00:00:00.000-->00:00:05.005 Alright, hey everybody, this is Ang Cui and Jaden Quitaria. They wanna talk to ya about a monitor 00:00:07.140-->00:00:12.145 darkly. Give 'em a round, can we, come on congratulate them for getting up here. [laughter & 00:00:17.818-->00:00:21.488 applause] >>Vegas! [applause] Thank you. Alright we're going to get stuff showing on the 00:00:21.488-->00:00:26.493 monitors. And it's all going to work. Alright. [clears throat/sighs] Okay! So uh this 00:00:32.766-->00:00:37.771 is work that we've done for the last two years in our spare time. So uh I wanted to tell you 00:00:37.771-->00:00:43.744 this story of how we did it and uh what we found uh over that time. So we have a big cast of 00:00:43.744-->00:00:49.416 characters okay. My name is Ang. Jaden is underneath this table; he will sometime reappear for 00:00:49.416-->00:00:55.455 this talk. Uh we have a very strong Canadian in Francois uh who we worked with but he 00:00:55.455-->00:01:01.261 couldn't show up to this. Today we have uh a person named Igor which we'll talk about. We have 00:01:01.261-->00:01:07.100 a very uh concerned area man named Chris. And the last but definitely not least we have 00:01:07.100-->00:01:11.004 area man of concern named Shakeve. And if you see his face in your monitor things are 00:01:11.004-->00:01:16.043 really going to be bad and he's actually in the in the audience today. So watch out. Alright! So 00:01:16.043-->00:01:21.014 today's primary main objective is to go after these little devices that you connect to your 00:01:21.014-->00:01:25.319 computer that put pixels up on your monitors. We all know what they are. Okay and uh and 00:01:25.319-->00:01:29.756 motivation in why we are interested in monitors. You know a good hacker right is a lazy 00:01:29.756-->00:01:36.697 hacker so if you think about this page right [clears throat] uh When you see this page you 00:01:36.697-->00:01:41.168 think you're talking to your bank right?
The little green pixels on the uh left side here 00:01:41.168-->00:01:46.506 right makes you think this is an encrypted communication and you're safe. Now think about all the 00:01:46.506-->00:01:51.878 resources and the research and and the the money we spent to create this infrastructure uh so 00:01:51.878-->00:01:55.682 that we can have this internet with you know with SSL right that will show you these green 00:01:55.682-->00:01:59.319 pixels. You know you have to secure the browser you have to secure the kernel you have to 00:01:59.319-->00:02:02.689 secure the you know the infrastructure for doing certificates and all this other 00:02:02.689-->00:02:07.194 stuff. I would say we've probably cumulatively probably invested over a billion dollars 00:02:07.194-->00:02:11.431 to make this infrastructure exist today the way it does. Okay, so let's look at the 00:02:11.431-->00:02:15.669 context in which we see this website. Okay? So, we view it through this tiny little 00:02:15.669-->00:02:19.840 computer with a big screen on it that we call the monitor. Alright so the lazy hacker would 00:02:19.840-->00:02:25.912 say, you know if I wanted to break the pixels that show me green, I could either break the 00:02:25.912-->00:02:30.183 security for the [indiscernible] you know built with a billion dollars of investment or 00:02:30.183-->00:02:34.588 whatever the security is inside this little monitor right? And you know maybe it's not so great 00:02:34.588-->00:02:39.593 and that's what we're here to talk about. Okay so this whole thing started back in 2015 when 00:02:42.529-->00:02:48.735 uh Jaden and I got really sweet new monitors and we bought these things and we said Wow! This is 00:02:48.735-->00:02:53.507 beautiful and uh as soon as we plugged it in you know we noticed that this really curious 00:02:53.507-->00:02:59.579 thing right the USB device on it said you know TUSB34 pin boot device right? And USB 23C 00:02:59.579-->00:03:03.750 solution.
So we looked at that and we said ah that's very interesting, right? So like a 00:03:03.750-->00:03:10.090 minute of Googling later we found this really useful uh Dell forum uh response by Chris uh so 00:03:10.090-->00:03:14.761 somebody asked, Hey you know I uh I don't have a driver for this you know T34 you know 00:03:14.761-->00:03:18.765 [indiscernible] boot device you know what is it for? Is it a problem? And Chris from Dell 00:03:18.765-->00:03:22.135 says, Eh don't worry about it. You know that driver is only there for firmware updates which 00:03:22.135-->00:03:26.306 we'll probably never do. Right? But if you want the driver here it is. And I looked at that and 00:03:26.306-->00:03:32.279 said how interesting. Right? So Jaden and I started thinking and I say, Hey Jaden let's tear down 00:03:32.279-->00:03:36.349 this 34-inch monitor that we have laying around. >>Well we already have awesome monitors. 00:03:36.349-->00:03:40.454 Uh why don't we take that uh that 3-quarter inch which is not doing anything? >>Yeah and then 00:03:40.454-->00:03:44.491 we're cool with this but then Chris hears this right you know nearby and he says like these 00:03:44.491-->00:03:48.495 monsters have no heart. Like there's no end to their savagery. And I also have a 00:03:48.495-->00:03:54.167 million Vim plug-ins and my life is sad. Right? [laughter] And and we said aww this is really 00:03:54.167-->00:03:57.804 the saddest thing I've ever seen so where are we going to find these monitors? >>Why don't we 00:03:57.804-->00:04:01.241 go to the interns? They don't need monitors. >>Yeah we can >>They have like 24 of them 00:04:01.241-->00:04:05.378 sitting around doing nothing. >>Yeah we got a pit of interns they get 24-inch monitors. They 00:04:05.378-->00:04:10.183 don't need them. Right? So we started looking at the 2410s instead of the curved ones.
