Last October, HP Inc issued an over-the-air firmware update to its printers that contained a Trojan Horse of the company’s own making. The update conned printer owners into accepting the update by saying that it was an anti-virus update. Instead, the update reconfigured the printers’ cartridge-reading routines so that they would brick the printer if they detected a non-HP ink cartridge. This Trojan slumbered silently in my wife’s OfficeJet Pro 6978 printer until early December when I inserted a black 902XL ink cartridge from 3^rd-party ink manufacturer LxTek. The printer then rejected the new ink cartridge and refused to print. Instead, the printer displayed an error message and demanded a genuine HP cartridge. Note that this 3^rd-party cartridge came from a partially empty box. Cartridges taken from this same box before the firmware update worked fine.

My wife’s printer was now bricked, until I removed the new ink cartridge and replaced it with the older, empty ink cartridge. Instead of buying a new HP cartridge, I drilled into the LxTek cartridge and used a syringe to extract ink from the new cartridge to refill the old cartridge that did not brick the printer. I lost half of the ink in the process but at least I was able to unbrick the printer in less than an hour.

Before I elaborate on HP Inc’s clumsy attempt to hold my wife’s printer hostage, I want to laud LxTek’s behavior. Good before bad. After I transferred the black ink from LxTek’s cartridge to the working cartridge, I contacted LxTek and explained what happened. A day later, LxTek replied to my email. Here’s the company’s reply:

“Thank you for your purchase and we apologize for the inconvenience.

“HP company has updated their printer models that use 902 ink cartridges. I am afraid this recognition issues of the ink cartridge is caused by the Oct. printer update. We can’t control the printer upgrade, which is a way for the OEM seller to resist our third-party seller.

“But please note that your satisfaction is our first priority. We will try our best to provide first-class after-sales services to compensate for the inconvenience.

“Please let us know the quantity and color of the not working items. We will issue a replacement for the not working items. The new reissue product can be used normally, please rest assured.”

True to their word, LxTek shipped a replacement the next day. That’s the sort of company we all wish to patronize.

Now, for HP Inc. Before making my case, allow me to provide some of my own background. I worked as a design engineer for the Hewlett-Packard Company (HP) in Loveland, Colorado from 1975 to 1980. Back then, Bill Hewlett and Dave Packard still ran the company. Integrity with customers was a top priority for them because their names appeared on the sign over the door. Corporate integrity was drilled into every new employee. It was my first job as an engineer and Bill’s and Dave’s ethics stay with me today, almost 50 years later. Here’s what Packard wrote about corporate responsibility in his book, “The HP Way”:

“Today, Hewlett-Packard operates in many different communities throughout the world. We stress to our people that each of these communities must be better for our presence. This means being sensitive to the needs and interests of the community; it means applying the highest standards of honesty and integrity to all our relationships with individuals and groups; it means enhancing and protecting the physical environment and building attractive plants and offices of which the community can be proud; it means contributing talent, energy, time, and financial support to community projects.”

During my time at HP, engineers from HP Labs in Palo Alto, California visited Loveland to demo a new thermal inkjet printing technology they’d developed. That technology became the basis for HP’s ThinkJet printers and for all the HP inkjet printers to follow. My wife’s OfficeJet Pro 6978 printer is a recent descendant of the original ThinkJet printers. When I buy an HP printer, I’m rooting for my home team. That’s why I am so disappointed and forlorn about this latest attempt by HP Inc to extort money from its customers.

HP has never liked 3^rd-party cartridges for its inkjet and laser printers, with good reason. An outsized chunk of the company’s profits come from the sale of its printer consumables, which includes ink and toner cartridges. To make it difficult for other companies to manufacture replacement ink and toner cartridges for its printers, HP started to install ICs in small circuit boards bonded to the cartridges. HP Inc implemented the latest version of this technology, euphemistically called Dynamic Security, in 2016. The company’s newer printers read information from these chips to help identify genuine HP cartridges, but 3^rd-party vendors have become adept at circumventing these measures with countermeasures. HP has been sued multiple times for its anti-competitive practice of putting and amending these countermeasures.

The latest firmware update to Dynamic Security took place in October. HP conned its printer customers into accepting the firmware update by claiming it was adding antivirus protection to the printer. Who wouldn’t want that? Instead, the firmware update contained HP Trojan Horse code that would invalidate 3^rd-party ink cartridges by completely bricking the printer. (My friend Ron Sartore just encountered this problem as well. He thinks that HP Inc’s Dynamic Security is little more than ransomware.)

HP Inc’s duplicity in this matter goes all the way to the top. In a January 18 video interview on CNBC’s “Squawk Box” earlier this year, here’s what HP CEO Enrique Lores had to say about this matter:

“I think for us, it is important to protect our IP. There is a lot of IP we build in the ink, in printers themselves. And what we’re doing is, when we identify cartridges that are violating our IP, we stop the printer from working.” (Added emphasis is mine)

There are ways to defend IP. Legal ways involving civil lawsuits and courts. Those don’t appear to be the ways HP Inc wants to use in this situation. In this video interview, Lores justifies waging war against 3^rd-party consumables suppliers by weaponizing printers purchased by HP’s customers. Apparently, he views customers as collateral damage.

During this interview, Lores explained that HP uses the razor-razorblade model, a pricing tactic developed by King Camp Gillette in the early 1900s for his personal grooming products. This business model depends on selling a consumable (razor blades or ink cartridges) at a high profit while selling the dependent good (a razor or printer) at a loss or even giving it away for free. The consumables generate the profits. Gillette still employs this business model.

