← Back to context

Comment by gkbrk

14 hours ago

A monitor cannot install software on your computer by the way. It's Windows installing this software automatically (for some reason), so the blame should be on Microsoft.

Autorun of malware when you plugged in a USB drive was also a Windows issue, I'd classify this as the same security problem.

> A monitor cannot install software on your computer by the way.

I think everyone in the HN crowd knows that.

> the blame should be on Microsoft

No, they blame should ALSO be on Microsoft, they are the enablers.

  • > I think everyone in the HN crowd knows that.

    I actually did not. I know there is some degree of two-way communication over HDMI/DP, and was curious if this was how the software was installed. I think discussing the technical details is a great use of the HN comment section.

    (Wifi enabled display device -> HDMI -> Device) would be an incredibly interesting attack vector.

  • “I think everyone in the HN crowd knows that.”

    I would think everyone in the HN crowd would be aware of HEAC, the hdmi Ethernet channel, etc.

    With full access to the hosts tcp/ip stack, we’d do well not to overlook the potential vectors for a monitor to install software on your computer… especially when the operating system is complicit.

  • Ok, I don't use Windows and never will, so wasn't aware of this feature, and it would've been nice to have that context. Thought maaybe LG is exploiting a vuln in Windows via USB-C or over one of the niche HDMI features, but gathered it's not that.

> Autorun of malware when you plugged in a USB drive was also a Windows issue, I'd classify this as the same security problem.

Not really. AutoRun ran whatever was on the USB drive, with no oversight. This installs a driver from a company that's supposed to be reputable enough to get their driver signed by MS and pass validation. LG breached that trust here.

  • > that's supposed to be reputable enough to get their driver signed by MS and pass validation. LG breached that trust here.

    I think you overestimated how reputable is enough.

Actually it frequently can, since a modern monitor is often on USB and in a position to impersonate a keyboard and/or mouse.

I wouldn't put it past most of these companies.

The monitor should absolutely take the major part of the blame by being the source of the malware and poisoning the system for everyone else.

  • its not the source though is it? its not like it's downloaded via the hdmi cable, it comes from Microsoft that offer the service of installing crap

  • Ironically if Microsoft responded by just never signing LG software again, but kept this auto-install thing in, LG monitors would become the best to use with Windows.

Blame should be on the user for buying Windows

  • You are describing 'the blame should be on Windows'.

    The consequence of Windows having the blame is that one should not buy it.

  • that's funny; because my root cause analysis didn't show the user as the person making the decision to show themselves ads? did yours, or was the victim blaming intentional?

    • Not making the specific decision (showing ads) but making the general decision (giving power to Microsoft). Blaming customers for buying MS products is not really much different than blaming Trump voters for voting for him. In both cases risks were obvious beforehand.