Ang Cui

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Ang Cui
Dr. Ang Cui of Red Balloon Security.jpg
Ang Cui

February 7, 1983
Beijing, PRC
OccupationCybersecurity researcher and consultant
OrganizationRed Balloon Security
Known forThrangrycat, Funtenna, Monitor Darkly

Ang Cui (pinyin: āng Cuī) is an American cybersecurity researcher[1] and entrepreneur. He is the founder and CEO of Red Balloon Security in New York City,[2] a cybersecurity firm that develops new technologies to defend embedded systems against exploitation.[3]


Cui was formerly a researcher with Columbia University's Intrusion Detection Systems Lab where he worked while pursuing his Ph.D. in computer science at Columbia University.[4][5][6] His doctoral dissertation, entitled “Embedded System Security: A Software-Based Approach,” focused on scientific inquiries concerning the exploitation and defense of embedded systems.[7] Cui received his Ph.D. in 2015, and founded Red Balloon Security to commercialize his firmware defense technology now known as Symbiote.[8][9]

Cui has publicly demonstrated security vulnerabilities in widely used commercial and consumer products, including Cisco[10][11] and Avaya VoIP phones,[12][13][14] Cisco routers[15][16] and HP LaserJet printers.[17][18][19][20] He has presented his research at industry events including Black Hat Briefings,[21][22][23][24] DEF CON conference,[25][26] RSA Conference,[27] REcon security conference[28] and the Auto-ISAC 2018 Summit.[29] Cui's security research has earned the 2011 Kaspersky Labs American Cup Winner,[30] 2012 Symantec Research Labs Graduate Fellowship[31] and the 2015 DARPA Riser[32]

In 2017, the United States Department of Homeland Security cited his company with the “Crossing the Valley of Death” distinction for the development of a commercially available cyber defense system for critical infrastructure facilities, which was produced following a 12-month DHS funded pilot study to evaluate cyber sabotage risks to the building systems of a DHS Biosafety Level 3 facility.[33][34][35]

Security Research[edit]


Cui is best known for his role in the development of Symbiote, a host-based firmware defense technology for embedded devices.[36]

Symbiote is injected into the firmware of a legacy embedded device where it provides intrusion detection functionality.[37][38][39][40] It does so by constantly checking the integrity of static code and data at the firmware level, in order to prevent unauthorized code or commands from executing. Symbiote is operating system agnostic and is compatible with most embedded devices.[41][42][43] Red Balloon Security has already released Symbiote for commercial printer brands like HP[44] and other devices.

On June 21, 2017, Red Balloon Security announced the launch of Symbiote for Automotive Defense, an automotive version of the standard Symbiote technology, at the Escar USA Conference in Detroit.[45]

In 2016, Popular Science named Symbiote one of the “9 Most Important Security Innovations of the Year.”[46]

HP LaserJet Printers[edit]

In 2011, Cui was part of a research effort at Columbia University, directed by Professor Salvatore Stolfo, to examine security vulnerabilities in HP LaserJet printers.[47] The project found chers announced significant security flaws in these devices which could allow for a range of remote attacks, including triggering a fire hazard by forcing the printer's fuser to continually heat up.[18]

HP released a firmware update soon after these findings were released.[20] However, team claimed they found 201 vulnerable HP laser jet printers in the U.S. Department of Defense's network and two at HP's headquarters months after the security patch was released.[41] In 2015, HP licensed Cui's Symbiote technology to use as a firmware defense against cyber attacks for its LaserJet Enterprise printers and multifunction printers.[48]

Cisco IP Phones[edit]

At the 29th Chaos Communication Congress in December 2012, Cui and Solfo presented the findings of their DARPA funded research study, which exposed a vulnerability in Cisco IP phones (CiscoUnified IP Phone 7900 series) that could allow an attacker to turn them into bugging devices.[49] The exploit gained root access to the device's firmware, which could enable the interception of phone calls. It would also allow an attacker to remotely activate the phone's microphone in order to eavesdrop on nearby conversations.[10]


