HP envy 7640 being a lil bi***


#1

It keeps wanting to connect to a network and spy on me. A product like this should not have to connect to the internet. I need to print documents without it installing any spyware on my Manjaro drive and without being connected to my network. I tried with a USB flash drive but there are only two options: print photos, or use the scanner to then save the scan to the USB. Any workaround, or does it need to connect to at least a PC?


#2

You’ll probably have to connect it to a computer one way or another. Two options to consider:

  • Set up a Raspberry Pi as a print server and use a firewall to make sure it doesn’t have the ability to make outgoing IP connections
  • Use an old computer with NIC removed (or a cheap SBC without WiFi like the RPi Zero) with a CD drive and use that to connect to the printer via USB. Anything you want to print can go on a CD, which will ensure there’s no way for malware to get to your regular PC.

The Windows software they supply does have a very concerning data policy where they try to get you to agree to having metadata about your print jobs sent back to HP. I can’t find a “store anonymous usage data” option anywhere in my HP printer’s settings like the author of that blog post said there should be, though. I suspect the on-printer data collection only exists on certain models, and data is collected via the client application on the PC otherwise.

HPLIP has no such agreement that I can recall, for whatever that’s worth.


#3

Low rent answer: set the gateway IP address on the printer to a bogus IP address. Best case is that the printer can then be used on the LAN but the printer cannot access the internet.

Better answer: Use a firewall (not a bad idea anyway - your router may already include a basic firewall) and simply block all traffic from/to the printer that would go outside the LAN.

Or do both.

Against a truly malicious printer, there would still be weaknesses but that may be enough.

Without a detailed understanding of your config or this printer, hopefully the above achieves something.

Does this printer support printing via USB?
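The firewall approach described above, written as an nftables ruleset (an added example, not part of the original post). It assumes a Linux-based router that forwards the LAN's traffic; the printer address 192.168.1.50, the MAC 02:00:00:00:00:01 and the LAN range 192.168.1.0/24 are constructed placeholders.

```nftables
# printer-isolation.nft: load on the router with `nft -f printer-isolation.nft`
# All addresses below are constructed placeholders; substitute your own.
define PRINTER_IP  = 192.168.1.50
define PRINTER_MAC = 02:00:00:00:00:01
define LAN_NET     = 192.168.1.0/24

table inet printer_isolation {
    chain forward {
        # Only routed traffic passes through this hook; LAN-to-LAN printing
        # on the same switch never reaches it and keeps working.
        type filter hook forward priority 0; policy accept;

        # Printer -> anything outside the LAN: count it, log it, drop it.
        ip saddr $PRINTER_IP ip daddr != $LAN_NET counter log prefix "printer-egress: " drop

        # Same rule keyed on the MAC, in case the printer picks up a
        # different IPv4 address (e.g. a new DHCP lease).
        ether saddr $PRINTER_MAC ip daddr != $LAN_NET counter drop

        # Outside -> printer: drop, so nothing routed can reach it either.
        ip daddr $PRINTER_IP ip saddr != $LAN_NET counter drop

        # The printer may also speak IPv6, which the rules above do not see.
        ether saddr $PRINTER_MAC meta nfproto ipv6 counter drop
    }
}
```

`nft list table inet printer_isolation` shows the per-rule counters; a rising count on the first rule means the printer is still attempting outbound connections and the block is doing its job.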


#4

I think it has printing via a connection to a PC, but if you mean by USB flash drive then no.


#5

No, I meant USB connection to PC. Not USB flash drive.

That avoids most realistic possibilities for the printer to access the rest of your network.

USB flash drive is probably limited by the fact that there is no printer driver in that scenario. I would guess that it will support JPEG files and nothing more. Anything else would require software to convert the document into language the printer understands (seemingly only PCL).

It looks as if the printer could take an SD card as an alternative to a USB flash drive.

As @Jt0 suggests, you could use a Pi as a print server. But you could also use a low budget off-the-shelf print server (provided that you are happy to lose the scan functionality). That would be cheaper and simpler than a Pi - unless you happen to have a spare Pi sitting around.


#6

Remember you can’t get away from the printer spying on you. Remember there are microdots on almost every laser printer as implemented by the manufacturer. These identify the printer where print output came from. So even if you air gap your laser output, whatever you printed can still be traced back to your printer. Your only benefit may be that your printer is in a hidden bunker and you hand carry it to wherever you distribute it to. Just don’t leave a trace of your laser printer purchase.

The list of lasers or copiers that don’t do microdots is small but easily searchable.

But even if you can escape the microdots, remember the movie “Alone in Berlin”? Handwritten postcards during WWII and left on doorsteps against the Nazi regime. Eventually the postcard writer slipped up and got caught.


#7

Microdots aren’t a concern on inkjet printers though, right? Every reference I’ve seen to them mentions laser printers specifically.


#8

While that is true I don’t think that that is what @user1 is concerned about. The first post says: “A product like this should not have to connect to the internet”, and indeed “phoning home” is a legitimate concern about any device.


#9

I’m sure the user will use a dead drop to distribute the printed output. But where is the fun if I can’t add to the paranoia?


#10

Uuughhhhh. All of these solutions are needlessly complex. How about a USB live boot and the printer connected to the PC of the live boot?


#11

From where does the PC get the document that is to be printed?

Having to live boot every time you want to print isn’t complex but it sounds inconvenient and slow.

How are you connecting the printer to the live booted PC? USB? network?


#12

Via USB connection and will use a USB flash drive to move to live boot if need to print. Will run the live USB to auto wipe itself back to standard on every boot on a really crappy, old laptop. Work?


#13

I suppose so but a crappy old laptop is bulkier, slower to boot and consumes more power than either a dedicated (1 USB port) print server or a Pi. The dedicated print server has the advantage that there is nothing to wipe basically. There is no state to speak of.

Example: $25 https://www.amazon.com/IOGEAR-1-Port-Print-Server-GPSU21/dp/B000FW60FW (I don’t own one of these so can’t say how well this specific device works but it is indicative.)


#14

I have a spare Raspberry Pi but I haven’t set up a print server before. Halp.


#15

I’m using dedicated print servers. But @Jt0 already posted a link to a tutorial above for setting up a Pi as a print server (and the internet can provide many more similar tutorials).

The only question that I would be asking is: what is the client base for this printer?

Are they all Linux computers?

Are there any Windows computers? (so that you will also need Samba set up - but the above tutorial covers that anyway) The point is - don’t set up Samba unless you need it. Otherwise you are needlessly increasing your attack surface.
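A host firewall for a Pi print server that serves Linux clients only, as discussed in this thread (an added example, not from any poster or from the linked tutorial). It assumes the printer hangs off the Pi by USB, CUPS listens on TCP 631, and the LAN is the constructed range 192.168.1.0/24; Samba is not installed, and its ports stay closed either way.

```nftables
# pi-print-server.nft: load on the Pi with `nft -f pi-print-server.nft`
# LAN range is a constructed placeholder; substitute your own.
define LAN_NET = 192.168.1.0/24

table inet print_server {
    chain input {
        # Default deny: SMB (139/445) and everything else not listed is dropped.
        # This also drops inbound IPv6, so clients reach the Pi over IPv4 only.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept

        # IPP print jobs from LAN clients.
        ip saddr $LAN_NET tcp dport 631 accept

        # SSH for administration from the LAN; remove if you use a console.
        ip saddr $LAN_NET tcp dport 22 accept

        # Ping from the LAN for basic troubleshooting.
        ip saddr $LAN_NET ip protocol icmp accept
    }

    chain output {
        # The Pi may answer clients but may not open connections of its own,
        # so nothing attached to it can phone home through it.
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # DHCP lease renewal; drop this rule if the Pi has a static address.
        udp sport 68 udp dport 67 accept
    }
}
```

With the output policy set to drop, the Pi cannot resolve DNS, sync time or fetch package updates, and mDNS printer discovery is blocked, so clients add the queue by its address and the ruleset has to be lifted temporarily when the Pi needs patching.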