We think of our monitors as passive entities. The computer sends them data, and they somehow—magically?—turn it into pixels which make words and pictures.
But what if that wasn't the case? What if hackers could hijack our monitors and turn them against us?
As it turns out, that's possible. A group of researchers has found a way to hack directly into the tiny computer that controls your monitor without getting into your actual computer. From there, they can both see the pixels displayed on the monitor, effectively spying on you, and manipulate the pixels to display different images.
"We can now hack the monitor and you shouldn't have blind trust in those pixels coming out of your monitor," Ang Cui, the lead researcher who came up with this ingenious hack, told me earlier this week.
Cui, the chief scientist at Red Balloon Security and a recent PhD graduate from Columbia University, presented his findings at the Def Con hacking conference in Las Vegas on Friday along with Jatin Kataria and other colleagues.
During a demo at the Red Balloon offices in New York City earlier this week, Cui and his colleagues showed me how the hack works. Essentially, if a hacker can get you to visit a malicious website or click on a phishing link, they can then target the monitor's embedded computer, specifically its firmware. This is the computer that controls the menu to change brightness and other simple settings on the monitor.
The hacker can then put an implant there programmed to wait for further instructions. Then, the way the hacker can communicate with the implant is rather shrewd. The implant can be programmed to wait for commands sent over by a blinking pixel, which could be included in any video or a website. Essentially, that pixel is uploading code to the monitor. At that point, the hacker can mess with your monitor.
In practice, Cui said this could be used both to spy on you and to show you stuff that's actually not there. A scenario where that could be dangerous is if hackers mess with the monitor displaying controls for a power plant, perhaps faking an emergency.
"Can I get you to shut down the power plant?" Cui asked rhetorically, with a sly smile. "I can do that."
The researchers warn that this is an issue that could potentially affect one billion monitors, given that the most common brands all have processors that are vulnerable.
"If you have a monitor, chances are your monitor is affected," Cui, who last year showed how to turn printers into bugging devices, told me.
The attack, however, has a downside: images are slow to load, so it's perhaps not the most effective way to manipulate things quickly on the victim's computer. But that wouldn't be an issue if hackers are targeting industrial control system monitors, whose displays are mostly static.
For Cui, in any case, the point of the research is to show that this is possible, and that we shouldn't consider monitors as untouchable, unhackable things.
"We now live in a world where you can't trust your monitor," Cui concluded.