HP is making your office printer more secure with help from hackers

New Bug Bounty cybersecurity program offers rewards for finding vulnerabilities in HP’s commercial printers.

By Sarah Murry — August 2, 2018

WannaCry. Meltdown. Mirai. NotPetya.

These (seemingly nonsensical) noms-de-guerre for major cyberattacks over the past few years still strike fear into the heart of every CISO office — and they should. The frequency and sophistication of such attacks are indisputably on the rise — as is the tidal wave of damage they cause in their wake.

Companies need all the help they can get staying ahead of the security curve. It’s why HP is tapping security researchers around the globe — commonly called “white hat” or “ethical” hackers — to help it spot security risks before attackers can gain control of a connected device and compromise sensitive data.

“The odds are against us,” says Shivaun Albright, Chief Technologist, Print Security, and member of HP’s Security Advisory Board. “With millions of attacks being introduced on an ongoing basis, we need to be sure that we are setting a high bar.”

Bug bounty programs aren’t new, but HP this week unveiled a fresh twist on one — it’s the first of its kind for a printer company. Ahead of the Black Hat conference in Las Vegas, HP is opening the curtains to some of its code, with the hopes that transparency and some well-placed cash rewards will prompt creative hackers to find hidden vulnerabilities in office printers.

HP is working with BugCrowd to help verify reported threats and reward security researchers (an industry word for hackers) based on the severity of the flaw, with incentives ranging from $500 to $10,000. It’s part of an ongoing effort by HP to design and develop products with security in mind from the hardware on up the stack. 

The weakest link could be the printer

Malevolent hackers are always going to look for the weakest link in the network. And most often it’s the (sometimes neglected) office printer. In fact, HP says that 1 in 3 office printers are unsecured. “What we are all not really savvy to is that a printer is really just a computer under the hood, that can act as a gateway for an attacker,” says MedSec Chief Executive Justine Bone, who also serves as a member of HP’s Security Advisory Board. “Then there are much more lucrative and attractive systems that can be reached from that one printer.”

And once the network’s been breached, it can be incredibly costly to remediate, especially in the case of ransomware attacks. Such attacks, where important data or access is held hostage for a ransom, are projected to cost some $8 billion this year. “One of the trends we are seeing is the use of more destructive attacks, where once hackers gain control of the device and breach the network, they hold data hostage,” Albright says. “In some instances, even if you paid the ransom, you aren’t able to get that data back.”

Security requires a community

As flaws or vulnerabilities are reported to the Bug Bounty program, HP uses that information not only to patch the loophole but also to improve its own internal testing processes. HP also engages with the security researchers who found them and tries to identify all of the potential attack methods. That intel gets incorporated into the next iteration of the product, Albright explains.

“Once we understand the threats that are out there in the industry, we design our products with security requirements from the beginning, so we have the best defenses we possibly can,” she says.

Bug bounty programs help companies like HP broaden their expertise in the ever-expanding frontier of malevolent hacking.

“There are so many different ways to come at attacking a machine and so many techniques that can be deployed,” Bone says. “By crowdsourcing and opening up to all the ways that attackers think ultimately make our devices that much more resilient.”