At the 2015 Black Hat Briefings cybersecurity conference,[22][50] Cui unveiled a firmware exploit called “Funtenna”[51] which manipulates the electronic processes within common devices like printers, phones, and washing machines in order to create radio signals which could secretly transmit data outside of a secure facility.[52][53][54] The attack could even work with devices within an air-gapped system.[55][56]

News outlets such as Ars Technica and Motherboard noted Funtenna's potential for turning infected devices into covert spying tools.[55][21]

Monitor Darkly[edit]

At the DEF CON 24 security conference in 2016,[57] Cui, along with his principal scientist Jatin Kataria and security researcher Francois Charbonneau, demonstrated[58] previously unknown vulnerabilities in the firmware of widely used computer monitors, which an attacker could exploit to both spy on the user's screen activity and to manipulate what the user sees and engages with on the screen.[59][60]

Called “Monitor Darkly,” the firmware vulnerability was reported to affect Dell, HP, Samsung and Acer computer monitors.[61]

The vulnerability was specific to the monitors’ on-screen-display (OSD) controllers, which are used to control and adjust viewing options on the screen, such as brightness, contrast or horizontal/vertical positioning.[62] However, as Cui, Kataria and Charbonneau noted in their talk abstract for the 2016 REcon security conference, with the Monitor Darkly exploit, the OSD can also be used to “read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels.”[63]

The security news site CSO Online said about the vulnerability, “By exploiting a hacked monitor, they could manipulate the pixels and add a secure-lock icon by a URL. They could make a $0 PayPal account balance appear to be a $1 billion balance. They could change ‘the status-alert light on a power plant's control interface from green to red.’”[61]

The exploit was later used in a Season 3 episode of the Mr. Robot show, in which the FBI uses it to take screenshots of Elliot Alderson’s computer.[64][65]


At the 2017 REcon security conference, Cui and security researcher Rick Housley demonstrated[66] a new method for hacking processors through the use of an electromagnetic pulse, or EMP.[67]

Known as electromagnetic fault injection (EMFI), this class of attacks has been investigated before, but Cui and Housley’s new technique, known as “BadFET," is adapted to exploit modern computers and embedded devices, by impacting multiple components within these devices at the same time.[68] By using a 300 volt EMP pulse from 3 millimeters away, the BadFET attack bypasses the Secure Boot protection that keeps processors from running untrusted code.[68]

Cui and Housley also introduced an open source EMFI platform that makes BadFET available to other security researchers, for further analysis, testing and development.[67]


On May 13, 2019, Cui and his research team (composed of Jatin Kataria, Richard Housley and James Chambers)[69] jointly announced with Cisco[70] a critical vulnerability in Cisco's secure boot process[71] identified as CVE-2019-1649,[72][73] and referred to as “Thrangrycat”[74] by Red Balloon Security.

The vulnerability affects a key hardware security component developed by Cisco known as the Trust Anchor module (TAm).[75] The vulnerability is considered significant, as TAm underpins the secure boot process in numerous Cisco devices, including routers and switches.[76] As WIRED Magazine explained in its reporting on the Thrangrycat vulnerability: "Known as the Trust Anchor, this Cisco security feature has been implemented in almost all of the company’s enterprise devices since 2013. The fact that the researchers have demonstrated a way to bypass it in one device indicates that it may be possible, with device-specific modifications, to defeat the Trust Anchor on hundreds of millions of Cisco units around the world. That includes everything from enterprise routers to network switches to firewalls.”[77]

Cisco describes the TAm as a “proprietary, tamper-resistant chip”[78] that is “found in many Cisco products” and “helps verify that Cisco hardware is authentic.”[79]

The vulnerability could enable an attacker to modify the firmware of this module to gain persistent access on a network and carry out many different types of malicious activity, including data theft, importing malware and physical destruction of equipment.[80][81]

The New York Times called Thrangrycat “super alarming,”[82] with WIRED Magazine warning it has “massive global implications.”[77]

Thrangrycat is believed to be the first security vulnerability to be named with emoji symbols.[83]