And 00:04:10.183-->00:04:14.988 uh like 15 minutes of Googling later we found this really nice document that described a USB 00:04:14.988-->00:04:20.427 firmware upgrade instruction. Okay? And this instruction is insultingly clear because the 00:04:20.427-->00:04:24.231 first instruction is that the power goes into the power wall thing. Right? And then the 00:04:24.231-->00:04:30.403 USB goes into the USB thing. But then you know it talks about this uh U2410 ISP tool, 00:04:30.403-->00:04:36.009 in-circuit programmer. Uh and then we get you know we started to get very interesting 00:04:36.009-->00:04:41.047 results. Right? So we're seeing screen shots of this Dell utility that doesn't require any 00:04:41.047-->00:04:45.152 administrative privilege. That you know starts up a bunch of stuff and at the end of the day 00:04:45.152-->00:04:51.091 right? Runs you know things like app tests and a lot of other mystery. And uh just does the 00:04:51.091-->00:04:55.662 firmware upgrade for you. So we looked at the the output of this program we say you know what is 00:04:55.662-->00:05:00.000 an app test? Like what is this all about? We started Googling right? We found a lot of you 00:05:00.000-->00:05:04.704 know documents mentioning Genesis and G-Probe and all this other stuff. And we also found 00:05:04.704-->00:05:09.709 these documents from you know the late 90's and early 2000's that had all these mystery 00:05:09.709-->00:05:13.580 hardware that updates firmware from these really old monitors. So if you see the one on the 00:05:13.580-->00:05:18.552 bottom there's a parallel port with power supply going to VGA. Right? And somehow this hardware 00:05:18.552-->00:05:23.657 changes firmware on on monitors. Uh so we start Googling more! Alright we find mention of ST 00:05:23.657-->00:05:29.196 Micro, analog, safina and Dell. So we're trying to figure out what this is all about! Okay?
Uh 00:05:29.196-->00:05:33.266 so like days and days of Googling later we figured out roughly how this happens. So app 00:05:33.266-->00:05:39.806 test is a thing that is used by G-Probe which was created by a company named Genesis and they 00:05:39.806-->00:05:43.210 were a big player in the on screen display controller market. You know in the early 00:05:43.210-->00:05:48.949 2000's. Right? From there we did a lot of Googling and here's what happened. Okay? So in 2002 00:05:48.949-->00:05:55.589 Genesis created G-Probe and G-Probe, well Genesis, was in 2008 later sold to ST Micro. And then 00:05:55.589-->00:06:02.095 ST Micro threw in some of their IP and created this thing called the ST DP 6000 something. Right? 00:06:02.095-->00:06:07.701 That chip was then sourced to Intellucks which is partially owned by Foxconn which is then 00:06:07.701-->00:06:12.005 what something that the analyst built a board that was eventually used in Dell 00:06:12.005-->00:06:18.078 monitors. Alright? So this is how you know somebody wrote 2 various and secret codes in 2002 00:06:18.078-->00:06:22.382 that caused you know probably a few hundred million printer monitors in the world being 00:06:22.382-->00:06:26.586 vulnerable today. So that's you know how it happened basically. And now we were able to get a 00:06:26.586-->00:06:30.590 copy of G-Probe. Alright? So this is a screen shot of what it looks like. You know the 00:06:30.590-->00:06:36.263 interesting thing to look at here is the software says we can connect to the monitor via 00:06:36.263-->00:06:42.168 things like serial. Right? And also USB. And uh we're looking at things like the DDC 2BI. 00:06:42.168-->00:06:47.340 Right? So that's something that's important to look at; we'll come back to it later. So we got a copy 00:06:47.340-->00:06:51.011 of this from [indiscernible] tool. Right? We ran it in a virtual machine.
We dumped a lot 00:06:51.011-->00:06:56.349 of USB traffic and we noticed that there are DDC packets embedded inside USB packets. 00:06:56.349-->00:07:01.554 Okay? So Jaden's going to talk a little bit about what DDC is. >>So uh DDC is like a display 00:07:01.554-->00:07:07.727 data channel communications. Set up by uh VESA. So this is used by the host adapter to query the 00:07:07.727-->00:07:11.865 monitor about uh hardware capabilities. What is the vendor? What resolution does it 00:07:11.865-->00:07:16.736 support? And blah blah blah. And then if you go to the there's multiple versions of uh DDC 00:07:16.736-->00:07:21.741 which exist. Uh there's DDC 2B, 2BI, AB, d 2B plus. And what we're working with here is 2BI. 00:07:24.010-->00:07:29.582 And which is um a next version of 2B which works all that I can see and talks to the host 00:07:29.582-->00:07:35.655 adapter. So here is what uh any [indiscernible] of communication started with uh host adapter to 00:07:35.655-->00:07:39.993 the monitor happens. It sends a [indiscernible] with the code CF. Uh which is [indiscernible] 00:07:39.993-->00:07:46.266 vendor code. Uh and it is wrapped over uh it's wrapped in USB mass storage uh back end 00:07:46.266-->00:07:51.271 which is sent over to USB. Then uh the USB request log contains the DDC 2BI package which is 00:07:54.140-->00:07:59.546 encapsulation over G-Probe packet. Uh to do like different commands. So one of the commands 00:07:59.546-->00:08:04.718 if you look in here is run go command. Which allows us to put PC anywhere in the monitor. 00:08:04.718-->00:08:10.557 >>How how convenient right? And uh if we look into the G-Probe documentation right? Uh all the 00:08:10.557-->00:08:15.261 trace algorithms are laid out here for you. They're very simple. So again we're taking 00:08:15.261-->00:08:19.566 messages that are supposed to go into I2C packets into USB and sending it over to the monitor 00:08:19.566-->00:08:25.271 via the USB interface.
