LAS VEGAS - Information security experts work hard to protect computers, but few worry about what comes between the computer and the user: the monitor. But monitors can be hacked to display false information and fool the user, two researchers showed yesterday (Aug. 5) at the DEF CON hacker conference here.
Ang Cui and Jatin Kataria of Red Balloon Security in New York opened up a Dell U2410 monitor and discovered it was a computer itself, with a motherboard, operating system and various ports. They designed the monitor software and figured out how to add information to the stream of image data coming from the computer.
The DEF CON audience watched as Cui and Kataria injected an image into the display, added a safe-lock icon to the address field of the Web browser, changed the status-alarm control on the power plant control interface from green to red, and changed the PayPal balance from $0 to $1,000,000.
The researchers got the idea after buying sleek, curved Dell U3415 monitors and noticing that they offered the ability to communicate with computers via built-in USB inputs. However, the $700 U3415 was too expensive to pull apart, so Cui and Kataria settled for a $150 Dell U2410, which also had a USB port. They found that Dell offered instructions on how to transfer firmware to the monitor.
Cui and Kataria took the monitor apart, examined its software, and after much trial and error, figured out how to send commands, first through the USB port and then through HDMI. They learned not only how to change the color of individual pixels, but also how to send malicious data to the monitor to make images appear as if they came from the computer.
They added a green HTTPS lock icon to the address bar of the web browser to make it look like the notoriously nasty 4-channel image array was providing a secure connection. (It didn't.) On PayPal's website, the monitor "showed" that the user had a billion dollars in his account when the computer actually sent an image indicating zero.
The researchers suggested that it would be possible to hack, for example, the monitors that stock traders use to display misinformation. Even if the computers send accurate numbers, malware in the monitors could change the way those numbers are displayed and cause people reading them to make bad decisions.
Cui and Kataria said this image security problem is not limited to Dell monitors. They said they bought four more inexpensive flat-panel monitors from four different major manufacturers and found that each had the same type of software (which is different from the Dell monitors).
In other words, if you learned to hack one monitor, you'd probably learn to hack all monitors from many different brands, as long as they depended on the same software. And there is no anti-virus software for computer monitors.
"How practical is this attack?" Cui wondered. "Well, we didn't need any privileged access to the computer for this. How realistic is this patch? It's not that simple. How can we build more secure monitors in the future? We don't know."