Presentation Material
Abstract
There are multiple x86 processors in your monitor! OSD, or on-screen-display controllers are ubiquitous components in nearly all modern monitors. OSDs are typically used to generate simple menus on the monitor, allowing the user to change settings like brightness, contrast and input source. However, OSDs are effectively independent general-purpose computers that can: read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels. We demonstrate multiple methods of loading and executing arbitrary code in a modern monitor and discuss the security implication of this novel attack vector.
We also present a thorough analysis of an OSD system used in common Dell monitors and discuss attack scenarios ranging from active screen content manipulation and screen content snooping to active data exfiltration using Funtenna-like techniques. We demonstrate a multi-stage monitor implant capable of loading arbitrary code and data encoded in specially crafted images and documents through active monitor snooping. This code infiltration technique can be implemented through a single pixel, or through subtle variations of a large number of pixels. We discuss a step-by-step walk-through of our hardware and software reverse-analysis process of the Dell monitor. We present three demonstrations of monitoring exploitation to show active screen snooping, active screen content manipulation and covert data exfiltration using Funtenna.
Lastly, we discuss realistic attack delivery mechanisms, show a prototype implementation of our attack using the USB Armory and outline potential attack mitigation options. We will release sample code related to this attack prior to the presentation date.
AI Generated Summary
This research investigates the security of computer monitors, focusing on vulnerabilities in their firmware and display controllers that allow an attacker to manipulate pixels on the screen without user interaction or administrative privileges. The work centered on Dell monitors using chips derived from the Genesis G-Probe system, a legacy firmware update mechanism from the early 2000s that remains prevalent in hundreds of millions of devices.
Key findings involved reverse-engineering the communication protocol. Firmware updates and control commands are transmitted via USB (or DDC/I2C on video cables) using a layered protocol that encapsulates G-Probe packets. The monitor’s internal architecture was discovered to contain at least two separate processors: an On-Chip Microcontroller (OCM) handling system tasks and an On-Screen Display (OSD) processor dedicated to rendering graphics. These communicate via shared memory and DMA.
The researchers developed techniques to read and write arbitrary memory, execute code, and control the OSD. By analyzing OSD command packets and the color lookup table (which uses 4-bit indices mapping to 32-bit colors), they gained the ability to inject persistent images anywhere on the screen and read pixel data from the framebuffer. This enables attacks such as forging security indicators (e.g., SSL padlocks), overlaying malicious content, or exfiltrating data by subtly modulating pixel colors.
Practical implications are significant. The attack surface exists across common interfaces (USB, HDMI, VGA) and requires no special hardware beyond a standard connection. An implant could receive commands via pixel patterns embedded in benign images or videos streamed to the monitor, providing a stealthy command-and-control channel. The research demonstrates that the visual output of a trusted display cannot be assumed authentic, undermining a fundamental user trust vector. Tools and proof-of-concept code were released to the public.