One Billion Monitors Vulnerable to Hijacking and Spying

"We can now hack the monitor and you shouldn't have blind trust in those pixels coming out of your monitor..." a security researcher tells Motherboard. "If you have a monitor, chances are your monitor is affected." An anonymous Slashdot reader quotes Motherboard's article: if a hacker can get you to visit a malicious website or click on a phishing link, they can then target the monitor's embedded computer, specifically its firmware...the computer that controls the menu to change brightness and other simple settings on the monitor. The hacker can then put an implant there programmed to wait...for commands sent over by a blinking pixel, which could be included in any video or a website. Essentially, that pixel is uploading code to the monitor. At that point, the hacker can mess with your monitor...

[T]his could be used to both spy on you, but also show you stuff that's actually not there. A scenario where that could dangerous is if hackers mess with the monitor displaying controls for a power plant, perhaps faking an emergency. The researchers warn that this is an issue that could potentially affect one billion monitors, given that the most common brands all have processors that are vulnerable...
"We now live in a world where you can't trust your monitor," one researcher told Motherboard, which added "we shouldn't consider monitors as untouchable, unhackable things."

Re:please consider

[Wizy]

The link to the article us where it always is, right next to the title in green text. This one says vice.com. It has been like this for awhile.

Inexcusable

[ytene]

For years now (decades) we've seen cases where a bunch of software engineers thought it would be "cool" to add a new feature in a piece of software, only to implement something insecurely and as a result compromise an entire package or platform. Slowly, oh so slowly, our industry has woken up to the wisdom of starting a design with security and then only adding features when we must, and when they can be shown to be secure.

Along comes the Internet of Things and suddenly it feels like the hardware industry thinks that it has been given a free pass to go and be utterly stupid all over again. I know it's only been a couple of years since the news broke, but if there is one thing that Edward Snowden taught the world, it's that we weren't being paranoid enough.

Back when appliances were relatively dumb, countries around the world came up with quality testing schemes to enable consumers to verify that a product they bought had been tested to a minimum range of safety requirements (for example, in the UK there is the Kitemark). We have already passed the point where we need a cyber equivalent.

Do readers think we'll ever get there? Or do you supposed that there is too much money being spent by lobbyists to ensure that it never happens?

Re:Inexcusable

[AmiMoJo]

Calm down. TFA is bullshit.

I'm a firmware engineer. Let me tell you a bit about how monitors work internally. The data rate for video is way, way too high for any kind of inexpensive CPU to handle. It's all done by ASICs, which are fixed function. They have a few programmable parameters, but the most you will be able to so is configure things like gamma/contrast/brightness and change scaling options, stuff like that.

There is a CPU in there (more accurately an MCU), to do menus and talk to the PC, but it can't see what's on screen. The data rate is too high, it doesn't even connect to that bus. It doesn't need to, it just sends commands to the ASIC to to the overlay graphics. So this idea that a hacker could infect the firmware and then communicate via a flashing pixel is bollocks, the CPU can't even see the pixels.

Apart from bricking or irritating the user, I can't see any practical use for this. If the hacker can get to the point where they can talk to the monitor's firmware anyway, they already p0wned your system remotely or are standing next to it. I can't really see much opportunity for an evil maid attack.

Re: Inexcusable

[PhunkySchtuff]

[user@localhost ~]$ ping yvan256.amish.org
PING yvan256.amish.org (144.131.380.158): 56 data bytes
64 bytes from 144.131.380.158: icmp_seq=0 ttl=59 time=14.368 hrs
64 bytes from 144.131.380.158: icmp_seq=1 ttl=59 time=11.156 hrs
64 bytes from 144.131.380.158: icmp_seq=2 ttl=59 time=12.062 hrs
64 bytes from 144.131.380.158: icmp_seq=3 ttl=59 time=11.772 hrs
64 bytes from 144.131.380.158: icmp_seq=4 ttl=59 time=11.867 hrs
^C

Re:Link to the story

[NotInHere]

Two links that are ten times more informative:
http://boingboing.net/2016/08/...
https://www.defcon.org/html/de...

Re:please consider

[JohnFen]

It took me about five minutes to find the link you're referring to. I had no idea that links were provided next to the title on /. -- probably because, at least on my browser, the link is almost entirely covered up by the "Displays" and "Security" icons.

Story is insulting to slashdotters

[BenJeremy]

Wow, some idiot discovered there is a data channel to monitors... that has no practical "hacking" application. Said channel is frequently only used to transfer information about the monitor to the hosting device.

This isn't Hollywood, but expect some moron screenwriter to now use this in their plot.

Re:Security missing in education

[amigabill]

I'm just finishing up an MS degree in Electrical and Computer Engineering, my BS degree was in Computer Engineering. While we're being taught coding, and I started in CE instead of EE to get a stronger focus on the computer science portion, I've never been taught about secure programming. The CS portion of the CE degree mostly used Module-2 at the time, to impress the importance of consistent typing and what not, but in terms of how to make your code secure from malware attacks, or what a security weakness looks like or how to correct it, I've never seen that in general programming or embedded programming courses. I have no idea... And I don't know where to go and get an idea. I understand it's important, and after I do my last presentation for my last course in MS degree this coming week, I do want to seek out some resources about how to do that. I have a book about TDD for Embedded C programming, but surely that's not enough for security coverage, it seems more about correct functionality. I suspect that one could pass functional testing yet still have security holes...

So where do I go to learn effective "secure programming"? Do I go and take some MOOCs about white-hat hacking to learn how to break in, and then try not to leave those holes? Are those things applicable to embedded programming, or are they only about breaking into servers and websites?

I look forward to good suggestions, so that more of us can become capable of doing better in this regard.

Sounds like sensationalist bullshit to me

[gweihir]

First, the attack surface of a monitor is pretty bad. In VGA, all you get is an I2C line. It will be hard to even mount attacks. Second, there are a lot of different firmware versions out there. And third, no, the "computer" in a monitor cannot usually read individual pixels (or any screen-content at all), it is by far not fast enough for that and it will usually not even have access to that data-stream. This "Computer" is a small MCU, not anything general-purpose or fast.

Seems to me somebody wants to improve their fame by posting horror-stories with little or no connection to actual reality.

This is why...

[wbr1]

...I only used punched cards. Including that box of random cards I found in the parking lot.

Re:please consider

[pete6677]

This is yet another example of what happens when we keep letting hipster developers ruin the internet by stripping out useful navigation and visibility features.

So, this now seems appropriate.

[fahrbot-bot]

Who monitors the monitors?

Re:Once again, analog is better

[JohnFen]

This could never happen with an analog monitor

True. With an analog monitor, you have to use Van Eck phreaking instead.