2

In his presentation, A Monitor Darkly, Ang Cui demonstrates how to manipulate images on the monitor by getting the firmware to execute commands embedded in a pixel contained in an image being displayed.

At first, he mentions that this is being done to a monitor with an firmware implant with the firmware acting asthe command-and-control, but later he says We take this pixel, we put it on the internet... We can put this pixel on photos... videos... movies... And once we do this we can distribute this pixel down to millions and milions of monitors and we can update them all at the same time and we can have direct command-and-control down to those exact monitors.

Does getting this exploit to work require physical compromise of the device, i.e., having had the monitor manually installed on the device?

Whereas in the presentation, he the code he executes are used to change images on the display, are other kinds of code execution possible with this? Would the only possible effects from using this exploit be relegated to the images displayed with no permenent changes to disk/operating system? What's the worst that can be done with this exploit?

Finally, if I suspect and implant were loaded onto my monitor, are there any ways of detecting it and would reflashing the firmware be enough to get rid of it?

user942937
  • 983
  • 8
  • 14

1 Answers1

3

It's an interesting presentation, I had not seen this before.

My reading of this is:

step #1 is modify the display controller firmware. So yes, physical compromise of the device, but it could conceivably be done via classic imported malware.

Only after the display controller firmware is modified is there a capability to have the display altered under the direction of custom encoded pixels.

The modified controller could then be commanded to display Red as Green, or insert custom text to appear at designated screen coordinates.

He does rather cavalierly talk about distributing custom pixel code in pictures and videos, but he is overly casual in his speech. This is essentially a form of steganography. The existence of the steg content does nothing without external code running to extract and parse it. In short, the monitor has to already be compromised.

I don't believe there is any mechanism for the compromised display controllers to write back and compromise the main computer OS or memory but can not state that with complete confidence.

As far as dealing with a compromised display controller, yes re-flashing the firmware would eliminate the compromise. Can it be detected? I don't know if the display firmware is even readable. If it is, you'd still have to have a reference to detect it.

Bottom line is that the threat vector is firmware flashing, and even then it's limited to altering the display.

user10216038
  • 8,123
  • 2
  • 18
  • 22