We bought our OfficeJet Pro 6978 printer from Amazon for $181.46 in early 2022. Since then, HP Inc appears to have nearly doubled the printer’s price. When I looked at the printer listing on Amazon while writing this article, I saw that it was now listed for $350. HP Inc’s not giving these printers away. Now, I’ve spent as much as $5000 on computer printers way back in the 1980s, back when printers were made of metal and used ribbons instead of ink or toner cartridges. But these days, printers cost much less because they’re made of plastic and because electronics have gotten much less expensive. Here’s what Lores said about the cost of HP printers during his CNBC interview:

“[It’s] part of the business model developed over time. We sell our printers and make it clear the printers were for HP supplies. We made it very clear from the beginning.”

I don’t seem to remember getting that particular message from HP, although I never doubted that the company would prefer for me to use HP ink cartridges. Later during the interview, Lores stated that people who buy HP printers but then use 3^rd-party cartridges are “bad customers.” He elaborated:

“A customer buys a printer, it’s an investment for us. We’re investing on [sic] this customer. And not using our supplies, it’s a bad investment [for HP].”

CEO Lores then telegraphed true intent towards the end of his CNBC interview:

“Our goal is to reduce the number of unprofitable customers… IT [information technology] has become very difficult. One of the roads we see is how do we make it easy to solve problems like [paper jams], and we have a service to enable that. But also, as we shift the business to a subscription [model], not only for printers but PCs and the rest of the products that we build, that will be an even better [way to solve these problems].”

Now, to be fair, profit and IP protection are not HP Inc’s sole justifications for inserting the Trojan Horse firmware update into its printers. The company claims that it’s possible for hackers to turn ink cartridges into cyberthreats by inserting viruses in an ink or toner cartridge. These viruses can somehow infect the printer’s firmware through the integrated microprocessor and can then escape into PCs on the same network. To me, this statement reflects a fundamental lack of understanding with respect to the various microprocessors and connections involved in this chain.

For proof of its assertion, HP Inc cites an article published on a site called “Actionable Intelligence” and titled “HP Bug Bounty Program Finds Reprogrammable Chips Open Printers to Malware.” The article is dated October 5, 2022 and says that a 3^rd-party hacker working under the auspices of HP Inc’s Bug Bounty program was able to inject malware from a 3^rd-party ink cartridge with a reprogrammable security chip into a printer by exploiting a buffer-overflow bug in HP’s Dynamic Security firmware. HP Inc says that its ink cartridges are not reprogrammable, so they can’t be adulterated with viruses or malware.

HP Inc’s solution to this potential malware threat from 3^rd-party cartridges was to issue multiple firmware updates so that its printers would lock up upon seeing a 3^rd-party ink cartridge in a printer. The printer remains unusable until the 3^rd-party cartridge is replaced by a genuine HP cartridge. Multiple firmware updates are required because 3^rd-party vendors have gotten adept at circumventing HP Inc’s Dynamic Security countermeasures, using the flexibility and fast-turn capabilities of the reprogrammable chips in their ink cartridges.

Note that this malware vulnerability is built into HP’s Dynamic Security firmware, which communicates with the ink cartridges, so HP created this situation by adding Dynamic Security to the printer in the first place. There’s no other reason for the printer to communicate with the chip on the 902XL ink cartridge, which is just a dumb plastic container filled with ink.

The severity of this problem completely escapes me. The printer is in total control of the ink cartridge. Simple mechanisms have existed for decades to prevent buffer-overflow exploits, which are well-known, well-understood software vulnerabilities. But beyond that, why would anyone implement a cartridge security system using a vulnerable message-passing protocol instead of simply reading an ID code from the cartridge? There’s zero possibility of a buffer overflow if the firmware reads exactly the number of bytes in a valid ID. There are many questions about this Dynamic Security firmware from an engineering perspective. If one of your printers manages to suck a virus out of a 3^rd-party ink cartridge, HP, that’s on you.

It may not surprise you to find out that a class-action lawsuit was filed on January 5 against HP Inc with the US District Court in the Northern District of Illinois for the company’s latest “antivirus” firmware update that bricks HP printers. In its introduction, the lawsuit filing states:

“This is a class action brought against HP, Inc., for requiring consumers who had purchased certain brands of printers to use only HP-branded replacement ink cartridges, rather than purchasing ink replacements from its competitors. HP accomplished this through firmware updates it distributed electronically to all registered owners of the printers at issue in this case in late 2022 and early 2023, which effectively disabled the printer if the user installed a replacement ink cartridge that was not HP-branded. In the same time period, HP raised prices on the HP-branded replacement ink cartridges. In effect, HP used the software update to create a monopoly in the aftermarket for replacement cartridges, permitting it to raise prices without fear of being undercut by competitors.”

No doubt, CEO Lores’s CNBC interview justifying HP’s actions in this matter will be submitted to the court by the plaintiffs’s attorneys as evidence of intent. HP Inc’s board of directors might want to discuss the wisdom of allowing CEO Lores in front of a camera again, at least until he gets some basic PR training.

I’ve no illusions that HP Inc is not the HP that employed me half a century ago. However, as an ex-HPite and a now-designated “bad customer” for HP Inc, I’d guess that Bill and Dave are spinning in their graves right about now because of what’s happened to their company.. Hopefully, they’re spinning fast enough to generate some light at HP Inc’s headquarters in Palo Alto.