Monitors aren’t just dumb display terminals that output an image, after all. They contain ASICs (application-specific integrated circuits) that are capable of providing overlays and scaling functions.
Monitors with USB hubs or speakers integrated into the housing also contain the necessary circuitry required to interface with those subsystems. Monitors can also require their own firmware updates — and as Cui and Kataria demonstrated, these vectors can be used to hijack the monitor’s capabilities to display information that isn’t actually on-screen.
Examples shown at DEFCON included changing status-alert lights on a power plant control board from green to red, changing PayPal balances, and adding a secure lock to a web page that shouldn’t actually have displayed one.
The team initially hacked the Dell U2410 monitor using a USB port, but were also able to hack the hardware using the HDMI cable.
Who uses hacks like this?
Most of the discussion around PC security and hacking focuses on botnets, zombie PCs, and trojan applications that want to turn your system into a cryptocurrency miner or ransom the contents of your hard drive for cash.
Hacking a monitor isn’t the kind of thing you’d expect from this type of commercial attack — it requires access to the display and takes some time to get up and running.
Just because an attack isn’t useful to the commercial sector doesn’t mean it isn’t useful. Stuxnet is credited with damaging or destroying up to one-fifth of Iran’s centrifuges when it was deployed to that country.
Experts have warned for years that America’s infrastructure could be critically vulnerable to certain kinds of attack, and security researchers have long known that one of the best ways to introduce malware into specific, targeted facilities is to leave an ordinary USB drive sitting around outside.
Researchers have reported that roughly half of individuals who find an unattended USB drive will plug it into an available system.
No botnet or malware application is going to try to target your monitor — but infrastructure targeting is a very real threat. One of the disclosures Snowden made several years ago was that the NSA had a program dedicated to intercepting systems shipped by Dell, HP, and other manufacturers, modifying the hardware between the warehouse and its destination, then sending it on its way, with the final recipients none the wiser.
Targeted interception and modification of this sort is rare, but this is precisely the kind of modification that government-sponsored black hats might use.
“How practical is this attack?” Cui asked. “Well, we didn’t need any privileged computer access to do this. How realistic is the fix? It’s not that easy. How do you build more secure monitors in the future? We don’t know.”
While monitors do contain some support for security standards like HDCP, that protocol was designed to prevent unauthorized copying of media broadcasts, not to block the monitor from displaying fundamentally unauthorized data or to prevent firmware updates. It should be theoretically possible to build a more secure display, but doing it right could require years to hammer out — and take years more until such devices are in the market.
It’s not currently clear if this security hole can be exploited by DisplayPort-attached devices, laptops (which typically lack ASICs), or monitors without USB ports. Presumably simpler displays are less likely to be affected but details on the topic are scarce and the DEFCON 24 presentation on the issue isn’t available yet.