Ang Cui & Jatin Kataria - A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors


Manage episode 215601412 series 2427673
By DEF CON. Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio is streamed directly from their servers. Hit the Subscribe button to track updates in Player FM, or paste the feed URL into other podcast apps.

Materials: CON 24/DEF CON 24 presentations/DEFCON-24-Ang-Cui-and-Jatin-Kataria-A-Monitor-Darkly-UPDATED.pdf

A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors
Ang Cui PHD, CEO & Chief Scientist, Red Balloon Security?
Jatin Kataria Principal Research Scientist, Red Balloon Security?
Francois Charbonneau Research Scientist, Red Balloon Security

There are multiple x86 processors in your monitor! OSD, or on-screen-display controllers are ubiquitous components in nearly all modern monitors. OSDs are typically used to generate simple menus on the monitor, allowing the user to change settings like brightness, contrast and input source. However, OSDs are effectively independent general-purpose computers that can: read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels. We demonstrate multiple methods of loading and executing arbitrary code in a modern monitor and discuss the security implication of this novel attack vector.


We also present a thorough analysis of an OSD system used in common Dell monitors and discuss attack scenarios ranging from active screen content manipulation and screen content snooping to active data exfiltration using Funtenna-like techniques. We demonstrate a multi-stage monitor implant capable of loading arbitrary code and data encoded in specially crafted images and documents through active monitor snooping. This code infiltration technique can be implemented through a single pixel, or through subtle variations of a large number of pixels. We discuss a step-by-step walk-through of our hardware and software reverse-analysis process of the Dell monitor. We present three demonstrations of monitoring exploitation to show active screen snooping, active screen content manipulation and covert data exfiltration using Funtenna.


Lastly, we discuss realistic attack delivery mechanisms, show a prototype implementation of our attack using the USB Armory and outline potential attack mitigation options. We will release sample code related to this attack prior to the presentation date.
Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security. Dr. Cui received his PhD from Columbia University in 2015. His doctoral dissertation, titled "Embedded System Security: A Software-based Approach", focused exclusively on scientific inquiries concerning the exploitation and defense embedded systems. Ang has focused on developing new technologies to defend embedded systems against exploitation. During the course of his research, he has uncovered a number of serious vulnerabilities within ubiquitous embedded devices like Cisco routers, HP printers and Cisco IP phones. Dr. Cui is also the author of FRAK and the inventor of Software Symbiote technology. Ang has received various awards on his work on reverse engineering commercial devices and is also the recipient of the Symantec Graduate Fellowship and was selected as a DARPA Riser in 2015.


Jatin Kataria is a Principal Research Scientist at Red Balloon Security. His research focus is on the defense and exploitation of embedded devices. Jatin earned his master’s degree from Columbia University and a bachelor’s degree from Delhi College of Engineering. Previously, he has worked as a System Software Developer at NVIDIA and as an Associate Software Engineer at Mcafee.


Francois Charbonneau is a embedded security researcher who spent the better part of his career working for the Canadian government until he got lost and wondered into New York City. He now works as a research scientist for Red Balloon Security where he lives a happy life, trying to make the world a more secure place, one embedded device at a time.

104 episodes