A manufacturer of private label ink cartridges for HP printers is working on new “security” chips that should make sure non-HP cartridges are no longer rejected. Consumers can simply replace the old chips with the new ones to start using their non-HP cartridges again.
A week ago, on the 13th of September, several HP printer types started to reject non-HP ink cartridges. Online ink retailer 123inkt.nl found that HP pre-programmed a date in its firmware on which private label, non-HP ink cartridges would no longer be accepted.
HP admitted that it previously made changes to its software and stated it did so to, “protect its intellectual property, innovation and to protect the communication between the cartridge and the printer”
In the same statement HP also said that, “Affected printers will continue to work with refilled cartridges if they contain the original HP security chip. Other cartridges possibly don’t work”.
The use of the word ‘security’ made us wonder what exactly needs to be secured. A report of a lawsuit in 2015 shows that the ‘security’ chips HP is using are developed by ST Micro. This company states on its website that its chips are “particularly well suited for applications exposed to fraud or counterfeiting, such as consumables like printer cartridges”.
The security chips perform authentication using asymmetric cryptography. A document (only still available in Google’s cache) explains how the printer security chips work.
Each chip contains a private key and a certificate that has the approval of the printer, laptop, or mobile-phone manufacturer, as well as identifying information about the product, such as the model number. When a user inserts the consumable product [such as a ink cartridge] into the host product, the host software first requests a random number from the IC’s onboard random-number generator, along with a public key. The host then combines that number with the public key to create a challenge message, which the host sends back to the accessory product.
The IC uses its securely stored private key to compute the elliptic-curve digital signature of the challenge message and sends this digital signature back to the host. Using the corresponding public key, the host verifies the signature. Only an authentic product with knowledge of the private key can produce a correct digital signature. Using the result of the verification, the host decides whether to authenticate the accessory. The host can also determine whether this model number is correct for use with the host and could also use the product to track, for example, how many pages the printer has printed and use that information to send a replacement notification when the ink cartridge is nearly empty.”
The security chips also contain a protected way of counting how many pages are printed using the cartridge which is used to provide an indication on how much ink is still available. As far as security is concerned, we can only conclude that the chips are mainly designed to secure HP’s ink business.
Despite the heavy encryption, it’s still possible to create chips that are accepted by the printer. In 2014 HP sued the company Datel for $30 million because it cracked the security used on HP’s ink cartridge microchips.
Today’s news that a private label ink cartridge manufacturer is working on working on new security chips learns us that the cracking continues and so far HP hasn’t created “security” chips that can’t be cracked. That’s good for consumers, they can continue to use cheaper non-HP cartridges.