Hacking Your Computer Monitor

Here's an interesting hack against a computer's monitor:

A group of researchers has found a way to hack directly into the tiny computer that controls your monitor without getting into your actual computer, and both see the pixels displayed on the monitor -- effectively spying on you -- and also manipulate the pixels to display different images.

I've written a lot about the Internet of Things, and how everything is now a computer. But while it's true for cars and refrigerators and thermostats, it's also true for all the parts of your computer. Your keyboard, hard drives, and monitor are all individual computers, and what you think of as your computer is actually a collection of computers working together. So just as the NSA directly attacks the computer that is the hard drive, this attack targets the computer that is your monitor.

Posted on August 11, 2016 at 1:09 PM • 33 Comments

Comments

BharathAugust 11, 2016 1:43 PM

Is this tempest attack? What is new? The application of tempest on monitors instead of attempting to figure out the decryption key?

H. WIlkerAugust 11, 2016 3:12 PM

The most unexpected computers in peoples' computer setups are sitting in the connectors of Thunderbolt cables.

hawkAugust 11, 2016 3:18 PM

So why is the stock for cyber security companies in the tank and some are laying off?

Is it because the enterprise client has wised up to the me-too shit products and services? Or is because threats are seen more like weather-related events, inevitable; you can't stop the attacks so only try so hard, anything more is a waste of money. Or is because enterprise decision makers are overloaded, like bailing water from a canoe headed over the falls.

SpartanusAugust 11, 2016 6:09 PM

Well, we're all going to die, then. Because there is simply NO WAY all of that stuff can be secured.

It's like email: if security is not built in from the start, then it's too late.

OttoAugust 11, 2016 7:30 PM

From what I can find, it seems like the problem is that the monitor firmware can be updated over USB or HDMI, but you'd need running code I the connected computer to do it, not just displaying the wrong image.

Details would be nice. Until then, it seems like a very limited attack surface, since if you can run code on the connected computer, reprogramming the monitor firmware is mainly a way to have "staying power".

RoastbeefAugust 11, 2016 7:52 PM

Perhaps I can give a little context... The original IBM VGA monitors (which defined the VGA pinout) only supported a couple of sync frequencies, the computer told the monitor which frequency speed it wanted by driving the sync pins either active high or active low (2 sync pins with one bits of information each: 4 frequency sets). This became unacceptable in the days of SuperVGA so two previously unused pins were used to create "DDC". Effectively a small I2C EEPROM was put in the monitor which the display adapter could read to figure out what frequencies the monitor supported, and since there was plenty of room they also included stuff like model and serial number of the monitor.

The more modern history I assume goes like: Zoom forward and now we have one embedded chip in the monitor doing on-screen display, PiP and god knows what else. Hey! We can reduce our chip count (and save $$$) by integrating the DDC EEPROM into this chip. They want a USB hub in the monitor? Well we have spare room on our die, we'll integrate the USB into our chip too.

It appears these guys have figured out how to use DDC to do way more that EEPROM stuff, and once in figured out how to move the attack to the USB connection too.

Just WonderingAugust 11, 2016 8:20 PM

Can you tell the difference between a tree, and a digital image of a tree?

GweihirAugust 11, 2016 8:43 PM

I have severe doubts this works in general. A standard PC monitor has a rather low-powered MCU doing the control (think 16MHz Arduino-class or the like), and that is what is attached to the I2C line. It should not be able to capture anything from the screen in the first place, as it is far, far too slow and the necessary data-lines will not even be connected. What it can do is tell the chips actually handling the video to adjust setting and to display some overlay for the menu, but usually much more coarse than on pixel-level.

That said, this is different for any "smart" monitor and smart TV as these are actually PCs with graphics cards. As the monitor that was hacked here has picture-in-picture capabilities, it is quite possible that is has full and programmable video capturing hardware and a main controller that quite a few orders of magnitude more powerful than what is found in a standard monitor. With that kind of hardware, the described attack is a lot more plausible. With a standard monitor it is simply not as there is almost nothing to hack in there and what is in there gives you almost no capabilities.

