Ang Cui


Ang Cui is an American cybersecurity researcher and entrepreneur. He is the founder and CEO of Red Balloon Security in New York City, a cybersecurity firm that develops new technologies to defend embedded systems against exploitation.

Career

Cui was formerly a researcher with Columbia University's Intrusion Detection Systems Lab where he worked while pursuing his Ph.D. in computer science at Columbia University. His doctoral dissertation, entitled “Embedded System Security: A Software-Based Approach,” focused on scientific inquiries concerning the exploitation and defense of embedded systems. Cui received his Ph.D. in 2015, and founded Red Balloon Security to commercialize his firmware defense technology now known as Symbiote.
Cui has publicly demonstrated security vulnerabilities in widely used commercial and consumer products, including Cisco and Avaya VoIP phones, Cisco routers and HP LaserJet printers. He has presented his research at industry events including Black Hat Briefings, DEF CON conference, RSA Conference, REcon security conference and the Auto-ISAC 2018 Summit. Cui's security research has earned the 2011 Kaspersky Labs American Cup Winner, 2012 Symantec Research Labs Graduate Fellowship and the 2015 DARPA Riser
In 2017, the United States Department of Homeland Security cited his company with the “Crossing the Valley of Death” distinction for the development of a commercially available cyber defense system for critical infrastructure facilities, which was produced following a 12-month DHS funded pilot study to evaluate cyber sabotage risks to the building systems of a DHS Biosafety Level 3 facility.

Dukedom

In 2020, Cui received the noble title of duke from the Principality of Sealand. Cui's royal title grants him an official territory, or duchy, of one square foot within the micronation, which he has named SPACE. As a Duke of the Principality of Sealand, Cui joins the ranks of notable figures who have also received nobility titles from the micronation, including English cricketeer Ben Stokes and musician Ed Sheeran.

Security Research

Symbiote

Cui is best known for his role in the development of Symbiote, a host-based firmware defense technology for embedded devices.
Symbiote is injected into the firmware of a legacy embedded device where it provides intrusion detection functionality. It does so by constantly checking the integrity of static code and data at the firmware level, in order to prevent unauthorized code or commands from executing. Symbiote is operating system agnostic and is compatible with most embedded devices. Red Balloon Security has already released Symbiote for commercial printer brands like HP and other devices.
On June 21, 2017, Red Balloon Security announced the launch of Symbiote for Automotive Defense, an automotive version of the standard Symbiote technology, at the Escar USA Conference in Detroit.
In 2016, Popular Science named Symbiote one of the “9 Most Important Security Innovations of the Year.”

HP LaserJet Printers

In 2011, Cui was part of a research effort at Columbia University, directed by Professor Salvatore Stolfo, to examine security vulnerabilities in HP LaserJet printers. The project found chers announced significant security flaws in these devices which could allow for a range of remote attacks, including triggering a fire hazard by forcing the printer's fuser to continually heat up.
HP released a firmware update soon after these findings were released. However, team claimed they found 201 vulnerable HP laser jet printers in the U.S. Department of Defense's network and two at HP's headquarters months after the security patch was released. In 2015, HP licensed Cui's Symbiote technology to use as a firmware defense against cyber attacks for its LaserJet Enterprise printers and multifunction printers.

Cisco IP Phones

At the 29th Chaos Communication Congress in December 2012, Cui and Solfo presented the findings of their DARPA funded research study, which exposed a vulnerability in Cisco IP phones that could allow an attacker to turn them into bugging devices. The exploit gained root access to the device's firmware, which could enable the interception of phone calls. It would also allow an attacker to remotely activate the phone's microphone in order to eavesdrop on nearby conversations.

Funtenna

At the 2015 Black Hat Briefings cybersecurity conference, Cui unveiled a firmware exploit called “Funtenna” which manipulates the electronic processes within common devices like printers, phones, and washing machines in order to create radio signals which could secretly transmit data outside of a secure facility. The attack could even work with devices within an air-gapped system.
News outlets such as Ars Technica and Motherboard noted Funtenna's potential for turning infected devices into covert spying tools.

Monitor Darkly

At the DEF CON 24 security conference in 2016, Cui, along with his principal scientist Jatin Kataria and security researcher Francois Charbonneau, demonstrated previously unknown vulnerabilities in the firmware of widely used computer monitors, which an attacker could exploit to both spy on the user's screen activity and to manipulate what the user sees and engages with on the screen.
Called “Monitor Darkly,” the firmware vulnerability was reported to affect Dell, HP, Samsung and Acer computer monitors.
The vulnerability was specific to the monitors’ on-screen-display controllers, which are used to control and adjust viewing options on the screen, such as brightness, contrast or horizontal/vertical positioning. However, as Cui, Kataria and Charbonneau noted in their talk abstract for the 2016 REcon security conference, with the Monitor Darkly exploit, the OSD can also be used to “read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels.”
The security news site CSO Online said about the vulnerability, “By exploiting a hacked monitor, they could manipulate the pixels and add a secure-lock icon by a URL. They could make a $0 PayPal account balance appear to be a $1 billion balance. They could change ‘the status-alert light on a power plant's control interface from green to red.’”
The exploit was later used in a Season 3 episode of the Mr. Robot show, in which the FBI uses it to take screenshots of Elliot Alderson’s computer.

BadFET

At the 2017 REcon security conference, Cui and security researcher Rick Housley demonstrated a new method for hacking processors through the use of an electromagnetic pulse, or EMP.
Known as electromagnetic fault injection, this class of attacks has been investigated before, but Cui and Housley’s new technique, known as “BadFET," is adapted to exploit modern computers and embedded devices, by impacting multiple components within these devices at the same time. By using a 300 volt EMP pulse from 3 millimeters away, the BadFET attack bypasses the Secure Boot protection that keeps processors from running untrusted code.
Cui and Housley also introduced an open source EMFI platform that makes BadFET available to other security researchers, for further analysis, testing and development.

Thrangrycat

On May 13, 2019, Cui and his research team jointly announced with Cisco a critical vulnerability in Cisco's secure boot process identified as CVE-2019-1649, and referred to as “Thrangrycat” by Red Balloon Security.
The vulnerability affects a key hardware security component developed by Cisco known as the Trust Anchor module. The vulnerability is considered significant, as TAm underpins the secure boot process in numerous Cisco devices, including routers and switches. As WIRED Magazine explained in its reporting on the Thrangrycat vulnerability: "Known as the Trust Anchor, this Cisco security feature has been implemented in almost all of the company’s enterprise devices since 2013. The fact that the researchers have demonstrated a way to bypass it in one device indicates that it may be possible, with device-specific modifications, to defeat the Trust Anchor on hundreds of millions of Cisco units around the world. That includes everything from enterprise routers to network switches to firewalls.”
Cisco describes the TAm as a “proprietary, tamper-resistant chip” that is “found in many Cisco products” and “helps verify that Cisco hardware is authentic.”
The vulnerability could enable an attacker to modify the firmware of this module to gain persistent access on a network and carry out many different types of malicious activity, including data theft, importing malware and physical destruction of equipment.
The New York Times called Thrangrycat “super alarming,” with WIRED Magazine warning it has “massive global implications.”
Thrangrycat is believed to be the first security vulnerability to be named with emoji symbols.