but it also locks the original cartridges to a specific printer, So, for example, if you have an HP OfficeJet Pro 251dw printer and an HP OfficeJet Pro 8600 ink printer — even though they use the exact same HP 950 and 951 cartridges — once used, the cartridges can’t be transferred between models. Is that fun or what?

(Fortunately, it’s not too hard to get around the cartridge protection setting.)

The latest way to make sure the vendor calls the shots is to insist that printers won’t print a page unless they have internet connectivity and are linked to an “HP Smart” account. According to HP, you must connect your HP LaserJet M209dwe, MFP M234dwe, M234sdne, and M234sdwe printers to an HP Smart account before they’ll work. (I expect other printers will soon face the same annoying requirement.)

I’m not happy about this. And it’s not just because I’m sure this will monitor my ink or my laserjet cartridge. I’m ticked off because this is a major security hole in my network. I do not want an unauthorized connection to printers in my network reporting who knows what to HP.

Sure, HP isn’t likely to care what I’m printing. But any printer is a security hole waiting to be popped open. A printer with a built-in, permanent online connection is just asking for trouble. Heck, we’re still fighting with Windows print spooler security foul-ups; I don’t really need another hole in my network.

Printers have always been weak security links. Think about it. Do you allow all your users access to networked printers? Most of us do. That, in turn, means a clever user in the mailroom can see what the CEO has been printing.

Worse still, most modern printers come with embedded web servers (EWSs) to manage settings, get updates, and perform routine maintenance tasks. Yes, this is very handy — but is it secure? Have you recently patched it? Do you even know?

A decade ago at Black Hat, security researchers found that many printers with EWSs had no security hardening to speak of. Indeed, the devices were available directly from the Internet, and often hadn’t even been password-protected.

Though I haven’t researched the current state of printer security in detail, I did look over my own and several friends’ small-business printers. Guess what? They’re all as vulnerable as ever.

I’m not yet turning off my printer. But if you really need a “paper” copy of some document from me, do you mind if I send you a PDF instead? I won’t be using my printer.