Most of the time when we talk about PC security, we talk about either the operating system or the hardware that it runs on. Security researchers tend to focus on these characteristics for obvious reasons, but it’s always interesting to see what other research teams can do by targeting the hardware most of us don’t consider part of the normal security chain. New research presented at DEFCON last week by Ang Cui and Jatin Kataria discussed how one team discovered monitors are themselves vulnerable to hacking — and in ways that can be difficult for ordinary users to spot.
Monitors aren’t just dumb display terminals that output an image, after all. They contain ASICs (application-specific integrated circuits) that are capable of providing overlays and scaling functions. Monitors with USB hubs or speakers integrated into the housing also contain the necessary circuitry required to interface with those subsystems. Monitors can also require their own firmware updates — and as Cui and Kataria demonstrated, these vectors can be used to hijack the monitor’s capabilities to display information that isn’t actually on-screen.
Examples shown at DEFCON included changing status-alert lights on a power plant control board from green to red, changing PayPal balances, and adding a secure lock to a web page that shouldn’t actually have displayed one. The team initially hacked the Dell U2410 monitor using a USB port, but were also able to hack the hardware using the HDMI cable.
Most of the discussion around PC security and hacking focuses on botnets, zombie PCs, and trojan applications that want to turn your system into a cryptocurrency miner or ransom the contents of your hard drive for cash. Hacking a monitor isn’t the kind of thing you’d expect from this type of commercial attack — it requires access to the display and takes some time to get up and running.
Just because an attack isn’t useful to the commercial sector doesn’t mean it isn’t useful. Stuxnet is credited with damaging or destroying up to one-fifth of Iran’s centrifuges when it was deployed to that country. Experts have warned for years that America’s infrastructure could be critically vulnerable to certain kinds of attack, and security researchers have long known that one of the best ways to introduce malware into specific, targeted facilities is to leave an ordinary USB drive sitting around outside. Researchers have reported that roughly half of individuals who find an unattended USB drive will plug it into an available system.
No botnet or malware application is going to try to target your monitor — but infrastructure targeting is a very real threat. One of the disclosures Snowden made several years ago was that the NSA had a program dedicated to intercepting systems shipped by Dell, HP, and other manufacturers, modifying the hardware between the warehouse and its destination, then sending it on its way, with the final recipients none the wiser. Targeted interception and modification of this sort is rare, but this is precisely the kind of modification that government-sponsored black hats might use.
“How practical is this attack?” Cui asked. “Well, we didn’t need any privileged computer access to do this. How realistic is the fix? It’s not that easy. How do you build more secure monitors in the future? We don’t know.”
While monitors do contain some support for security standards like HDCP, that protocol was designed to prevent unauthorized copying of media broadcasts, not to block the monitor from displaying fundamentally unauthorized data or to prevent firmware updates. It should be theoretically possible to build a more secure display, but doing it right could require years to hammer out — and take years more until such devices are in the market. It’s not currently clear if this security hole can be exploited by DisplayPort-attached devices, laptops (which typically lack ASICs), or monitors without USB ports. Presumably simpler displays are less likely to be affected but details on the topic are scarce and the DEFCON 24 presentation on the issue isn’t available yet.