My take would be that while this is a nice hack, almost all PC monitors will not be affected at all and the press has (again) not understood what this is about when they reported that vast numbers of users would be vulnerable.

Rebecca HadronAugust 11, 2016 11:33 PM

@ianf

thanks for attacking my use of english. You are right - people only belong here if they are british or north american native english speakers. I apologise for having to master three other languages before I had the chance to pick up english.
But, it's worth mentioning - THEM can be tolerable as a personal pronoun for an individual when they are lacking a gender and a personal noun, in otherwords, anonymous. albeit a bit wonky grammatically speaking. You may be interested to know HEN is the pronoun when gender is not known.

So. I am naming and identifying you as a troll. I was considering creating a change.org petition to have you banned for a year but realised it would
1. simply be a pure dose of dopamine for your addiction, namely: attention seeking.
2. Be quite divisive and create more noise on the forum which is the opposite of my intentions

You are synonymous with Paris Hilton, for me. I see you and think 'what are you for? What do you do? why are you here?'
BTW calling me Hedwig - very good - I got it. That was actually funny. Right back to the GDR for you.

PS why are you the only person whom indents entire paragraphs of text in arbitrary places? I have searched through my Chicago Style Manual to decipher your formatting choices. No luck.
You have a unique way of making your own text appear to be quoted text.

I am not surprised people here are working on identifying your geolocation. I'd place you as a Midlands native - Yorkshireman

rAugust 11, 2016 11:42 PM

@ianf,

Crumpets.

How the hell did you figure out she wasn't a native english speaker? I must've missed it.


@Ms. Hadron,

"people only belong here if they are british or north american native english speakers."

Bzzzt, try again.

"You have a unique way of making your own text appear to be quoted text."

If that's true, it should be self-explanatory - and it most certainly isn't a unique trait if that's true.

rAugust 12, 2016 12:16 AM

@Rebecca Hadron,

If you're against trolling why bait ianf in a thread he hasn't polluted?


@All,

For the sake of being hopefully wrong, I'm going to post the following...
Partially in response to: https://www.schneier.com/blog/archives/2016/08/friday_squid_bl_538.html#c6731096


@Roastbeef,

They actually attacked the USB interface first (I believe). If you look at the slides[1][2] they made note of a serial(?) interface like on Android phones (over usb) and started investigating from there. I think they moved off from the USB/HDMI interface to DVI/VGA (i2c) afterwards.

My gut is telling me that the exploitability (and thus exploitability) of this goes at least as far back as DVI. (see your own comment)

If they are actually able to infiltrate the hub controller portion then this **could** enable various keyboard (keylogger, keystroke injection) and mouse attacks (click injection, DoS) (directly) not to mention emulated network controllers and the alteration of data on removable drives.

I guess the **BIG** question here is how much space is available to play with or needed?

If signaling through pixel modulation is possible in the receiving direction then modularity and on-the-fly reprogramming is a concern. (requires read and polling)

Where WRITE is concerned vs on-screen information I don't really see that being a major threat as I don't think it can write-back into the main cpu from the topical application of display overlays but... HDMI/thunderbolt/display port may enable DMI or something else.

So there's a definate need to explore this technology, the funny thing is - we're all up in arms over the unwired IoT.

This really makes me extra curious about the never-decoded modules that existed in stuxnet and flame, do you know how many times I've eye-balled monitors with usb ports somewhere?


@Just Wondering,

"Can you tell the difference between a tree, and a digital image of a tree?"

You are sort-of taking the inverse position of a similar statement I've made concerning steganography and digitally acquired images on another thread/topic. And again, reinforcing something I've had to point out to yearlings hijacking camera feeds before. You are, in this case not refering to live feed grains as I was in their case - the scenario you present is exponentially more difficult to perform without some sort of electronic assistance. Thankfully: jpeg is lossy (and static) where png and gif are not lossy and gif is potentially not static. There are transformations that could get in the way that would require a considerable amount of preparation before hand unless that was done over a video stream of something.