Okay so yeah let me show you a really simple uh communication between 00:08:25.271-->00:08:30.343 the host and the the monitor. So I'll play the monitor. Jaden will play the host. Okay? >>Um 00:08:30.343-->00:08:36.182 monitor initiate incoming communication. Give me registry. >>I as the monitor say I 00:08:36.182-->00:08:41.087 acknowledge your request for initiation of communication. >>I acknowledge your acknowledgement 00:08:41.087-->00:08:47.360 that you started that you want to initial communication. >>Okay I have uh acknowledged that you 00:08:47.360-->00:08:51.498 have run the read registry command. End of acknowledgement. Okay, but we're not done yet. 00:08:51.498-->00:08:55.268 Alright this is just the send the command. >>Okay this is like 6 packets to send the command. 00:08:55.268-->00:08:58.838 Uh hey monitor let's do a communication again. Uh give me the response of my previous 00:08:58.838-->00:09:03.009 command. >>I acknowledge your request for initiation of communication. >>I acknowledge 00:09:03.009-->00:09:06.279 your acknowledgement that you want the communication. [laughter] >>Okay I have the 00:09:06.279-->00:09:11.985 result for you from reg read. End of communication. Goodbye. >>So 12 packets to get 2 bytes 00:09:11.985-->00:09:17.090 out of the monitor. [laughter] >> Great. But uh it works. You know that's how that's how the 00:09:17.090-->00:09:20.360 monitor's doing it. Right? And this is the mechanism that the monitor uses to update the 00:09:20.360-->00:09:24.097 firmware from USB into the onscreen display controller. Okay? So we read some 00:09:24.097-->00:09:28.535 documentation, let's void the warranty, let's figure out what the hardware looks like. So 00:09:28.535-->00:09:32.272 we opened up the back of the monitor. This is pretty typical. Right? The top of the board is 00:09:32.272-->00:09:36.543 where all the power stuff is and the digital stuff is on the bottom. Okay?
And uh here is an 00:09:36.543-->00:09:40.013 architectural diagram. Right? So you have main ST Micro uh on the upper left hand corner. Notice 00:09:40.013-->00:09:42.015 that that chip sits on an I2C bus which is connected to a multiplexer chip and that's the 00:09:42.015-->00:09:44.951 uh the 48 53. Right? And that multiplexer again sits on a second I2C bus which is 00:09:44.951-->00:09:49.956 connected to a USB controller. Right? Which is the thing we are talking to. So traffic comes 00:09:57.931-->00:10:01.901 into this USB controller. Goes into the I2C bus. Goes through this multiplexer then 00:10:01.901-->00:10:06.473 eventually ends up directly on the I2C bus for the uh onscreen display controller. So we're 00:10:06.473-->00:10:11.845 able to send raw I2C packets through USB to this machine. There that's how things 00:10:11.845-->00:10:16.549 work. And we flipped the board over. This is pretty typical. We found an SPI flash chip that we 00:10:16.549-->00:10:20.353 were able to dump. So we dumped the code. And this is something we like to do. We like 00:10:20.353-->00:10:25.859 to do 2-D render you know visualization of entropy. Ah so you know off the top of 00:10:25.859-->00:10:29.362 our heads we looked at this thing and we said I have no idea what that is. 00:10:29.362-->00:10:32.932 That looks pretty sweet. Right? Uh it's high entropy followed by low entropy. There's certainly a 00:10:32.932-->00:10:37.437 pattern there. Uh this stuff you know somewhere in the middle probably looks like code. Uh 00:10:37.437-->00:10:42.609 stuff over here maybe data. Right? It's high entropy. Right? I mean it's low entropy but it 00:10:42.609-->00:10:46.646 looks like there's some stuff in there that's interesting. And who knows? Maybe this is 00:10:46.646-->00:10:51.117 compressed data. We don't really know. And then we took it and we just ran strings on this thing.
00:10:51.117-->00:10:54.787 And you know we're seeing a lot of stuff that we're you know we saw in the documentation. So 00:10:54.787-->00:10:59.559 there's app test. Right? Mentions of you know picture in picture. And things like OSD 00:10:59.559-->00:11:03.730 hide and OSD show right? So this looks like we're on the right track. We want to play with 00:11:03.730-->00:11:09.302 these things. So, then I said obviously let's throw this in IDA and see what happens. Right? 00:11:09.302-->00:11:13.573 And this is what IDA did. Right? And you know we looked at it and we said oh this is really 00:11:13.573-->00:11:18.845 hard. We can't figure out how to disassemble Turbo 186. Which is the architecture here. So we 00:11:18.845-->00:11:23.917 started Googling around and it seems like somebody on open universe in 2008 probably did 00:11:23.917-->00:11:28.354 exactly this research but maybe didn't tell anybody. Because they're asking about exactly the 00:11:28.354-->00:11:31.991 same architecture and exactly the same format. And I think the binary is actually from one of 00:11:31.991-->00:11:36.229 these us former updates. So we looked at this. And we said oh we don't like [indiscernible] so 00:11:36.229-->00:11:39.832 we're going to go do something more fun. Right? And we put it down. And we didn't work on it 00:11:39.832-->00:11:45.238 for like 6 months. Ah and then 2016 comes along right? And Jaden and I are sitting around 00:11:45.238-->00:11:49.409 and this is really bothering us. You know. I have no idea how this works. Like computers are 00:11:49.409-->00:11:55.815 hard. So we just said write Igor an email. Right? And uh in 6 hours or 8 hours Igor responds 00:11:55.815-->00:12:00.286 and it says like here's a long and full explanation of how IDA works and Turbo 186. And also I 00:12:00.286-->00:12:03.723 already disassembled this thing for you simple.