  1. ^ Newman, Lily Hay (2018-01-18). "A New Way to Track Down Bugs Could Help Save IoT". Wired. ISSN 1059-1028. Retrieved 2019-03-03.
  2. ^ "Company Overview of Red Balloon Security, Inc". Bloomberg.
  3. ^ Lim, Dawn. "Startup Red Balloon Security Offers to Protect Printers, Phones, and Other Devices from Hackers". MIT Technology Review. Retrieved 2019-03-03.
  4. ^ Vamosi, Robert. "Cisco VoIP Phones Affected By On Hook Security Vulnerability". Retrieved 2019-03-03.</refdref name="auto">"The Columbia University Intrusion Detection Systems Lab". Retrieved 2019-03-03.
  5. ^ "Ang Cui | Columbia University -". Retrieved 2019-03-03.
  6. ^ "The Columbia University Intrusion Detection Systems Lab". Retrieved 2019-03-03.
  7. ^ Cui, Ang (2015). Embedded System Security: A Software-based Approach (Thesis). Columbia University. doi:10.7916/d8ns0tn9.
  8. ^ "DHS S&T Funded Technology Helps Protect Devices from Cyber Attacks". Department of Homeland Security. 3 November 2015. Retrieved 27 April 2019.
  9. ^ Ang Cui; Salvatore J. Stolfo. "Defending Embedded Systems with Software Symbiotes" (PDF). Retrieved 28 April 2019.
  10. ^ a b Goodin, Dan (2013-01-10). "Hack turns the Cisco phone on your desk into a remote bugging device". Ars Technica. Retrieved 2019-03-03.
  11. ^ "SEAS Computer Scientists Find Vulnerabilities in Cisco VoIP Phones | Columbia Engineering". 2017-01-31. Retrieved 2019-03-03.
  12. ^ "How to hack Avaya phones with a simple text editor". Security Affairs. 2015-04-22. Retrieved 2019-03-03.
  13. ^ Darren Pauli. "Infosec bod's brag: Text editor pops Avaya phones FOREVER". Retrieved 2019-03-03.
  14. ^ "Avaya to Patch Zero Days That Turn IP Phone into Radio Transmitters". Retrieved 2019-03-03.
  15. ^ Stolfo, Salvatore; Kataria, Jatin; Cui, Ang (2011). "Killing the Myth of Cisco IOS Diversity: Recent Advances in Reliable Shellcode Design". doi:10.7916/D8TB1H7N. Cite journal requires |journal= (help)
  16. ^ Snyder, Chris. "A cybersecurity expert showed us how hackers can tap into an office phone and listen to everything you're saying". Business Insider. Retrieved 2019-03-03.
  17. ^ Zetter, Kim (2011-11-29). "Hackers Can Remotely Set Ablaze HP Printers, Researchers Say". Wired. ISSN 1059-1028. Retrieved 2019-03-03.
  18. ^ a b Brodkin, Jon (2011-11-29). "HP printers can be remotely controlled and set on fire, researchers claim (updated)". Ars Technica. Retrieved 2019-03-03.
  19. ^ "Print Me If You Dare" (PDF). Retrieved 28 April 2019.
  20. ^ a b Welch, Chris (2011-12-24). "HP releases firmware fix for laserjet printer exploit". The Verge. Retrieved 2019-03-03.
  21. ^ a b Franceschi-Bicchierai, Lorenzo (2015-08-05). "How To Turn a Cheap Printer Into A Stealthy Bugging Device". Motherboard. Retrieved 2019-03-03.
  22. ^ a b "Black Hat USA 2015". Retrieved 2019-03-03.
  23. ^ "Black Hat USA 2013". Retrieved 2019-03-03.
  24. ^ "Black Hat USA 2012". Retrieved 2019-03-03.
  25. ^ "DEF CON® 24 Hacking Conference - Speakers". Retrieved 2019-03-03.
  26. ^ Franceschi-Bicchierai, Lorenzo (2016-08-06). "Hackers Could Break Into Your Monitor To Spy on You and Manipulate Your Pixels". Motherboard. Retrieved 2019-03-03.
  27. ^ "Ang Cui | RSA Conference". Retrieved 2019-03-03.
  28. ^ [1][dead link]
  29. ^ "In the Fast Lane – Auto-ISAC". Retrieved 2019-03-03.