People need to be able to identify visual artifacts in the security field, if you can't (in the case he's presenting it wont matter as there's no real high ground to take electronically in this scenario) you're pretty well screwed.

I'm not a fear monger, are you? Was that spoken from experience?

IF there is a 2-way component of this there IS cause for serious concern.


@All,

I guess at this point, we need to plug our monitors into a raspberry pi and vnc/ssh into the larger slave units we now possess.

Have you ever switched monitors? Maybe you upgrade the monitor on your normal PC and the air-gapped one get's the old one.

The people that would have this technology, would be the same people that worked out an 8-way manufacturer replacement firmware.


@Gweihir,

"the described attack"

Anything that allows a monitor-overlay is effectively PiP, while I respect your objectivity towards the difference in the respective feature sets... That's a risk you're willing to take. Does a potential head-start date of 2008 make you feel more comfortable? (see the slides)


@Clive,

Now the "funtenna" (from the slides) comment is REALLY making me anxious.

-----
[1] https://www.redballoonsecurity.com/presentation/Recon_0xA_A_Monitor_Darkly.pdf
[2] https://www.redballoonsecurity.com/presentation/DEFCON24_A_Monitor_Darkly.pdf
[3] https://github.com/redballoonshenanigans/monitordarkly

I think that covers this development for now, lots of work obviously needs to be done in this case but this is potentially very volatile. This isn't an alarmist position to be taking is it?

WaelAugust 12, 2016 1:50 AM

@Rebecca Hadron,

Don't feel bad! (S)he makes worse mistakes... Really!

You are synonymous with Paris Hilton

It's starting to make sense now! First time I see someone swear by her body parts on a technical forum (last two lines.)

rAugust 12, 2016 5:03 AM

@Wael,

I likely should've put that in 'quotes'.

But maybe(?)(!) I'm not that complex.

Clive RobinsonAugust 12, 2016 5:17 AM

@ Spartanus,

... if security is not built in from the start, then it's too late.

Actually you need to consider things differently, that is more in the way an engineer working with physical components does.

In electronics individual basic components like resistors capacitors inductors transistors etc are not secure items, they can not be...

However by grouping them into circuits you can make the functioning of that circuit secure by some measure. You can then build a number of such secure circuits together to make secure systems. What you have to avoid however is the "weak link" that renders an otherwise secure sysyem, less secure or insecure. So by carefull design at some given point in time you have a secure system

The problem there however is "at some given point in time", as has been noted attacks "only get better". That is once a new class of attack is discovered it does not go away, it evolves. Thus a system that was once considered secure --because a falt instance/class was unknown-- is now insecure. Thus you have to evolve your defenses appropriately[1]. We have seen this problem with "air-gaps", that were once considered the most secure systems. It is know well known that simply having physical separation is now insufficient, you need to consider EM and acoustic / mechanical seperation to ensure there is no energy from one "secure" system leaking out by radiation or conduction thus crossing to an "insecure" or "hostile" point taking information with it. Thus you have to think now of "energy-gapping", harder than "air-gapping" but by no means impossible to do, just costly in most cases.

Which makes security feal like a "Red Queen's Race", but that's also true of life in general. The trick to surviving is compartmentalising and prioritizing, to reduce complexity and risk thus make things more managable in a mainly unknown environment, security is no different.

Clive RobinsonAugust 12, 2016 5:44 AM

@ r,

How the hell did you figure out she wasn't a native english speaker? I must've missed it.

Maybe ianf fancies himself as a "Prof. Henry Higgins"[1] unfortunately his english is not up to it... (which might account for his cantankerous nature).

[1] Watch the 54year old film "My Fair Lady" staring Audrey Hepburn as "Eliza Dolittle" and the irrepressible Stanly Holloway who plays her father.

Dirk PraetAugust 12, 2016 5:55 AM

@ Rebecca Hadron

I apologise for having to master three other languages before I had the chance to pick up english.