>>So this [indiscernible] tag says 00:12:03.723-->00:12:05.725 basically uh [indiscernible]......monitor to update the [indiscernible] on 00:12:05.725-->00:12:10.730 the device. And it was like uh 200 kilobyte um I think? 2 megabyte. Uh and he had 00:12:14.200-->00:12:18.538 reversed uh everything and uh it was perfectly uh disassembled. And he gave it back to us. So we 00:12:18.538-->00:12:22.041 thought uh like we could do something like this with the formula monitor. >>Yeah so you 00:12:22.041-->00:12:25.111 know I read his email and I said I'm just going to do exactly what you did. Right? I got 00:12:25.111-->00:12:29.916 segment city everywhere. And nothing worked out. And I failed. And Jaden said let's now 00:12:29.916-->00:12:36.556 do that. >>So let's be monkeys and press space. So we we added a hotkey which uh if you add 00:12:36.556-->00:12:40.793 like um space or like it jumps to different references you won't get a control flow analysis 00:12:40.793-->00:12:46.366 but likely [indiscernible]. So if [indiscernible] is looking at it please sorry. Um so while we 00:12:46.366-->00:12:51.371 have now um we can run code but we want to do our um we want to run some sort of code on it. 00:12:53.539-->00:12:57.777 Right? So we use uh we went through the G-Probe um documentation and we found 3 00:12:57.777-->00:13:00.713 commands. One is registry which uh [indiscernible].......One code uh placing PC anywhere we 00:13:00.713-->00:13:05.718 want. And uh ram write which allows us to batch shell code uh into the memory. And uh there's 00:13:08.921-->00:13:13.926 no MMU so this is [indiscernible]. So we want so there's a concept of app test uh 00:13:16.596-->00:13:21.768 which is basically a unit test inside the monitor. Uh so it creates a context and it uh 00:13:21.768-->00:13:27.440 tears down the context and does something inside it. >>Yeah so now that we have this ability to 00:13:27.440-->00:13:31.811 write code into memory and then run code right?
We want to hijack something that seems 00:13:31.811-->00:13:36.616 like it might be useful. Uh to see if we can do a very simple hello world. So we found there's 00:13:36.616-->00:13:40.420 one function that says you know OSD fill rectangle you know that sounds like a good 00:13:40.420-->00:13:43.756 idea. We want to just put a rectangle on the screen to see if we can actually do this. 00:13:43.756-->00:13:46.793 >>That's batch it using [indiscernible] >>All right so Jaden wrote this thing and it 00:13:46.793-->00:13:50.963 turned out to be the grossest code that we've seen to that point. It gets way worse than this. 00:13:50.963-->00:13:55.601 Right? So this is what it looks like. Uh >>And I have I have looked at this for 3 weeks. 00:13:55.601-->00:13:59.272 >>Yeah and if you stare at this for hours and hours it will make you want to puke. Um >>It will 00:13:59.272-->00:14:05.278 get us close. >>And Jaden definitely did stare at this for hours and hours. And okay so now 00:14:05.278-->00:14:09.315 okay now that we're able to dump some memory from the firmware. Right? We're looking at the code 00:14:09.315-->00:14:13.720 with most of it disassembled. Right? We notice that most of the virtual memory 00:14:13.720-->00:14:18.257 address map is between this and this. Okay. But there's all these far calls to this very 00:14:18.257-->00:14:20.259 mysterious memory region. >>So we started uh we thought like um there's no reference to it and 00:14:20.259-->00:14:23.663 we do not understand how to get this code. So we started dumping code. Um we um so we wrote a USB 00:14:23.663-->00:14:25.665 dump and uh so we took there is there is a command which is listed called grand read. Uh but 00:14:25.665-->00:14:27.667 we were not able to make it work. Although it works now. So we used uh a reg read uh which 00:14:27.667-->00:14:32.672 allowed us to dump 2 bytes at a time. So imagine like uh doing those 12 packet transfers to get 00:14:44.617-->00:14:51.457 2 bytes out.
Uh so uh I wrote a memory dumper which allowed us to do uh 1 megabyte dump per 8 00:14:51.457-->00:14:55.094 minutes. >>Per 8 minutes. So remember those tall commands that you had to do. Right? We're 00:14:55.094-->00:15:00.166 doing those USB commands for what it is 100 bytes at a time right? So >>Yeah >>We this is 00:15:00.166-->00:15:05.171 what we did, it was dumb. Jaden writes the USB dumper. We dump and we wait and we dump and we 00:15:07.673-->00:15:11.410 wait and we dump. And this is very slow. Right? And then Francois comes along says like 00:15:11.410-->00:15:15.381 you guys dump too slow and totally do this differently. So he went off and he said I'm just 00:15:15.381-->00:15:20.453 going to reimplement the UART using GPIO pins in the SoC uh that's going to be way faster. 00:15:20.453-->00:15:23.523 And we're like no way that's going to work. You know. Two days later he comes back and he 00:15:23.523-->00:15:27.827 says UART implemented. Okay? He has hijacked standard in, standard out. So all of a sudden 00:15:27.827-->00:15:32.932 we had a UART over GPIO pins on the monitor that not only allowed us to dump arbitrary memory, 00:15:32.932-->00:15:37.904 it also allowed us to hijack all these these very important very useful debug messages. >>So 00:15:37.904-->00:15:41.874 it is very important important to know that right now we're working with the assumption that 00:15:41.874-->00:15:47.413 there is only one um micro controller and that SoC. Ah but after dumping the F thousand 00:15:47.413-->00:15:51.884 range we realized that it's actually a hardware abstraction there to talk to another chip. 00:15:51.884-->00:15:57.323 Uh and the processor inside the SoC which which uh it's called OSD now on screen display whose 00:15:57.323-->00:16:03.462 main uh function is to display images on the on the on the monitor.
