Obsolete and vulnerable?
Posted: September 13, 2017
For the past few years, I’ve had this HP Photosmart printer. It’s served me well, with nary a problem. Recently, I needed to replace ink, so I spent the usual $60+ to replace all the cartridges, and then it didn’t work…
An endless cycle of “check the ink” ensued, at which point I thought, OK, I can buy some more cartridges, rinse, repeat, or I can buy another printer. This is the problem with printers these days. Since all the money is made on the consumables, buying a new printer is anywhere from a rebated ‘free’, to a few hundred dollars. Even laser printers, which used to cost $10,000 when Apple came out with their first one back in the day, are a measly $300 for a color laser!
So, I did some research. In the end I decided on the HP MFP M277dw.
It’s a pretty little beast. It came with an installation CD, which is normal for such things. But, since my machine doesn’t have a CD/DVD/BFD player in it, I installed software from their website instead.
It’s not often that I install hardware in my machine, so it’s a remarkable event. It’s kind of like those passwords you only have to use once a year. You’ll naturally try to follow the most expedient path. So, I download and install the HP installer appropriate for this device and my OS. No MD5 checksum available, so I just trust that the download from HP (at least over HTTPS) is good. But, these days, any compromise to that software is probably deep in the firmware of the printer already.
The screens are typical, a list of actions that are going to occur by default. These include automatic update, customer feedback, and some other things that don’t sound that interesting to the core functioning of my printer. The choice to turn these options off is hidden behind a blue-colored link at the bottom of the screen. Quite unobtrusive, and if I’m color blind, I won’t even notice it. It’s not a button, just some blue text. So, I click the text, which turns on some check boxes, which I can check to turn off various features.
So, further with the installation, “Do I want HP Connect?” Well, I don’t know, I don’t know what that is. So, I leave that checked. Things rumble along, and a couple of test print pages are printed. One says: “Congratulations!” and proceeds to give me the details on how I can send email to my printer for printing from anywhere on the planet! Well, that’s not what I want, and I’m sure it involves having the printer talk to a service out on the internet looking for print requests, or worse, it’s installed a reverse proxy on my network, punching a vulnerability hole in the same. It just so happens a web page for printer configuration shows up as well, and I figure out how to turn that particular feature off. But what else did it do?
Up pops a dialog window telling me it would like to authenticate my cartridges, giving me untold riches in the process. Just another attempt to get more information on my printer, my machines, and my usage. I just close that window, and away we go.
I’m thinking, I’m a Microsoft employee. I’ve been around computers my entire life. I probably upgrade things more than the average user. I know hardware, identity, security, networking, and the like. I’m at least an “experienced” user. It baffles me to think of how a ‘less experienced’ user would deal with this whole situation. Most likely, they’d go with the defaults, just clicking “OK” when required to get the darned thing running. In so doing, they’d be giving away a lot more information than they think, and exposing their machine to a lot more outside vulnerabilities than they’d care to think about. There’s got to be a better way.
Ideally, I think I’d have a ‘home’ computer, like ‘Jarvis’ for Tony Stark. This is a home AI that knows about me, my family, our habits and concerns. When I want to install a new piece of kit in the house, I should just be able to put that thing on the network, and Jarvis will take care of the rest, negotiating with the printer and manufacturer to get basic drivers installed where appropriate, and only sharing what personal information I want shared, based on knowing my habits and desires. This sort of digital assistant is needed even more by the elderly, who are awash in technology that’s rapidly escaping their grasp. Heck, forget the elderly, even for average computer users whose interaction with a ‘computer’ extends to their cell phones, tablets, and console gaming rigs, this stuff is just not getting any easier.
So, more than just hope, this lesson in hardware installation reminds me that the future of computing doesn’t always lie in the shiny new stuff. Sometimes it’s just about making the mundane work in an easier, more secure fashion.