  30. ^ "Ang Cui and Jatin Kataria win Kaspersky Labs American Cup | The Columbia University Intrusion Detection Systems Lab". Retrieved 2019-03-03.
  31. ^ "Graduate Fellowship Program | Symantec". Retrieved 2019-03-03.
  32. ^ "DARPA Rising Event Highlights Emerging Leaders in Science and Technology". Retrieved 2019-03-03.
  33. ^ "Re-inventing Cybersecurity R&D: How DHS is Innovating to Deliver More Secure Systems" (PDF). Retrieved 28 April 2019.
  34. ^ "R&D SHOWCASE AND TECHNICAL WORKSHOP 2016" (PDF). Retrieved 28 April 2019.
  35. ^ "Cyber Security Division Overview and Silicon Valley Innovation Program" (PDF). Retrieved 28 April 2019.
  36. ^ "Symbiote technology created by Ang Cui and Salvatore Stolfo named one of Popular Science's "Best of What's New" | Department of Computer Science, Columbia University". Retrieved 2019-03-03.
  37. ^ Ang Cui; Salvatore J. Stolfo. "Defending Embedded Systems with Software Symbiotes" (PDF). Retrieved 28 April 2019.
  39. ^ "Defending Embedded Systems with Software Symbiotes". ResearchGate. Retrieved 2019-03-03.
  40. ^ "Symbiote Technology to Repair Vulnerable Firmware |". Retrieved 2019-03-03.
  41. ^ a b Newman, Lily Hay. "Meet the Symbiote: The Ironclad, Adaptable Future of Antivirus Protection". Retrieved 2019-03-03.
  42. ^ Choi, Charles Q. "Auto-Immune: "Symbiotes" Could Be Deployed to Thwart Cyber Attacks". Scientific American. Retrieved 2019-03-03.
  43. ^ Newman, Lily Hay (2014-03-10). "The Internet of Things Needs Anti-Virus Protection". Slate Magazine. Retrieved 2019-03-03.
  44. ^ Wood, Lamont (2016-06-01). "Printer security: Is your company's data really safe?". Computerworld. Retrieved 2019-03-03.
  45. ^ Ng, Alfred. "This add-on could save millions of cars from hackers". Roadshow. Retrieved 2019-03-03.
  46. ^ "The 9 Most Important Security Innovations Of The Year". Popular Science. Retrieved 2019-03-03.
  47. ^ Sullivan, Bob (2011-11-29). "Exclusive: Millions of printers open to devastating hack attack, researchers say". NBC News. Retrieved 2019-03-03.
  48. ^ "DHS S&T Funded Technology Helps Protect Devices from Cyber Attacks". Department of Homeland Security. 2015-11-03. Retrieved 2019-03-03.
  49. ^ Storm, Darlene (2013-01-08). "Remotely listen in via hacked VoIP phones: Cisco working on eavesdropping patch". Computerworld. Retrieved 2019-03-03.
  50. ^ Blue, Violet. "Black Hat 2015: Cool talks, hot threat intel". ZDNet. Retrieved 2019-03-03.
  51. ^ GitHub - funtenna/funtenna_2015: Funtenna P0C code demonstrated at Blackhat 2015., funtenna, 2019-01-07, retrieved 2019-03-03
  52. ^ Newman, Lily Hay (2015-08-05). "A Printer That Sings Your Data for Hackers to Hear". Slate. ISSN 1091-2339. Retrieved 2019-03-03.
  53. ^ Pagliery, Jose (2015-08-05). "How your washing machine can steal computer files". CNNMoney. Retrieved 2019-03-03.
  54. ^ "Funtenna Malware Takes to the Airwaves to Steal Data". eWEEK. Retrieved 2019-03-03.
  55. ^ a b Gallagher, Sean (2015-08-06). ""Funtenna" software hack turns a laser printer into a covert radio". Ars Technica. Retrieved 2019-03-03.
  56. ^ "This Antenna Can Remotely Steal Data From Devices using Sound Waves". The Hacker News. Retrieved 2019-03-03.
  57. ^ "DEF CON® 24 Hacking Conference - Speakers". Retrieved 2019-05-24.