But the other OCM which 00:16:03.462-->00:16:08.000 is on chip micro controller is actually talking to other devices uh uh that are common place 00:16:08.000-->00:16:13.840 inside the SoC and other um external interfaces. So the which is uh is 8000 00:16:13.840-->00:16:20.346 [indiscernible] is mapped to is uh OCM and F uh and OSD has its own code running inside SRAM. 00:16:20.346-->00:16:25.251 Um its own kind of processor. >>Yeah so at this point you know we now know that we're not 00:16:25.251-->00:16:28.955 working with just one processor; there's at least 2 different processors inside the SoC. 00:16:28.955-->00:16:32.725 Right? And they communicate using some memory mapped register that we don't really understand 00:16:32.725-->00:16:37.530 yet. And uh we kind of hit a wall. So we spent like a million years Googling and clicking on 00:16:37.530-->00:16:40.900 pretty much everything that we're not supposed to. Right? Until we found this beautiful 00:16:40.900-->00:16:45.771 site Dot 88 which is a place where people upload you know awesome proprietary documents 00:16:45.771-->00:16:51.043 for the internet and stuff. And uh you'll probably want to open this in a VM but it did give us 00:16:51.043-->00:16:55.882 the exact data sheet for this chip that we're working with and from there we found pretty much 00:16:55.882-->00:16:59.752 everything we needed to know about how this chip worked. Uh and we were right about this 00:16:59.752-->00:17:03.456 assumption that there is an OCM and an OSD chip and or OSD processor and they are 00:17:03.456-->00:17:08.261 completely separate. And they work more or less asynchronously from each other. Okay? So now 00:17:08.261-->00:17:11.864 that we have the data sheet we've done all the stuff you know let's try to display a 00:17:11.864-->00:17:15.968 picture. Right? Let's get that to work. First uh there are 3 things that we have to solve. 00:17:15.968-->00:17:19.939 And if we solve these things we've got picture display. Okay?
We'll have to figure out where 00:17:19.939-->00:17:24.543 to transfer the image to the monitor. Alright? We have to figure out how to trigger the 00:17:24.543-->00:17:28.681 image display function to you know display that image that we transferred. And then we also 00:17:28.681-->00:17:32.952 have to figure out you know what a color is. Right? How the colors are represented in this this 00:17:32.952-->00:17:38.424 monitor. >>So uh when you start booting the monitor right? Like if this image comes up. So the 00:17:38.424-->00:17:42.161 the theory was that if we find this image we will be able to find the code which loads this 00:17:42.161-->00:17:47.166 image and our quest will be over. But uh I I we had drunk sober and >>Very sober 00:17:49.835-->00:17:54.073 [indiscernible as they talk over each other] >>And uh after a few hours we came with our own 00:17:54.073-->00:17:59.045 analysis and uh we said that this is not a Dell image so what is this? um >>Well uh I mean so 00:17:59.045-->00:18:02.581 we looked at some part of the code. Right? This clearly doesn't hold the Dell logo. 00:18:02.581-->00:18:05.551 Right? But you know what about stuff like this on the on the left side? Right? Like maybe 00:18:05.551-->00:18:08.955 that's you know some representation of image. You know what is the thing on the 00:18:08.955-->00:18:14.794 left? Right? And if you stare at that too long it also does crazy things to your brain. Um okay! 00:18:14.794-->00:18:21.400 So then you know Francois comes along. Right? And uh we you know >>Yeah after like after a few days 00:18:21.400-->00:18:25.871 uh he came up with me like he wanted to [indiscernible] to stare at. And uh I looked at it 00:18:25.871-->00:18:32.578 for hours and uh Duh come on that's obviously an OSD command packet uh >>Great! I mean don't 00:18:32.578-->00:18:37.049 you see that? Obviously right? This is just you know in memory at run time. Right?
Just a big 00:18:37.049-->00:18:41.988 ol' blob of binary and Jaden stares at this thing and he says obviously this is this 00:18:41.988-->00:18:48.127 structure. >>So uh this OSD command packet allows the OSD to display packet uh anywhere in 00:18:48.127-->00:18:52.231 the screen. You can specify the coordinates. You can specify the size. You can specify the color. 00:18:52.231-->00:18:57.303 How many bits per pixel have to be used uh and uh what we understood after a lot of 00:18:57.303-->00:19:02.241 reverse analysis uh of the um I rom [indiscernible] This is how it actually works. So you write 00:19:05.478-->00:19:10.850 the OSD packet inside the OCM memory map. And then you engage the main engine to map this 00:19:10.850-->00:19:15.855 memory over to SRAM of OSD. And uh as long like uh as OSD is working asynchronously um it 00:19:17.890-->00:19:22.762 reads the packet and displays the image. And similarly you can transfer the image to the OSD 00:19:22.762-->00:19:26.565 using the main memory mapping. So this solved the first 2 questions which were transfer and 00:19:26.565-->00:19:32.505 display image. Right? And uh the APIs which were used to do this were SDRAM read uh to check 00:19:32.505-->00:19:38.177 verify our write. And the SDRAM write which allowed us to do all this. And this is what we came 00:19:38.177-->00:19:43.649 up with. This is probably the most gross blinking um box blinking program I have ever and if you 00:19:43.649-->00:19:48.587 look at it for hours you I have the [indiscernible] once. >>Uh alright wait you gotta see it. 00:19:48.587-->00:19:55.361 You guys all have to watch this with us now. Wait hold why did that >>So you will see >>No it 00:19:55.361-->00:19:58.497 doesn't want to play. Hold on. No No You're not gonna get >>Doesn't want to come up >>You're 00:19:58.497-->00:20:03.502 not off the hook. You gotta watch this video. [pause] >>Okay.
