Ang Cui and Jatin Kataria work day-to-day at the company Red Balloon Security, and used their stage time at the Defcon conference to demonstrate how the tiny pixels on the screen can be manipulated to show something completely different from what’s actually there.
It was when the two researchers took apart a Dell monitor that they discovered that the controller inside any display can be used to log, and even change, its pixels. On stage, they demonstrated how the hacked screen could change small details on a web page. Specifically, they used the payment service PayPal, where they changed an account’s visible balance from 0 to 1,000,000 dollars.
The hack is the result of more than two years of research, so it is unlikely that the world is already flooded with hacked displays. Ang Cui and Jatin Kataria have also examined screens from brands such as Samsung, Acer and Hewlett Packard and found that the same vulnerability can most likely be exploited in these as well. The core of the problem lies in the firmware contained in the display controller.
“There is no security consideration in how monitor firmware is updated – it’s wide open in there,” said Ang Cui at the Defcon conference.
To lay the foundation for the hack, however, the perpetrator must first gain physical access to your monitor via an HDMI or USB connector.
By taking control of the pixels on the computer screen, cybercriminals could, for example, spy on the user, or destroy the screen by “burning” a permanent text box where a ransom is demanded for the message to be removed.