Everyone knows your computer can be hacked, but did you know your monitor might also be used against you? Ang Cui from Red Balloon Security has figured out a way to hack into a popular Dell monitor and manipulate what you see on your screen. Using this type of attack, a user could easily be tricked into revealing personal, private information. Here’s how it works. Following is a transcript of the video.
Ang Cui: Basically, you can’t trust the thing that’s coming out of your computer, because the monitor is changing the content of the screen.
Hello, my name is Ang Cui. I am the founder and chief scientist of Red Balloon Security.
Let’s look at a typical embedded vulnerability and what it means.
Here we have a beautiful Dell (U2410) 24-inch monitor. And if you look at this website, it’s obviously a mock not- real website. What you probably have not thought about is that this monitor also has a computer inside the monitor itself that’s responsible for displaying pixels and selecting input. It’s generally called the on-screen display controller.
Now our research found that there is a way for an attacker to gain access to and cause arbitrary code execution inside the controller of the monitor itself. What if you can’t trust the output of your computer, because the monitor is actually changing the pixel values on the screen?
So that’s exactly what we did. If the attacker redirects you to a website that looks a lot like your banking website, you’re not going to be able to see that same SSL lock on your browser. So this is where the attacker would then compromise your monitor and put that SSL lock onto the screen.
We’ve made this SSL lock not move at all. It is possible to have this thing move with the browser, but for demonstration purposes, we’ve made it not follow the screen.
So your computer is not showing you that your connection is secure, but the monitor is overlaying the SSL lock onto it.
We can use the monitor itself to change what you see as in your bank account. So instead of having $100, we can make your monitor show that your bank account has a million dollars. There’s no way for the user to know, because we only interact with this computer through the monitor.
We estimate that there’s at least a billion monitors on the planet today that’s vulnerable to this type of attack.
Ang calls the hack “A Monitor Darkly.” The exploit is detailed on Red Balloon’s GitHub.
Monitor Darkly is featured in season 3 of “Mr. Robot.”
Elliot Alderson: What were you doing by my computer? I saw you behind the monitor.
Ang’s team has informed Dell about the vulnerability. Dell recommends users update to a U2417 monitor. They say “security is a top concern and priority.”