template and source for hardware projects
King Kévin 9087beec8e doc: update usage for v1 2022-06-20 13:01:44 +02:00
coraleda/subc lib: add HDMI plug 2022-06-20 12:33:11 +02:00
geda/symbols lib: add HDMI plug 2022-06-20 12:33:11 +02:00
library@939ae5450b lib: update repo 2022-05-17 11:14:21 +02:00
.gitignore ignore other manual fabrication export (not from Rakefile) 2022-02-02 15:29:48 +01:00
.gitmodules update library 2022-03-07 14:42:51 +01:00
.qeda.yaml lib: add HDMI plug 2022-06-20 12:33:11 +02:00
CHANGELOG.md doc: describe version 2022-06-20 12:07:05 +02:00
DEVELOPMENT.md put development instructions in separate file 2022-03-23 10:32:24 +01:00
LICENSE.txt add CERN-OHL-S license 2021-07-22 12:22:58 +02:00
README.md doc: update usage for v1 2022-06-20 13:01:44 +02:00
Rakefile set project name 2022-06-20 10:57:19 +02:00
gafrc add schematic configuration and template 2021-07-22 12:28:19 +02:00
hdmi_firewall.lht sch/brd: import design from 2022-07-27 2022-06-20 12:38:44 +02:00
hdmi_firewall.sch sch: improve naming 2022-06-20 12:40:32 +02:00
mass_prop.sh add PnP export 2021-12-19 11:24:57 +01:00
pnp_fab.tab pnp: fix USB-C orientation 2022-03-23 10:34:20 +01:00
version switch to version 1 2022-06-20 12:15:59 +02:00

README.md

The HDMI firewall protects your HDMI equipment from being hacked.

purpose

HDMI is mainly used to transfer audio and video, but it also offers a number of additional features (e.g. HPD, CEC, HEAC, MHL). These increase the attack surface, and since the security of their implementation in embedded devices is far from ideal, an attacker could exploit them to inject malicious code. Your unsuspecting video equipment is then compromised and threatens your IT/network security, and the compromised monitor could in turn attack any other equipment connected to it.

For example, imagine you invite an external guest to give a presentation inside your company. You offer to connect them to a video projector so they can show their slides. This is the perfect opportunity for the guest to compromise the projector. The next time an employee connects to this projector, their laptop is compromised in turn. And voilà, the seemingly innocent guest has infiltrated your company network and can exfiltrate confidential information.

The HDMI firewall blocks all the additional features and only allows the equipment to receive audio and video data. It is based on the research of Pierre-Michel RICORDEL and José LOPES-ESTEVES from ANSSI/SDE/ST/LSF, presented at the IT security conference SSTIC 2021.

usage

You first have to copy the Extended Display Identification Data (EDID) of the equipment to protect. This data includes information such as the supported resolutions. You can read it out over the I²C-based Display Data Channel (DDC) interface. Write the EDID data to the EEPROM of the HDMI firewall, then break off the tab with pliers to enable write protection. This prevents attackers from injecting any malicious payload into the EEPROM. This only has to be done once (per monitor to protect).
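As an added example (not code from the HDMI firewall project), a Python sanity check of an EDID block before it is written to the firewall's EEPROM and after it is read back: it verifies the fixed header and the per-block checksum, decodes the manufacturer ID and the preferred resolution, and confirms that the read-back copy is byte-identical. The sample EDID is constructed here with a fictitious "ACM" vendor code and is not a real monitor's data.

```python
# Added example, not part of the HDMI firewall project: check an EDID block before/after programming.
EDID_HEADER = bytes([0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00])


def checksum_ok(block: bytes) -> bool:
    """Every 128-byte EDID block must sum to 0 modulo 256."""
    return len(block) == 128 and sum(block) % 256 == 0


def manufacturer_id(block: bytes) -> str:
    """Bytes 8-9 hold three 5-bit letters (A=1) packed big-endian."""
    word = (block[8] << 8) | block[9]
    return "".join(chr(64 + ((word >> shift) & 0x1F)) for shift in (10, 5, 0))


def preferred_timing(block: bytes):
    """Decode active pixels and pixel clock from the first detailed timing descriptor (bytes 54-71)."""
    d = block[54:72]
    pixel_clock_khz = ((d[1] << 8) | d[0]) * 10        # stored little-endian in units of 10 kHz
    h_active = d[2] | ((d[4] & 0xF0) << 4)             # low byte plus high nibble of byte 4
    v_active = d[5] | ((d[7] & 0xF0) << 4)             # low byte plus high nibble of byte 7
    return h_active, v_active, pixel_clock_khz


def parse_edid(block: bytes) -> dict:
    """Reject anything that is not a well-formed base EDID block, then summarise it."""
    if block[:8] != EDID_HEADER:
        raise ValueError("bad EDID header")
    if not checksum_ok(block):
        raise ValueError("bad EDID checksum")
    h, v, clk = preferred_timing(block)
    return {"manufacturer": manufacturer_id(block),
            "version": f"{block[18]}.{block[19]}",
            "preferred": f"{h}x{v}",
            "pixel_clock_khz": clk,
            "extensions": block[126]}        # number of extension blocks following the base block


def readback_matches(written: bytes, readback: bytes) -> bool:
    """After programming the EEPROM, the read-back copy must be byte-identical to what was written."""
    return bytes(written) == bytes(readback)


def build_sample_edid() -> bytes:
    """Constructed 1920x1080 EDID for a fictitious vendor 'ACM' (not real monitor data)."""
    e = bytearray(128)
    e[0:8] = EDID_HEADER
    e[8:10] = bytes([0x04, 0x6D])          # 'A'=1, 'C'=3, 'M'=13 -> 0x046D
    e[18:20] = bytes([1, 4])               # EDID version 1.4
    e[54:62] = bytes([0x02, 0x3A, 0x80, 0x18, 0x71, 0x38, 0x2D, 0x40])  # 148.5 MHz, 1920x1080
    e[126] = 0                             # no extension blocks in this sample
    e[127] = (-sum(e[:127])) & 0xFF        # checksum byte makes the block sum to 0 mod 256
    return bytes(e)
```

A block that fails the header or checksum check should not be written to the firewall, and a read-back that differs from what was written means the EEPROM was not programmed correctly.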

Now plug the HDMI firewall into the monitor to be protected, and connect the cable coming from the untrusted device to the HDMI firewall. Your equipment is now protected.

To re-write the EEPROM of the HDMI firewall, for example to protect another monitor, you can disable write protection again by putting a solder blob across the two pads marked WP.

By default, the 5V supplied by the monitor is forwarded to the device. To further reduce the attack surface, you can disable this by cutting the trace between the two pads marked 5V. The drawback is that some monitors rely on this signal to detect when a device is plugged in.

limitations

High-bandwidth Digital Content Protection (HDCP) is not supported since the DDC interface is limited to the EDID information.

mode of operation

To protect the monitor, the HDMI firewall only forwards the signal lines used for audio/video (A/V) data transfer (D0, D1, D2, CK). All other signal lines (CEC, SDA, SCL, utility/HEAC+, HPD) are not passed through to the monitor. This blocks all non-A/V interfaces (e.g. DDC, HPD, CEC, HEAC, MHL). The SDA/SCL lines, which the DDC interface uses to provide the EDID information to the device, are instead connected to an EEPROM on the firewall. This is where you copy the monitor information to. As a result, the DDC interface is limited to the EDID information.