  58. ^ DEFCONConference (2016-11-10), DEF CON 24 - Ang Cui - A Monitor Darkly: Reversing and Exploiting Ubiquitous OSD Controllers, retrieved 2019-05-24
  59. ^ Franceschi-Bicchierai, Lorenzo (2016-08-06). "Hackers Could Break Into Your Monitor To Spy on You and Manipulate Your Pixels". Vice. Retrieved 2019-05-24.
  60. ^ Snyder, Chris. "Hackers can gain access to your computer monitor — a cybersecurity expert shows us how easy it is". Business Insider. Retrieved 2019-05-24.
  61. ^ a b Smith, Ms (2016-08-07). "Hacking computer monitors to spy and steal data". CSO Online. Retrieved 2019-05-24.
  62. ^ "What is on-screen display (OSD)? - Definition from". Retrieved 2019-05-24.
  63. ^ "A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors". REcon. June 18, 2016.
  64. ^ "'Mr. Robot' Rewind: Backdooring a monitor for FBI surveillance in Episode Two". GeekWire. 2017-10-20. Retrieved 2019-05-24.
  65. ^ Donovan, Kevin (2017-10-27). "Monitoring Mr. Robot". ObserveIT. Retrieved 2019-05-24.
  66. ^ "Defeating Secure Boot with EMFI" (PDF). REcon.
  67. ^ a b Housley, Rick; Cui, Ang (2017). "{BADFET}: Defeating Modern Secure Boot Using Second-Order Pulsed Electromagnetic Fault Injection". Cite journal requires |journal= (help)
  68. ^ a b Newman, Lily Hay (2017-06-21). "A Diabolical Way of Hacking a Chip With a Wave of Your Hand". Wired. ISSN 1059-1028. Retrieved 2019-05-24.
  69. ^ Kirk, Jeremy. "Cisco's 'Thrangrycat' Router Flaw Tough to Neuter". BankInfoSecurity. ISMG Network. Retrieved 14 May 2019.
  70. ^ "Cisco Secure Boot Hardware Tampering Vulnerability". Cisco Security Center. Cisco. Retrieved 13 May 2019.
  71. ^ Thomson, Iain. "It's 2019 so now security vulnerabilities are branded using emojis: Meet Thrangrycat, a Cisco router secure boot flaw". The Register. Retrieved 13 May 2019.
  72. ^ "CVE-2019-1649 Detail". National Vulnerability Database. NIST. Retrieved 13 May 2019.
  73. ^ "CVE-2019-1649". Common Vulnerabilities and Exposures. MITRE. Retrieved 24 May 2019.
  74. ^ Doctorow, Cory. "Thangrycat: a deadly Cisco vulnerability named after an emoji". Boing Boing. Retrieved 22 May 2019.
  75. ^ Barth, Bradley. "'Thrangrycat' flaw in millions of Cisco devices could enable 'Secure Boot' bypass". SC Magazine. SC Media. Retrieved 14 May 2019.
  76. ^ Kumar, Mohit. "Flaw Affecting Millions of Cisco Devices Let Attackers Implant Persistent Backdoor". The Hacker News. Retrieved 14 May 2019.
  77. ^ a b Newman, Lily Hay. "A Cisco Router Bug Has Massive Global Implications". WIRED. Conde Nast. Retrieved 13 May 2019.
  78. ^ "Cisco Trustworthy Technologies Data Sheet" (PDF). Cisco. Retrieved 24 May 2019.
  79. ^ "Cisco Secure Boot and Trust Anchor Module Differentiation Solution Overview". Cisco. Retrieved 24 May 2019.
  80. ^ Cimpanu, Catalin. "Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear". ZDNet. Retrieved 13 May 2019.
  81. ^ Robuck, Mike. "Red Balloon Security finds critical design flaw in Cisco routers, switches and firewalls". FierceTelecom. Retrieved 14 May 2019.
  82. ^ Warzel, Charlie. "The Internet Security Apocalypse You Probably Missed". The New York Times. Retrieved 21 May 2019.
  83. ^ Thomson, Iain. "It's 2019 so now security vulnerabilities are branded using emojis: Meet Thrangrycat, a Cisco router secure boot flaw". The Register. Retrieved 13 May 2019.