So it would appear that you're living in the Geneva area, Switserland, then? Say hi to the good folks of Skopia art gallery from me.

@ Just Wondering

Can you tell the difference between a tree, and a digital image of a tree?

The primary reason why people get attacked and mauled to death in zoos and on safaris.

Clive RobinsonAugust 12, 2016 6:26 AM

@ Dirk Praet,

So it would appear that you're living in the Geneva area...

One of a number of possibilities including parts of the "Tri-Border Area" of South America, if the assumption is solely three non english languages.

Dirk PraetAugust 12, 2016 7:02 AM

@ Clive

One of a number of possibilities including parts of the "Tri-Border Area" of South America, if the assumption is solely three non english languages.

Nobody is called Hadron, so combined with the three languages (French, German and Italian) taught at school before English in Switserland, I took that as a reference to the LHC in Geneva.

k15August 12, 2016 11:47 AM

This can also be done with license plates, or what look like license plates. Brave new world.

SchneieronSecurityFanAugust 12, 2016 12:37 PM

The monitor in question, the Dell U2410, does not have any firmware updates on Dell's website. Dell's website has operating system drivers, however. The online manual does not mention anything about how to upgrade the firmware. I was thinking that the attack can be eliminated by just upgrading or reflashing the most recent firmware.

The monitor has USB, HDMI, DVI, DisplayPort, composite, component and VGA inputs.

rAugust 12, 2016 1:52 PM

@All,

The top of the README.md from the source tree, there's a comment relating to the 'funtenna' comment in the slides:

"There are two other demos included. funtenna.py toggles a GPIO pin, which can be picked up by an SDR (we found a signal at 15.3 MHz)."

Happy hacking. :)

Freezing_in_BrazilAugust 12, 2016 3:48 PM

@Clive Robinson

One of a number of possibilities including parts of the "Tri-Border Area" of South America, if the assumption is solely three non english languages.

There are 3 three-border-three-languages spots in Spouth America:

    French Guyana [French] - Suriname [Dutch] - Brazil [Portuguese]

    Suriname - Brazil - Guyana [English]

    Guyana - Brazil - Venezuela [Spanish]

Other three-border spots are all Spanish-Portuguese or Spanish-Spanish

Regards.

Freezing_in_BrazilAugust 12, 2016 3:59 PM

Adding that Guyana and Suriname speak a creole version of their respective metropolitan languages.

What Could Possibly Go WrongAugust 12, 2016 4:48 PM

@Roastbeef

Effectively a small I2C EEPROM was put in the monitor which the display adapter could read to figure out what frequencies the monitor supported, and since there was plenty of room they also included stuff like model and serial number of the monitor.

The more modern history I assume goes like: Zoom forward [...]

I seem to recall from a privacy perspective thinking the whole cpuid thing went the wrong way in our modern actual history. I'm curious if there had been a Snowden like illuminater when the cpuid feature was being 'snuck in under (everybody but Schneier's) radar', whether or not things might have evolved radically differently. Instead we had the silent and secretly grinning NSA fantasizing about how much fun they'd have in the coming decades.

David DonahueAugust 13, 2016 4:27 PM

@Tor User,

The discussion/concern topic you posted as a Tor bug is not a bug, so it was closed for being made in an inappropriate venue.

That said, this venue is really far the mark for Tor concerns and completely inappropriate.

I'm not a mod here, but I'd please ask that you only post here if you're discussing "Hacking Your Computer Monitor"

Mods: Feel free to delete my post as off-topic if you delete @Tor User's as nobody needs to read more off-topic spam.

yoshiiAugust 16, 2016 2:45 PM

Non-Solicited Suggestions...

try not to have enemies.
try not to be a target of difficult people.
try not to overreact.
try not to make assumptions.
try not to assume that you are a target or that you have enemies.

try to live a good life and enjoy it.
try to avoid doing harm.

stay educated.

the universe is full of surprises.
don't be surprised by that.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.