PCWorld reports that the attack was revealed by Red Balloon Security researchers Ang Cui and Jatin Kataria at the DEF CON hackers convention on Friday. It allows an intruder to change the image on a monitor’s display without hijacking the computer it’s connected to. While difficult to accomplish, it could lead to a new class of malware that targets peripheral devices rather than computers themselves.
Cui and Kataria used Dell monitors for their proof-of-concept exploit. They warned the techniques they demonstrated could also be used to compromise monitors from other brands, including Samsung, Acer and HP.
The visible image projected onto a monitor’s screen is created by the display controller. This component of the monitor processes the data received from connected devices. It translates the supplied image into commands to illuminate display pixels, the last point in a picture’s journey from source to screen.
This makes it highly attractive to hackers. If the display controller was compromised, an attacker could use it to change the image on the monitor’s display, without the input device knowing. Cui and Kataria managed to do this after discovering Dell’s display controller has “no security.”
The monitor they used has a Genesis display controller shared with many other brands and models. Its debugging mode provides complete access to the monitor’s functions, including the ability to turn individual pixels on and off. The debugging mode is always active and can’t be disabled, giving attackers an entry point to the device.
Changing the image on a monitor may initially appear to have few advantages. An attacker could create the image of a button but without access to the operating system it would never respond to mouse “clicks.”
The technique could prove to be very attractive to ransomware creators though. An attacker could force a display to always show a specified message and then demand payment to restore its functionality. This message would persist across every input device, making the monitor unusable. The owner would need to pay up or buy a replacement monitor.
There’s another possible attack that’s arguably more sinister. By forcing the display controller to get pixels instead of setting them, a hacker could spy on a user’s actions by tracking the changes made to the display. The display controller could then be hijacked again, allowing the attacker to display their own messages in response to the user’s activities.
While the attack could be attractive, there’s currently no suggestion it’s being exploited in the wild. Display controller hacks have been viewed as too complex to be useful for years. While the researchers have proven they’re possible, the duo hasn’t made them much easier to execute.
Two years of work went into their DEF CON presentation on Friday, including many hours of reading about the intricacies of the Dell test monitor in their spare time. To be at all successful, hackers need to obtain physical access to the target monitor. They can then replace its firmware with a modified malicious version using the HDMI or USB port.
The attack may be difficult to utilise but the researchers say it shouldn’t be ignored. They warned that monitor manufacturers need to secure their products with stronger protections, preventing attackers from installing their own firmware or directly interacting with the display controller.