Dial-a-Word

by Daniel Hargett

The information in this article should never be used to access any computer or device that you do not own or have permission to pen-test.

What is Digital Signage?

Digital signage is any TV with a computer connected to it that is designed to educate, entertain, or inform.

A good example is when you go to McDonald's and the menus are displayed on TV screens rather than traditional paper or lightbox menus.  Digital signage also encompasses any type of informational kiosk.

As LCD TVs have gotten bigger and thinner, more and more are being used in businesses to display information for guests or employees.  They will almost always be displaying videos or images and, just from looking at the screen, you can't tell much about the system powering it.  This article is designed to teach you how to determine what is powering the screen and how to access that system for your own benefit.

Scope

This article will introduce you to digital signage terminology and common types of digital signage.  We'll then delve into how they can be hacked on the local level.  Digital signage networks are usually vast, but much fun can be had simply by getting access to the physical device.  This is the realm we'll discuss today.

The Three Most Common Types of Digital Signage Installations

Screens and a Computer - This would be one or more screens connected to a computer (or player, as in digital media player) that displays information.  A standard install will have the player mounted behind the screen.  You may also find a bunch of wires running into the wall.  This means the player has been installed in a network closet somewhere or is part of a larger distribution system.

System on a Chip (SoC) - This is a screen with a computer built into it, so there is no external player to see or tinker with.  An example of this is a Samsung Smart TV with the Tizen OS on it.

USB/Memory Card - This is a normal TV where someone has plugged a USB drive or inserted a memory card with images/videos that just display on the screen.

Physical Access

Gaining physical access to these devices is typically very simple.

Since their purpose is to communicate a message to everyone nearby, they are usually placed in public areas.  You can check behind the screen and poke around in most spaces without arousing suspicion.  If you do this at a large busy place, like an airport, you can do nearly anything you want without question.  If you want a trickier target, like those McDonald's screens, you will need to use social engineering.

The best way to help your social engineering is to get a look at the back of the screen or the player connected to the device.  Look for any kind of inventory sticker or a logo sticker.  Digital signage integrators like to put stickers on the devices that direct people to a support number or just to brand the device as theirs, so you can usually find one pretty quickly.  If you cannot find one, a quick Yandex search can also tell you which company manages these devices.

Once you know who manages the screens, you can proactively approach an employee and let them know you're from that company and were sent to the location to troubleshoot an issue.  If they express distrust, you can always tell them that even though it is displaying correctly, the device needs to be online to update content and it currently isn't connected to the Internet.  That excuse will work 90 percent of the time.  Most employees don't know much about these screens or care, so a cursory cover story will go a long way.  Wear a polo shirt and jeans, look professional, and carry some kind of backpack or toolbox with some tools and a mouse/keyboard.  It's always handy to have a couple of TV remotes (or a universal remote) packed with you as well.

Determine the Type of Installation

Once you have comfortable physical access to the device, you need to determine what is powering the screen.

Look behind it and check for a computer.  If you don't see one, check and see if there are cables going into the wall behind it.  If there are no wires or only a power cable, then you are likely looking at a SoC or USB/memory card setup.  If you see the display cable (usually HDMI, but sometimes VGA) going into the wall or into a box with Ethernet coming out the other side into a wall, then you are likely looking at a unit that has the player placed in a network closet nearby.

The most common type of dedicated digital signage player is called BrightSign.  These are easy to spot as they will be entirely purple in color.  These run embedded Linux and you cannot do anything with them locally.  Hacking these is out of the scope of this article.  Another box you may run into could have a red ComQi logo on it.  These are also embedded Linux devices and you will not be able to hack them locally.

There are many other types of installations you may find.  There are many ways to set up a screen and a computer to display information.  I am trying to cover the most common cases you will find.  Now that you have determined the system type, let's move on to the fun part!

Hacking a Windows Player

Outside of BrightSign, this is by far the most common scenario you will run into.

I would recommend bringing a wireless keyboard/mouse for these.  You can connect the receiver and walk away; people might think it's being remotely controlled by someone not even in the building.

The important piece here is closing out the digital signage software.  This is the software that receives commands from a server on what to play and when to play it.  Of course, the first thing to try is good old Ctrl+Alt+Del, open "Task Manager", and kill any unnecessary tasks.  You'll know you've got the right one when the pictures/videos disappear from behind the "Task Manager".  Most signage systems have a watchdog that will start the software right back up, but at least you now know the name of the software.

A quick Yandex search will reveal to you how to kill the signage software most of the time.  Sometimes there is a password required to stop it.  In that case, it's handy to know the name of the company that installed it, as it is usually something simple like companyname123 or companynamesupport.  This is another place where social engineering can come in handy.  If a password is required, you can always call the company that installed it posing as an installation tech and request it.  These passwords are usually set to the same thing on all the devices, so even the lowliest phone techs will know it.
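For whoever provisions these players, the two weaknesses described above (a password built from the company name and the same password on every device) can be caught before deployment. The following is an added example, not part of the original article; the device names, the "Acme" integrator name and the word list are constructed assumptions.

```python
import re
from collections import defaultdict

LEET = str.maketrans("04135$7@", "oalessta")  # undo common character swaps
GENERIC = {"support", "admin", "tech", "signage", "kiosk", "password", "install"}


def weak_reason(password, org_names):
    """Return why a password is guessable from public information, or None."""
    # Drop trailing digits/symbols ("acme123"), undo swaps, keep letters only.
    core = re.sub(r"[\d\W_]+$", "", password.lower()).translate(LEET)
    core = re.sub(r"[^a-z]", "", core)
    for name in org_names:
        token = re.sub(r"[^a-z]", "", name.lower())
        if token and token in core:
            rest = core.replace(token, "")
            if rest == "" or rest in GENERIC:
                return f"derived from organization name '{name}'"
            return f"contains organization name '{name}'"
    if core == "" or core in GENERIC:
        return "generic or numeric-only password"
    return None


def audit_fleet(passwords_by_device, org_names):
    """Return (device(s), finding) pairs for weak or shared exit passwords."""
    findings, devices_by_password = [], defaultdict(list)
    for device, password in passwords_by_device.items():
        reason = weak_reason(password, org_names)
        if reason:
            findings.append((device, reason))
        devices_by_password[password].append(device)
    for devices in devices_by_password.values():
        if len(devices) > 1:
            findings.append((",".join(sorted(devices)), "same password on multiple players"))
    return findings


# Constructed inventory: "Acme" stands in for the integrator's name.
FLEET = {
    "lobby-01": "Acme123",
    "lobby-02": "Acm3Support!",
    "cafe-01": "Acme123",
    "dock-01": "t9#Lq2vX!rW8",
}

if __name__ == "__main__":
    for device, finding in audit_fleet(FLEET, ["Acme"]):
        print(device, "->", finding)
```

Run a check like this at provisioning time, before the secret is stored, and issue each player its own randomly generated password so that no single value unlocks the whole fleet.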

Another great tactic is to not even close the signage software.  Simply hit Ctrl+Alt+Del and go up to "File -> Run" and start explorer.exe.  If you can do that, it's now game over as you can see the installed software and uninstall it.  If a system is using Windows 10 Kiosk Mode, this will be the way to do it every time.  Some systems might also allow you to hit Ctrl+Tab to switch windows and you can then hit Alt+F4 to kill the software.

Once you have access to the OS or are able to get to the Control Panel where you can uninstall programs, uninstall the signage software and any remote access tools you might find (TeamViewer is common here).  This will ensure your message stays up as long as possible.  These systems usually have only the software required to display content, so you'll usually find it's pretty simple to figure out what needs to be taken off.

You can be pretty creative from here.  You can open a web browser and display a video full screen.  You can make the taskbar hide itself, disable the "Recycle Bin" icon, and change the wallpaper to your preferred image (or slideshow of images).  The opportunities are nearly endless for displaying your own content on the screen!
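Every step described in this section leaves process events behind on the player: Task Manager opening, the signage process exiting, a shell started from Task Manager, and an uninstall. The following added example (not part of the original article) triages such events for a signage operator; the events, paths and the name signage_player.exe are constructed assumptions, with fields modelled on Windows Security events 4688 and 4689.

```python
from ntpath import basename  # parses Windows paths on any OS

SIGNAGE_EXE = "signage_player.exe"  # hypothetical name of the signage software
SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe"}

# Constructed sample events, not from a real system. Tuple layout:
# (event id, time, image path, parent image path, command line), simplified
# stand-ins for the fields of Security events 4688 (create) and 4689 (exit).
EVENTS = [
    (4688, "09:00:01", r"C:\Signage\signage_player.exe", r"C:\Signage\watchdog.exe", ""),
    (4688, "14:02:10", r"C:\Windows\System32\Taskmgr.exe", r"C:\Windows\System32\winlogon.exe", ""),
    (4689, "14:02:31", r"C:\Signage\signage_player.exe", "", ""),
    (4688, "14:02:33", r"C:\Signage\signage_player.exe", r"C:\Signage\watchdog.exe", ""),
    (4688, "14:03:05", r"C:\Windows\explorer.exe", r"C:\Windows\System32\Taskmgr.exe", ""),
    (4688, "14:04:40", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
     "msiexec.exe /x {CONSTRUCTED-PRODUCT-CODE} /qb"),
]


def triage(events):
    """Return (time, rule) alerts for activity an unattended player should not show."""
    alerts = []
    for event_id, time, image, parent, cmd in events:
        exe, parent_exe = basename(image).lower(), basename(parent).lower()
        if event_id == 4689 and exe == SIGNAGE_EXE:
            alerts.append((time, "signage-process-exited"))
        elif event_id != 4688:
            continue
        elif exe == "taskmgr.exe":
            alerts.append((time, "task-manager-opened"))
        elif exe in SHELLS and parent_exe == "taskmgr.exe":
            alerts.append((time, "shell-started-from-task-manager"))
        elif exe == "msiexec.exe" and "/x" in cmd.lower().split():
            alerts.append((time, "software-uninstall"))
    return alerts


if __name__ == "__main__":
    for time, rule in triage(EVENTS):
        print(time, rule)
```

Event 4688 is only recorded when process-creation auditing is enabled, and the command-line field needs its own policy setting. Forward the events to a central collector so the alerts survive changes made on the device itself.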

Hacking a System on a Chip (SoC) Screen

These usually run on a very restricted OS like LG's webOS or Samsung's Tizen.

Some displays may have Android on them, but this is fairly uncommon.  The best option for changing the display on these is a TV remote.  It's best to factory reset the screen to get rid of the signage software.  You can then insert a USB drive with your pictures, then switch the input to the USB drive.  There are two issues you may run into while doing that:

1.)  The screen will automatically switch back to the OS.  If this happens, you will need to dig into the menus to locate a setting related to "input switching."  You could also simply do a factory reset from the menus and continue on your way.  This is quicker and ensures success.

2.)  The remote doesn't work despite being compatible with the TV.  This usually happens because commercial screens used in digital signage installations can have an external IR receiver that plugs into the back with a 1/8-inch (3.5 mm) jack.  If the installer was smart, they would plug in the IR receiver to do what they needed, then unplug it so no one else can change things on the screen.  These are easy to purchase on Amazon and, if you really need to control a screen, it'd be good to have one with you to plug into the screen.  Also, make sure the batteries in your remote are good.  If you have any phone except an iPhone, you can open your camera app, point the remote at the camera, press a button, and see the IR light blinking when you press remote buttons.  This doesn't guarantee the batteries are full enough to work, but is a great way to check that they aren't empty.

Another thing to keep in mind concerns Samsung screens.  They have a system called MagicINFO on them and, if the company managing the screen has purchased the right license for it, they could be able to see and control the screen at any time.  Generally, if it's a Samsung display, you'll want to check for and unplug an Ethernet cable or do a factory reset to wipe the Wi-Fi connection information from it.  Again, this ensures your content stays up as long as possible.

Hacking a USB/Memory Card Setup

These are the easiest to change the display on.

Simply power off the screen, pop out the storage device, plug it into your computer, and replace the existing files with your own.  It's wise to stick to standard formats here (JPEG, PNG, MP4, etc.), as these systems can be limited in what formats they accept.

Hacking Almost Any Digital Signage Screen

Maybe you don't have the time to spend doing the things mentioned above.

What most screens do have in common is they have HDMI ports for their video signal.  You can always unplug the device that is plugged in and replace it with a cheap Amazon Fire Stick or Chromecast.  You can use your phone as a hotspot to connect those devices and change the content all you like.

Summary

There are many different types of signage setups, all with their own quirks.

I hope I have stimulated your mind into thinking about the possibilities of hacking a digital signage display.  While I understand there are many other attack vectors and display setups, this article should get you covered on the basics so you can begin to explore all the screens out there!
