The Electronic Frontier Foundation (EFF) sent a letter to the Texas Attorney General's office regarding possible firmware updates released by Epson for their printers which disabled support for third-party inks.
Moreover, the EFF found out about Epson's problematic firmware upgrade from a Texas supporter and sent a letter to the Texas Attorney General's office asking the consumer protection division to take a closer look into the reported third-party ink disabling incident.
Although Epson's firmware updates reportedly did nothing else besides restricting a printer's functionality, this can lead to serious cybersecurity issues if true because it has the potential of convincing customers that firmware upgrades are something to be avoided.
Having unpatched printer firmware on a corporate network is even more dangerous given that on multiple occasions security researchers have found out that such devices can be used as both entry and pivot points during corporate network attacks.
Printers left unpatched are vulnerable to multiple types of attacks, with denial of service, privilege escalation, print job access, information disclosure, and code execution being the most important.
If the report about the firmware updates issued by Epson to disable third-party ink support is accurate, this could mean the start of a very unhealthy trend
There are well-documented incidents where attackers managed to compromise vast amounts of printers in one go, with the February 2017 event when the grey-hat hacker Stackoverflowin was able to control over 160,000 printers.
During that incident, Stackoverflowin was able to print a custom page by adding a print job to devices ranging from corporate multi-functional devices to restaurant receipt printers.
Furthermore, security researchers from Ruhr University Bochum tested multiple printers from brands such as HP, Dell, Brother, Lexmark, Kyocera, Samsung, Konica, and OKI, and they found out that all of them were vulnerable to infinite loop DoS attacks and the vast majority to information disclosure and print job manipulation.
Returning to the letter sent by the EFF to the Texas Attorney General's office, if the report of printer firmware updates removing support for third-party inks is valid, this might persuade other Epson customers from updating their devices' firmware.
Although at first, this would only affect the customers who haven't updated their Epson devices, in the event of a security breach those printers could very well expose their entire network to further attacks, with owners of devices from other brands also in danger.