So as you will see that 00:20:05.704-->00:20:11.744 the blob [indiscernible] moved the box around anywhere on the screen. And uh >>That's so 00:20:11.744-->00:20:16.348 nauseating >>There is there was a blinking blob which I figured out after recon. >>Right but 00:20:16.348-->00:20:20.086 this is after days of looking at this non-stop. So the last question we have to figure out 00:20:20.086-->00:20:24.457 you know what is a color? Right? I mean is it a 32 bit color? How is it represented? So we did the 00:20:24.457-->00:20:28.994 reasonable thing and filled a rectangle with rows and rows of you know of color and 00:20:28.994-->00:20:35.401 incremental values from 0 1 2 3 4 etc. Uh so instead of getting very similar colors we got these 00:20:35.401-->00:20:41.574 colors. Right? So you know why is color 0 basically the same as color 2? Why is 1 totally 00:20:41.574-->00:20:46.345 different? Okay? And uh we didn't really know. Let's do some science. We take a tiny 00:20:46.345-->00:20:52.017 little microscope and we point it at specific pixels in order for us to figure out you know 00:20:52.017-->00:20:58.090 what color gets rendered into what um pixel value. So filled every rectangle with um value oh 00:20:58.090-->00:21:04.130 it's 0x33. Okay? And this is what we saw. So if you looked at it right R is blank. G is 100%. And 00:21:04.130-->00:21:08.768 B is 100% Right? So this is you know individual pixel cells that we're looking at. And then we 00:21:08.768-->00:21:14.473 said okay. Let's do instead of you know the same pattern we'd do 0x33 0x00 0x33 00:21:14.473-->00:21:20.913 0x00. So Jaden how many bits does the monitor use to represent each color? 00:21:20.913-->00:21:25.518 >>[indiscernible] So if 0 represents transparency and there's 2 pixels missing so it's 00:21:25.518-->00:21:31.290 4 bits per pixel. >>Right and then >>How do you encode colors with 4 bits? Right?
In normal 00:21:31.290-->00:21:35.060 RGB world each color each [indiscernible] is represented using 8 bits. And there 00:21:35.060-->00:21:40.966 [indiscernible] 32 bit color. So how do you do this [indiscernible]? >>Yeah so 00:21:40.966-->00:21:46.105 right? If you have 4 bits then you can have 1 bit for R, 1 bit for B you know etc. And that's 00:21:46.105-->00:21:49.842 clearly not what's happening here. So it turns out this monitor uses a thing called a 00:21:49.842-->00:21:54.380 color lookup table. Which is basically this index structure right? That uses 4 bits but can 00:21:54.380-->00:21:59.852 actually do 32 bit colors. So this allows you to save space. Right? You can have at most 16 00:21:59.852-->00:22:05.024 different colors, but you can have colors that are 32 bit deep. Um so now the big question 00:22:05.024-->00:22:11.664 is where's the lookup table? Can we change it? Can we modify it? Uh and then we did a very 00:22:11.664-->00:22:16.702 you know again very sober very collaborative work with Francois. Right? And we did this 00:22:16.702-->00:22:21.707 for days and days to try and figure this out. Where he dumped lots of memory and we helped a 00:22:21.707-->00:22:26.612 lot. And uh like 2 days later okay we finally find the structure that we think is the 00:22:26.612-->00:22:30.649 lookup table. >>So it works in a similar way to how we were transferring the images in the 00:22:30.649-->00:22:35.754 command packets. So you generate a specific color lookup table structure. And you write it to the OCM 00:22:35.754-->00:22:39.758 memory um memory map and that [indiscernible] displays the color for that specific image. 00:22:39.758-->00:22:42.761 >>Okay so we have everything that we need. Okay we gonna uh display a photo. And we did. 00:22:42.761-->00:22:45.297 Okay? So look at that. We have tiny little SSL locks. We have as many as we want wherever we want 00:22:45.297-->00:22:47.299 it. And that was sort of the point of this. Right?
Uh, but I looked at it and I said we still 00:22:47.299-->00:22:52.304 only have 16 colors. And that SSL lock actually had something like 20 >>26 >>26 colors! So 00:22:57.543-->00:23:02.481 that's not enough colors, Jaden. We need more colors. >>It's really hard, has been really hard 00:23:04.884-->00:23:09.488 now. >>Yeah. >>So we went through some docs and uh we figured out, like, uh, the hardware 00:23:09.488-->00:23:15.527 does support at least 8 bits per pixel. So uh, and, and until REcon we didn't have, we had only 4 bits 00:23:15.527-->00:23:19.265 per pixel, but now we have uh fixed it up to get 256 colors and the code is [indiscernible]. Uh, 00:23:19.265-->00:23:25.738 but after going over more analysis of the documentation, there is the documentation that 00:23:25.738-->00:23:30.242 we found. We, we found a breakpoint, so which means that we can halt the monitor, figure out 00:23:30.242-->00:23:34.146 everything, and this is like after like 90% of the research we have already done. We're 00:23:34.146-->00:23:40.085 spending like weeks on it. Um, even months, and now if, if we were to have access to this 00:23:40.085-->00:23:44.056 breakpoint we would have finished it in probably like one and a half weeks or 2 weeks. 00:23:44.056-->00:23:47.126 >>Yeah, so at this point Jaden and I just kind of like put our hands up in the air and was like, 00:23:47.126-->00:23:51.997 argh, I can't believe we missed that one. Or, that's terrible. You know, so we said like, interns, 00:23:51.997-->00:23:55.367 go do the rest of it. Right? Breakpoint everything, reverse it, tell us what it is, and 00:23:55.367-->00:23:59.204 Francois helped. The interns went out, uh, dumped the stack, dumped the heap, you know, found 00:23:59.204-->00:24:03.375 pretty much everything we needed to do. All the demos that I'll show you later. Uh, and then we 00:24:03.375-->00:24:09.281 find the treasure. 
