One Billion Monitors Vulnerable to Hijacking and Spying (vice.com)
"We can now hack the monitor and you shouldn't have blind trust in those pixels coming out of your monitor..." a security researcher tells Motherboard. "If you have a monitor, chances are your monitor is affected." An anonymous Slashdot reader quotes Motherboard's article:
if a hacker can get you to visit a malicious website or click on a phishing link, they can then target the monitor's embedded computer, specifically its firmware...the computer that controls the menu to change brightness and other simple settings on the monitor. The hacker can then put an implant there programmed to wait...for commands sent over by a blinking pixel, which could be included in any video or a website. Essentially, that pixel is uploading code to the monitor. At that point, the hacker can mess with your monitor...
[T]his could be used to both spy on you, but also show you stuff that's actually not there. A scenario where that could be dangerous is if hackers mess with the monitor displaying controls for a power plant, perhaps faking an emergency. The researchers warn that this is an issue that could potentially affect one billion monitors, given that the most common brands all have processors that are vulnerable...
"We now live in a world where you can't trust your monitor," one researcher told Motherboard, which added "we shouldn't consider monitors as untouchable, unhackable things."
please consider posting a link to the actual article.
Here's a link to the story. Sadly it doesn't include any more detail than the summary.
For years now (decades) we've seen cases where a bunch of software engineers thought it would be "cool" to add a new feature in a piece of software, only to implement something insecurely and as a result compromise an entire package or platform. Slowly, oh so slowly, our industry has woken up to the wisdom of starting a design with security and then only adding features when we must, and when they can be shown to be secure.
Along comes the Internet of Things and suddenly it feels like the hardware industry thinks that it has been given a free pass to go and be utterly stupid all over again. I know it's only been a couple of years since the news broke, but if there is one thing that Edward Snowden taught the world, it's that we weren't being paranoid enough.
Back when appliances were relatively dumb, countries around the world came up with quality testing schemes to enable consumers to verify that a product they bought had been tested to a minimum range of safety requirements (for example, in the UK there is the Kitemark). We have already passed the point where we need a cyber equivalent.
Do readers think we'll ever get there? Or do you suppose that there is too much money being spent by lobbyists to ensure that it never happens?
The link is relative instead of absolute so it's easy to find where it should go.
But the article just says "omg! Be scared! You must be more scared! They could destroy the world!" but says absolutely nothing about what the attack actually is or what is required to exploit it.
Having magic images that take over all monitors strains credibility to the breaking point. But monitors have I2C connections to the video source, for reporting their resolution and for other non video data. It's not at all implausible that this could be used to attack the monitor, which could then be triggered by video data later. Of course the attacker would have to have physical access first, or remotely hack the video driver, in order to send the I2C commands.
And of course some monitors have USB connections (say for speakers) that might be an attack surface, but that is a much narrower target than the article claims.
Basically this is just junk reporting. 204 no content.
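The non-video data a monitor reports over the I2C (DDC) lines, as the comment above describes, is the EDID block. As an added example that is not part of the thread, this Python sketch validates and decodes a 128-byte EDID base block; the sample block and the vendor ID "TST" are constructed for illustration.

```python
import struct

EDID_HEADER = bytes([0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00])

def parse_edid(block: bytes) -> dict:
    """Validate and decode the 128-byte EDID base block a display returns over DDC."""
    if len(block) < 128:
        raise ValueError("EDID base block must be at least 128 bytes")
    base = block[:128]
    if base[:8] != EDID_HEADER:
        raise ValueError("bad EDID header")
    if sum(base) % 256 != 0:  # all 128 bytes must sum to 0 modulo 256
        raise ValueError("bad EDID checksum")
    # Manufacturer ID: three 5-bit letters ('A' = 1) packed big-endian in bytes 8-9.
    mfg = struct.unpack(">H", base[8:10])[0]
    vendor = "".join(chr(((mfg >> shift) & 0x1F) + 64) for shift in (10, 5, 0))
    if not vendor.isalpha():
        raise ValueError("manufacturer ID is not three letters")
    product, serial = struct.unpack("<HI", base[10:16])
    # The first detailed timing descriptor (bytes 54-71) carries the preferred mode.
    dtd = base[54:72]
    return {
        "vendor": vendor,
        "product": product,
        "serial": serial,
        "year": 1990 + base[17],
        "version": f"{base[18]}.{base[19]}",
        "pixel_clock_khz": struct.unpack("<H", dtd[0:2])[0] * 10,
        "width": dtd[2] | ((dtd[4] & 0xF0) << 4),
        "height": dtd[5] | ((dtd[7] & 0xF0) << 4),
    }

def make_sample_edid() -> bytes:
    """Constructed sample: a fictional 1280x1024 panel from vendor 'TST'."""
    b = bytearray(128)
    b[0:8] = EDID_HEADER
    b[8:10] = struct.pack(">H", (20 << 10) | (19 << 5) | 20)  # 'T','S','T'
    b[10:16] = struct.pack("<HI", 0x1234, 1)                  # product, serial
    b[16:20] = bytes([1, 26, 1, 3])                           # week 1, 2016, EDID 1.3
    b[54:62] = bytes([0x30, 0x2A, 0x00, 0x98, 0x51, 0x00, 0x2A, 0x40])
    b[127] = (-sum(b[:127])) % 256                            # checksum byte
    return bytes(b)

if __name__ == "__main__":
    print(parse_edid(make_sample_edid()))
```

On Linux the kernel exposes the raw block a connected display returned under `/sys/class/drm/<connector>/edid`, which can be read and passed to `parse_edid`.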
networkworld
tomsguide
While this was not my original reason, this article makes me smug for using a pair of old 1280x1024 monitors. I run one over DVI, one over VGA. Especially VGA ones are a dime a dozen, if you shop around you can get a high quality used one under $20. With old monitors it's random whether you get one that flickers, has a high blue/etc loss or similar flaws -- but even if you can't return, it's $20 for another try. VGA ones also require adjustment, but if you press auto-adjust over a proper test screen rather than your desktop, analog-to-digital artifacts can be almost completely eliminated.
VGA provides no way for smuggling malware, and DVI ones are way too old to be vulnerable to such tricks. As an extra bonus, you get a sane aspect ratio rather than a modern narrow strip.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
CRT is outdated technology and there is residual radiation. It requires heavy glass and you can't build larger screens with it.
I fully agree that there shouldn't be such a sideloading API for monitors and that the monitors should be as dumbed down as possible, but I don't think that CRT is the answer. The task the firmware of a monitor executes should be so simple that it can be done right and without security bugs, can't it?
Wow, some idiot discovered there is a data channel to monitors... that has no practical "hacking" application. Said channel is frequently only used to transfer information about the monitor to the hosting device.
This isn't Hollywood, but expect some moron screenwriter to now use this in their plot.
I'm just finishing up an MS degree in Electrical and Computer Engineering, my BS degree was in Computer Engineering. While we're being taught coding, and I started in CE instead of EE to get a stronger focus on the computer science portion, I've never been taught about secure programming. The CS portion of the CE degree mostly used Modula-2 at the time, to impress the importance of consistent typing and whatnot, but in terms of how to make your code secure from malware attacks, or what a security weakness looks like or how to correct it, I've never seen that in general programming or embedded programming courses. I have no idea... And I don't know where to go and get an idea. I understand it's important, and after I do my last presentation for my last course in MS degree this coming week, I do want to seek out some resources about how to do that. I have a book about TDD for Embedded C programming, but surely that's not enough for security coverage, it seems more about correct functionality. I suspect that one could pass functional testing yet still have security holes...
So where do I go to learn effective "secure programming"? Do I go and take some MOOCs about white-hat hacking to learn how to break in, and then try not to leave those holes? Are those things applicable to embedded programming, or are they only about breaking into servers and websites?
I look forward to good suggestions, so that more of us can become capable of doing better in this regard.
First, the attack surface of a monitor is pretty bad. In VGA, all you get is an I2C line. It will be hard to even mount attacks. Second, there are a lot of different firmware versions out there. And third, no, the "computer" in a monitor cannot usually read individual pixels (or any screen-content at all), it is by far not fast enough for that and it will usually not even have access to that data-stream. This "Computer" is a small MCU, not anything general-purpose or fast.
Seems to me somebody wants to improve their fame by posting horror-stories with little or no connection to actual reality.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
...I only used punched cards. Including that box of random cards I found in the parking lot.
Silence is a state of mime.
which run in a special protected mode of the computer and abstracts the attached HW interfaces so that a program cannot control the HW directly but a well defined subset of functions on this HW by calling another program.
Let's call the first program "os kernel" and the second one "device driver", and let's call the mode of the processor "ring 0".
To be clear on it: I would hope that the monitor firmware is somehow signed. OTOH, hacking my monitor still would require to pass the device driver on the computer, so I am not terribly worried, since the 1 Billion monitors do not have a coherent interface to firmware manipulations, and the picture that a pixel "uploads code" is accurate only at a very abstract level, since in most monitors these pixels probably are not processed in the memory which can execute code. Those institutions with enough programming capacities to hack these already would have had access (swapping packets at the post) before delivery to circumvent it all.
I don't know what's wrong with Slashdot these days, but 50% of all my posts "magically vanish" these days.
I'll try again, shorter story but you'll get the gist of it:
This isn't new. Your camera, your keyboard and virtually any gadget has an embedded system in it, they have an entire computer in it if you like, they can easily fit a whole server gateway in there. But it's not as easy to do this as it might seem, so most of you have very little to worry about. Example. Say your monitor now has been successfully infiltrated with malicious code now, it still has to "hack" your Windows installation and place a relay daemon there that'll have to avoid being detected by your anti-virus software or Windows Defender. Furthermore, if the malware is neatly compressing and transporting the image from your monitor on a separate protocol layer, you still have to have some kind of hidden client that can relay these packets to the network card or Windows socket for the network card... or use the drivers, or inject into a stream of packets... all these things open up an entirely new can of worms. Not even Windows knows all the networks in the world, I have a relatively modern computer... one of the most high end, and yet Windows 10 that came on a USB memory didn't even know what network chip my computer had, imagine a small embedded system entirely on its own... trying to figure out how to operate your computer's network card, yay... good luck with that.
It's not as dangerous as it seems, I'd worry more about that little independent computer that resides inside your INTEL processor.
What this world is coming to - is for you and me to decide.
Maybe start with this: https://www.amazon.com/Writing-Secure-Code-Strategies-Applications/dp/0735617228
There are a lot of free and paid resources out there. The difference I feel like is the paid ones hold your hand and walk you through, while the free ones require a little more knowledge on the topic. This is an exception, not a rule.
Your messages aren't "vanishing". Hackers have hacked your monitor to make it look that way.
Dump-a-Drumpf 2016/Forever
Who monitors the monitors?
It must have been something you assimilated. . . .
This could never happen with an analog monitor
True. With an analog monitor, you have to use Van Eck phreaking instead.
They changed the JS; if you block most of it, but whitelisted some, you have to add one of the new JS domains in to have it keep working. It seems to change which code it is actually using depending on if you clicked on nested stories already, or something. It looks like a bug that just only bites some people, and they don't mind the sloppy code so it stays.
Perhaps read some of Bruce Schneier's books. Applied Cryptography was an early one, but there are more recent books out now. I'd start listening to the Security Now podcast as well, as it provides some great examples of "how to do things wrong", and teaches a lot of fundamentals. Steve Gibson has written some real life crypto products, and does his homework on topics of the day.
Essentially, I've learned just enough to know that, even as a 20-year veteran programmer, I'm not sure I'd be able to write a secure system, as it's just not my expertise. It's horrifically difficult to do it right without a huge amount of experience specifically in that field. If anyone tells you it's simple to do, they're a liar or a fool. Never, ever try to invent your own security protocols, and especially never invent your own cryptography behind closed doors. It's pretty much guaranteed that you'll get things disastrously wrong unless it stands up to a *lot* of open review by cryptography experts. Search WEP security for a history lesson.
Unfortunately, IoT companies are filled with lots of smart young engineers who have no idea security is so impossibly hard to get perfect on the first try, and they're building unbelievably stupid security flaws into all these internet-facing devices. Buy an IoT baby monitor today, and you've got reasonably good odds that anyone in the world could view your baby cam with only a modest amount of effort. It's actually that bad right now.
Good on you for being willing to acknowledge that you need to know more about the fundamentals.
Irony: Agile development has too much inertia to be abandoned now.
Really appreciate your post - there's some useful information in there.
However, with what you've explained [and, perhaps, in a way that is not remotely connected to the original article], there's another interesting possibility here.
Back when I was a kid in the 70s [maybe early 80s], the UK ran a television commercial from "Habitat", a UK company which offers home furnishings, kitchenware, linens, that sort of thing. All very stylish, modern and chic.
The commercial was accompanied by an audio soundtrack that included some very fast-tempo clapping, so that the images on the screen could change incredibly rapidly. This commercial ran for a little while - and Habitat seemed to do very well out of that particular campaign. Then along came a neuro-psychologist from one of the UK universities and pointed out that what Habitat had actually been doing was actually creating subliminal impression. Brainwashing, pure and simple. Apparently, it's possible to "flash up" an image very quickly, so quickly that your conscious mind won't even register it, but in such a way that your subconscious mind can actually read and store it. Later, when you go into light sleep and your brain transfers short-term memories to long-term storage, these images and their messages get imprinted...
So whilst this little detour may not have a huge amount to do with the OP, there are maybe some threats to the user of a computer in which the video system has been compromised. And interestingly, those threats might not be directed at the computer at all, but at the user.
Very difficult to spot, too, I'd reckon...
Subliminal advertising is complete bollox http://www.snopes.com/business...
That's not quite right - old monitors aren't nearly as thirsty as you state and new ones not nearly as thrifty. My modern LED backlit HP monitor consumes 35 watts (which is a far cry from 0 watts!). My old Sun 21inch Trinitron-tubed monitor used 135 watts (quite a bit less than the 200W-400W you supposed).
Oolite: Elite-like game. For Mac, Linux and Windows