Ang Cui () is an American cybersecurity researcher and entrepreneur. He is the founder and CEO of Red Balloon Security in New York City, a cybersecurity firm that develops new technologies to defend embedded systems against exploitation.
Cui was formerly a researcher with Columbia University's Intrusion Detection Systems Lab where he worked while pursuing his Ph.D. in computer science at Columbia University. His doctoral dissertation, entitled âÂÂEmbedded System Security: A Software-Based Approach,â focused on scientific inquiries concerning the exploitation and defense of embedded systems. Cui received his Ph.D. in 2015, and founded Red Balloon Security to commercialize his firmware defense technology now known as Symbiote.
Cui has publicly demonstrated security vulnerabilities in widely used commercial and consumer products, including Cisco and Avaya VoIP phones, Cisco routers and HP LaserJet printers. He has presented his research at industry events including Black Hat Briefings, DEF CON conference, RSA Conference, REcon security conference and the Auto-ISAC 2018 Summit. Cui's security research has earned the 2011 Kaspersky Labs American Cup Winner, 2012 Symantec Research Labs Graduate Fellowship and the 2015 DARPA Riser
In 2017, the United States Department of Homeland Security cited his company with the âÂÂCrossing the Valley of Deathâ distinction for the development of a commercially available cyber defense system for critical infrastructure facilities, which was produced following a 12-month DHS funded pilot study to evaluate cyber sabotage risks to the building systems of a DHS Biosafety Level 3 facility.
In 2020, Cui received the noble title of duke from the Principality of Sealand. Cui's royal title grants him an official territory, or duchy, of one square foot within the micronation, which he has named SPACE. As a Duke of the Principality of Sealand, Cui joins the ranks of notable figures who have also received nobility titles from the micronation, including English cricketeer Ben Stokes and musician Ed Sheeran.
Cui is best known for his role in the development of Symbiote, a host-based firmware defense technology for embedded devices.
Symbiote is injected into the firmware of a legacy embedded device where it provides intrusion detection functionality. It does so by constantly checking the integrity of static code and data at the firmware level, in order to prevent unauthorized code or commands from executing. Symbiote is operating system agnostic and is compatible with most embedded devices. Red Balloon Security has already released Symbiote for commercial printer brands like HP and other devices.
On June 21, 2017, Red Balloon Security announced the launch of Symbiote for Automotive Defense, an automotive version of the standard Symbiote technology, at the Escar USA Conference in Detroit.
In 2016, Popular Science named Symbiote one of the âÂÂ9 Most Important Security Innovations of the Year.âÂÂ
In 2011, Cui was part of a research effort at Columbia University, directed by Professor Salvatore Stolfo, to examine security vulnerabilities in HP LaserJet printers. The project found chers announced significant security flaws in these devices which could allow for a range of remote attacks, including triggering a fire hazard by forcing the printer's fuser to continually heat up.
HP released a firmware update soon after these findings were released. However, team claimed they found 201 vulnerable HP laser jet printers in the U.S. Department of Defense's network and two at HP's headquarters months after the security patch was released. In 2015, HP licensed Cui's Symbiote technology to use as a firmware defense against cyber attacks for its LaserJet Enterprise printers and multifunction printers.
At the 29th Chaos Communication Congress in December 2012, Cui and Stolfo presented the findings of their DARPA funded research study, which exposed a vulnerability in Cisco IP phones (CiscoUnified IP Phone 7900 series) that could allow an attacker to turn them into bugging devices. The exploit gained root access to the device's firmware, which could enable the interception of phone calls. It would also allow an attacker to remotely activate the phone's microphone in order to eavesdrop on nearby conversations.
At the 2015 Black Hat Briefings cybersecurity conference, Cui unveiled a firmware exploit called âÂÂFuntennaâ which manipulates the electronic processes within common devices like printers, phones, and washing machines in order to create radio signals which could secretly transmit data outside of a secure facility. The attack could even work with devices within an air-gapped system.
News outlets such as Ars Technica and Motherboard noted Funtenna's potential for turning infected devices into covert spying tools.
At the DEF CON 24 security conference in 2016, Cui, along with his principal scientist Jatin Kataria and security researcher Francois Charbonneau, demonstrated previously unknown vulnerabilities in the firmware of widely used computer monitors, which an attacker could exploit to both spy on the user's screen activity and to manipulate what the user sees and engages with on the screen.
Called âÂÂMonitor Darkly,â the firmware vulnerability was reported to affect Dell, HP, Samsung and Acer computer monitors.
The vulnerability was specific to the monitorsâ on-screen-display (OSD) controllers, which are used to control and adjust viewing options on the screen, such as brightness, contrast or horizontal/vertical positioning. However, as Cui, Kataria and Charbonneau noted in their talk abstract for the 2016 REcon security conference, with the Monitor Darkly exploit, the OSD can also be used to âÂÂread the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels.âÂÂ
The security news site CSO Online said about the vulnerability, âÂÂBy exploiting a hacked monitor, they could manipulate the pixels and add a secure-lock icon by a URL. They could make a $0 PayPal account balance appear to be a $1 billion balance. They could change âÂÂthe status-alert light on a power plant's control interface from green to red.âÂÂâÂÂ
The exploit was later used in a Season 3 episode of the Mr. Robot show, in which the FBI uses it to take screenshots of Elliot AldersonâÂÂs computer.
At the 2017 REcon security conference, Cui and security researcher Rick Housley demonstrated a new method for hacking processors through the use of an electromagnetic pulse, or EMP.
Known as electromagnetic fault injection (EMFI), this class of attacks has been investigated before, but Cui and HousleyâÂÂs new technique, known as âÂÂBadFET," is adapted to exploit modern computers and embedded devices, by impacting multiple components within these devices at the same time. By using a 300 volt EMP pulse from 3 millimeters away, the BadFET attack bypasses the Secure Boot protection that keeps processors from running untrusted code.
Cui and Housley also introduced an open source EMFI platform that makes BadFET available to other security researchers, for further analysis, testing and development.
On May 13, 2019, Cui and his research team (composed of Jatin Kataria, Richard Housley and James Chambers) jointly announced with Cisco a critical vulnerability in Cisco's secure boot process identified as CVE-2019-1649, and referred to as âÂÂThrangrycatâ by Red Balloon Security.
The vulnerability affects a key hardware security component developed by Cisco known as the Trust Anchor module (TAm). The vulnerability is considered significant, as TAm underpins the secure boot process in numerous Cisco devices, including routers and switches. As WIRED Magazine explained in its reporting on the Thrangrycat vulnerability: "Known as the Trust Anchor, this Cisco security feature has been implemented in almost all of the companyâÂÂs enterprise devices since 2013. The fact that the researchers have demonstrated a way to bypass it in one device indicates that it may be possible, with device-specific modifications, to defeat the Trust Anchor on hundreds of millions of Cisco units around the world. That includes everything from enterprise routers to network switches to firewalls.âÂÂ
Cisco describes the TAm as a âÂÂproprietary, tamper-resistant chipâ that is âÂÂfound in many Cisco productsâ and âÂÂhelps verify that Cisco hardware is authentic.âÂÂ
The vulnerability could enable an attacker to modify the firmware of this module to gain persistent access on a network and carry out many different types of malicious activity, including data theft, importing malware and physical destruction of equipment.
The New York Times called Thrangrycat âÂÂsuper alarming,â with WIRED Magazine warning it has âÂÂmassive global implications.âÂÂ
Thrangrycat is believed to be the first security vulnerability to be named with emoji symbols.