>>This was very surprising because we, the OSD should be allowed to display 00:24:09.281-->00:24:13.452 a pixel on the image on the screen, but it should, it is very surprising that it has the 00:24:13.452-->00:24:18.324 capability to read pixels anywhere on the screen. And what can you do with that now? >>Yeah, 00:24:18.324-->00:24:22.761 we'll talk about that in a little bit. So we presented some of the research uh at REcon and 00:24:22.761-->00:24:26.598 after the presentation people who actually knew how monitors worked came up to us and said 00:24:26.598-->00:24:30.035 like, hey stupid! You don't actually even need the USB cable because, you know, there 00:24:30.035-->00:24:37.009 [indiscernible] I2C channels on uh DVI, HDMI and VGA etc. So we actually ported the code to 00:24:37.009-->00:24:42.848 run over the I2C interface. And now our demos do not require USB at all. Although it can be 00:24:42.848-->00:24:48.520 done over both channels. Um, and that stuff [indiscernible]. Now, let's have some fun with it. 00:24:48.520-->00:24:53.192 Right? Let's make a monitor implant. So let's assume that we have a very simple base implant 00:24:53.192-->00:24:57.963 in the monitor. Okay? And let's also assume that I'm a sneaky guy and I have control over a 00:24:57.963-->00:25:03.736 pixel. Right? So if I blink the pixel I should be able to transmit data to my, you know, 00:25:03.736-->00:25:08.841 base monitor implant. And I can do something very much similar to command and control. Right? 00:25:08.841-->00:25:13.679 So every time I sample a pixel I can change the data and I can do something like the command type, 00:25:13.679-->00:25:18.684 data, data, data, which allows me to load or return code or return data, execute code and do all sorts 00:25:18.684-->00:25:23.722 of other things. Now we take this pixel. We put it on the internet. Right? And as we know, 00:25:23.722-->00:25:29.228 the internet is used for one thing. Right? So we can put this pixel on photos of cats. Right? 
00:25:29.228-->00:25:34.266 We can do YouTube videos of cats. We even do, you know, movies about cats. And once we do this 00:25:34.266-->00:25:38.804 we can distribute this pixel down to millions and millions of monitors and we update them all 00:25:38.804-->00:25:43.041 at the same time. And we can have direct command, command and control down to those exact 00:25:43.041-->00:25:47.980 monitors. Okay? And within our organization this is commonly known as cat-based domination 00:25:47.980-->00:25:54.953 plan #7. Okay? Uh, now, so in the end what do we do? Okay? We figured out that we can change 00:25:54.953-->00:25:59.625 whatever pixel on the screen wherever we want. Uh, we can also see every pixel on the screen, 00:25:59.625-->00:26:03.562 which is really cool. And uh, for those folks who have followed our previous research, we even 00:26:03.562-->00:26:07.866 got Funtenna to work on the monitors as well, but that's its own conversation that we'll have 00:26:07.866-->00:26:13.872 later. So, you know, I've talked, right, we're going to do some demos. Okay? Uh, and then first I 00:26:13.872-->00:26:18.877 have to figure out how does this work? [indiscernible] [long pause] We swear there's an 00:26:36.495-->00:26:42.367 actual monitor underneath this table and the demo is not rigged. Uh, but shooting a camera 00:26:42.367-->00:26:47.372 at the monitor is a little bit difficult, so does it work? >>I think your >>No 00:26:55.247-->00:27:00.185 >>[indiscernible] >>Alright [indiscernible] we go >>Okay, so I'm gonna talk from under the 00:27:07.626-->00:27:12.631 table >>Yeah >>So first I'm going to show you how to put brand new people pictures on the 00:27:15.667-->00:27:20.672 screen and you can uh not remove it. So I'm, so this is Shakib that we talked about. And his 00:27:23.041-->00:27:27.312 picture is going to be on the monitor. 
>>So this is a typical, you know, you put new machine, no 00:27:27.312-->00:27:33.151 uh administrative privilege, and we're showing, you know, putting an image on the screen. Now we 00:27:33.151-->00:27:36.955 didn't do this in genhub but we can actually make this permanent. So imagine if that 00:27:36.955-->00:27:41.226 happened to you. How terrible your life would be? Alright? >>So my second attack will be, 00:27:41.226-->00:27:46.798 you all know about fortune, right? And it is not uh, it doesn't have any TLS uh 00:27:46.798-->00:27:49.902 capabilities. But I'm going to give it to you. >>We're going to secure fortune for everybody. 00:27:49.902-->00:27:53.672 >>We did! >>So check it out. Right? Can you like move it a little bit? If you can see that 00:27:53.672-->00:27:58.043 closely. Right? So we get to put SSL locks wherever we want. And if we just line it up right 00:27:58.043-->00:28:03.482 it'll be right on the browser where the SSL lock ought to be. So now fortune has SSL. So yay! 00:28:03.482-->00:28:10.422 >>Uh, the next attack will be, the, you, if you guys know about [indiscernible] faces, uh, where, 00:28:10.422-->00:28:14.993 you know, in power plants and uh [indiscernible] operator [indiscernible] what has gone 00:28:14.993-->00:28:19.932 wrong in a power plant system or a nuclear fusion system. So if you look at that green light it 00:28:19.932-->00:28:26.338 tells that uh, that uh whatever gun battle is perfectly working fine, but I'm going to change 00:28:26.338-->00:28:32.578 that to [pause] what >>Alright. So what if we were able to, right, show the different status of the 00:28:32.578-->00:28:36.949 uh industrial control system just by changing the pixels that said this pump is good, this pump 00:28:36.949-->00:28:42.120 is bad. What if we're able to change the operator's behavior just by changing the pixels on 00:28:42.120-->00:28:46.291 the monitor? Right? 
