LAS VEGAS — Information-security experts work hard to protect computers, yet few worry about what comes between the computer and the user: the monitor. But monitors can be hacked to display false information and fool the user, two researchers showed yesterday (Aug. 5) at the DEF CON hacker conference here.
Ang Cui and Jatin Kataria of Red Balloon Security in New York opened up a Dell U2410 monitor and found that it was a computer itself, with a motherboard, operating system and various ports. They reverse-engineered the monitor's software and figured out how to add information to the stream of image data coming from the computer.
The DEF CON audience watched as Cui and Kataria injected a photograph onto a display, added a secure-lock icon to a Web browser's address field, changed the status-alert light on a power plant's control interface from green to red and changed a PayPal balance from $0 to $1,000,000,000.
The researchers got their idea when they bought sleek, curved Dell U3415 monitors and noticed that the monitors offered options to communicate with computers via built-in USB inputs. But the $700 U3415 was too expensive to take apart, so Cui and Kataria settled for the $150 Dell U2410, which also had a USB input port. They found that Dell offered instructions on how to upload firmware to the monitor.
Cui and Kataria took apart the monitor, examined its software and, after much trial and error, figured out how to send it commands, using first the USB port, then later the HDMI port. They learned not only how to change the color of individual pixels, but how to send malicious data to the monitor's display so that images were made to appear as they were coming from the computer.
They added a green HTTPS lock icon to a Web browser's address bar to make it appear as if the notoriously nasty imageboard 4chan provided a secure connection. (It doesn't.) On a PayPal Web page, they made the monitor "show" that a user had a billion dollars in his account, when the computer had actually sent an image indicating a figure of zero.
The researchers implied that it would be possible to hack into, for example, monitors that stock traders use to display erroneous information. Even though the computers would be sending accurate numbers, malware in the monitors could alter how those numbers were displayed and cause the humans reading them to make bad decisions.
Cui and Kataria said that this image-security problem wasn't limited to Dell monitors. They said they bought four more inexpensive flatscreen monitors made by four different major manufacturers, and found that each ran the same kind of software (which was different from the Dell monitors' software).
In other words, if you learned to hack one monitor, you'd probably learn to hack all monitors from many different brands, as long as they depended on the same software. And there's no antivirus software for computer monitors.
"How practical is this attack?" Cui wondered. "Well, we didn't need any privileged computer access to do this. How realistic is the fix? It's not that easy. How do you build more secure monitors in the future? We don't know."