By Le Williams | 2 years ago
On Tuesday, HP announced its first bug bounty program that specifically targets its printers, offering as much as $10,000 to researchers or “hackers” who can detect vulnerabilities on its machines.
Companies such as Google and Facebook have turned to bug bounties as a way to bolster their security.
HP commenced its program in May with 34 committed researchers.
In an interview last week, the company’s chief technologist for printer security, Shivaun Albright, said HP has already paid $10,000 to a hacker who found a serious flaw in its printers.
“The company is focused on printer security because of the vulnerabilities of internet of things devices,” Albright said. “While there’s a heavy focus on connected devices and their security flaws, it’s often on web cameras, smart televisions or lightbulbs, not printers,” she further explained.
The HP technologist noted that printers may be the oldest and most common IoT device a person owns.
“They’ve been around for a long time, even before the term ‘IoT’ was out there,” she said. “The issue is, why do customers not consider printers as IoT?”
In 2016, the Mirai botnet, a massive network of hacked devices used to wreak havoc online, caused a major web outage that took down popular sites like Twitter, Netflix, and Reddit.
“The botnet used hacked IoT devices, like webcams and DVRs, but printers were also a part of that mix,” Albright said.
HP’s bug bounty program will be run through Bugcrowd, a platform that facilitates payouts and invites. The program is currently private, with Bugcrowd handling which researchers are invited to join. Albright said HP is interested in making it public in the future, but is keeping it closed for now to better manage incoming vulnerabilities.
The invited researchers will have remote access to 15 printers, which are isolated in HP’s offices. From their home computers, the researchers can pry into these machines to find any hidden vulnerabilities.