We'd have a fundamental trust of, you know, we trust that whatever pixels are 00:28:46.291-->00:28:50.162 coming out of the computer will be displayed on the monitor, and we're seeing that this is 00:28:50.162-->00:28:54.866 actually not even true. Okay? So the last one we're going to do is going to show the uh the 00:28:54.866-->00:28:58.537 blinking pixel command and control. You know, that we talked about? So on the left side, 00:28:58.537-->00:29:02.441 right? We have a PayPal page or PayPal account. Uh, I don't have any money in this PayPal account, 00:29:02.441-->00:29:07.312 which is really sad. Uh, Jaden's going to change that for me. Alright? >>I'm gonna put, how 00:29:07.312-->00:29:09.314 much money do you want? >>Like a mill, million dollars. >>Okay, let's do it. >>One million 00:29:09.314-->00:29:11.316 dollars. [pause] >>Alright, so I also gave it uh SSL protection, that phishing page. >>Great. 00:29:11.316-->00:29:17.889 [laughter/clapping] There ya go! >>I put a million dollars! >>And the way this is working is 00:29:17.889-->00:29:22.894 there's a tiny little blinking pixel on the right screen that's communicating to the monitor. 00:29:28.867-->00:29:34.072 Telling the monitor to put this image at this specific value. And uh we can do this, of course, 00:29:34.072-->00:29:38.110 in real time. >>But Ang, I don't want to give you a million dollars. I want to change it now. 00:29:38.110-->00:29:44.483 I'm >>Noooo >>No, let me, let me >>[giggle] >>So what we're doing is uh we gonna, so let's suppose 00:29:44.483-->00:29:49.488 we're going, we gonna send a command and control packet from our server. Oops 00:29:57.996-->00:30:03.001 [indiscernible] [long pause] my server has gone down. [long pause] [laughter] [talking off 00:30:11.143-->00:30:15.213 mic] >>Okay, so anyway, that's a demo. Right? And all the, all the code that went into this demo is 00:30:15.213-->00:30:20.218 up on our [indiscernible]. Is it working? Is it working? >>Okay, yep. >>Yeah? Okay. 
[long pause] 00:30:41.506-->00:30:46.511 [off mic noises] >>Okay, so I'm going to give you how much you want to [long pause] >>No, yeah, I 00:30:50.415-->00:30:55.087 mean. Okay, so anyway. All the code that went into this demo is in [indiscernible] already. Uh, the 00:30:55.087-->00:31:00.025 link is on [loud mic drop] [long pause] Okay, so let's talk about what this means. Okay? 00:31:10.168-->00:31:13.872 Implication-wise. You know, the first question is, you know, how big is this problem really? 00:31:13.872-->00:31:18.043 Right? We looked at a single on-screen display implementation for one type of monitor. Uh, you 00:31:18.043-->00:31:21.780 know, we certainly found some vulnerabilities in it, but, you know, is this a pervasive thing? 00:31:21.780-->00:31:26.118 So to answer that question we bought 4 other types of monitors that are very common. You know, 00:31:26.118-->00:31:30.255 they're on the budget end of things, 24 inch monitors that are approximately between 00:31:30.255-->00:31:36.828 $100 to $200. That we, we looked at Samsung, Dell, Acer, HP. And uh what's inside these guys, uh, 00:31:36.828-->00:31:42.901 these chips, these boards. Uh, the bad news is they're not uh STMicro. They don't run G-code or 00:31:42.901-->00:31:47.773 G-Probe. Uh, the good news is this one is MStar. That one is MStar. And this one is also 00:31:47.773-->00:31:52.677 MStar. And so is this one. Right? So it seems like MStar is uh, you know, very pervasive, 00:31:52.677-->00:31:57.449 right? A popular OSD controller that's used in the lower uh, the cheaper segment of the market. 00:31:57.449-->00:32:01.620 And it turns out that this really cool dude named Alex Bohlen already did all the work 00:32:01.620-->00:32:07.225 for us. So he figured out the way to uh do firmware updates to all MStar uh micro on-screen 00:32:07.225-->00:32:12.764 controllers. And uh this is actually like a feature inside the Linux kernel now. Right? So 00:32:12.764-->00:32:17.636 that's the link. 
This work has already been done. Um, so it looks like the same type of 00:32:17.636-->00:32:21.973 vulnerability that is fundamental to the Dell monitor is also within, it's also within 00:32:21.973-->00:32:26.044 these other MStar monitors, which means, you know, they probably would have made more than a 00:32:26.044-->00:32:30.115 billion monitors. Right? So in the last 10 years, and most of those, it looks like, will be 00:32:30.115-->00:32:34.619 vulnerable to some type of attack like this. Okay, and uh the next question is, you know, 00:32:34.619-->00:32:39.391 how practical is this attack? I mean, you guys have to make up your own mind about it. Right? But 00:32:39.391-->00:32:44.529 keep in mind that we don't have to have any privilege uh on the, on the computer in order to 00:32:44.529-->00:32:50.335 launch this type of thing. So any unprivileged code execution will allow permanent, persistent 00:32:50.335-->00:32:55.040 firmware modification inside the monitor. Right? And uh the last big question is, you know, how 00:32:55.040-->00:33:00.979 realistic is this fix? You know, because I, the way to fix this now, right, without a physical 00:33:00.979-->00:33:05.183 recall would be to have the vendor distribute a firmware update tool that patches some of 00:33:05.183-->00:33:10.522 these, you know, insecurities about firmware updates and code execution. Okay? But if they did 00:33:10.522-->00:33:14.659 that they would also release exactly the algorithm and the protocol for updating all the 00:33:14.659-->00:33:20.732 firmware, all the monitors. So this is not exactly a simple thing to do. Um, and uh, you know, 00:33:20.732-->00:33:24.603 this is um something that I would like the community to talk about. You know, is monitor 00:33:24.603-->00:33:30.709 security important? I think it is. How do we actually uh secure the monitors that we have now? 00:33:30.709-->00:33:35.513 Right? And how do we build more secure monitors in the future? 
So uh that's pretty much my 00:33:35.513-->00:33:41.386 presentation, and uh I have to say this, you know, we're, we're from Red Balloon Security. We do 00:33:41.386-->00:33:45.523 embedded security stuff when we're hired. So if you want to do this type of research, uh, get 00:33:45.523-->00:33:50.595 in touch with us. And also big thanks to [indiscernible] Abbot who did a lot of the demo code. 00:33:50.595-->00:33:55.533 Um, Bob drew all this stuff that wasn't terrible. And Brian, who also helped a lot and he's in 00:33:55.533-->00:34:00.538 the front row. So thank you very much. This is where the code is, uh, for all this work. Uh, check 00:34:00.538-->00:34:05.543 it out. [applause]