The HDMI firewall prevents devices from hacking HDMI equipment, and vice-versa.

<img src="picture/front_v2.webp" title="front" height="250"/>
<img src="picture/back_v2.webp" title="back" height="250"/>

purpose
=======

HDMI is mainly used to transfer audio and video, but it also offers a number of additional features (e.g. HDCP, CEC, HEC, ARC, MHL).
Each of these is an extra interface that increases the attack surface, and since their implementation in embedded devices is far from ideal, an attacker could exploit them to inject malicious code.
Your unsuspecting video equipment is then compromised and threatens your IT/network security.
And your monitor could in turn hack back any other device connected to it.

For example, imagine you invite an external guest to give a presentation inside your company.
You offer to connect their laptop to a smart TV or video projector so they can show their slides.
This is the perfect opportunity for the guest to hack it.
Now your smart TV can act as a spy in your network.
Or the next time an employee connects to the projector, their laptop is hacked back.
And voila, the innocent guest has infiltrated your company network and can exfiltrate confidential information.

The HDMI firewall can block all these additional interfaces and only allow audio and video data transfer.
It is based on the research of Pierre-Michel Ricordel and José Lopes Esteves from ANSSI/SDE/ST/LSF presented at the IT security conference [SSTIC 2021](https://sstic.org/2021/presentation/un_pare_feu_pour_le_hdmi/).
Some security research and vulnerabilities around CEC and EDID are listed in [slide 4](https://www.sstic.org/media/SSTIC2021/SSTIC-actes/un_pare_feu_pour_le_hdmi/SSTIC2021-Slides-un_pare_feu_pour_le_hdmi-lopes-esteves_ricordel.pdf).

usage
=====

First plug the HDMI cable going to the monitor into the HDMI firewall port labeled **MONITOR**.
Then plug the HDMI cable going to the device into the HDMI firewall port labeled **DEVICE**.
That's it, your equipment (monitor and device) is now protected.
But the firewall should be fine-tuned as described below.

The HDMI firewall comes with a generic HD profile, but this might not correspond to the capabilities of your monitor.
The resulting image could be distorted, or completely missing.
Thus, you first have to copy the Extended Display Identification Data (EDID) of the monitor to protect.
This data includes information such as the supported resolutions.
The HDMI firewall can copy the EDID from the monitor:

1. ensure the firewall is connected to the monitor
1. unplug the device from the firewall
1. toggle the small switch labeled EDID/7 to the ALLOW/ON position
1. ensure the SDA/2 and SCL/3 switches are in the BLOCK/OFF position, so the firewall has the DDC bus to itself to read the EDID
1. plug the device into the firewall
1. this powers the firewall, which copies the monitor EDID into its internal memory, indicated by a short blink of the ERROR LED
1. unplug the device, and switch the EDID/7 switch back to the BLOCK/OFF position so the firewall keeps and uses the copied EDID
1. when connecting the device back in, you should see the same monitor name as before, with a '|' appended, indicating you are using the write-protected EDID copy from the firewall

The HDMI firewall lets you select which interfaces are blocked using the switches.
The highest security is provided when all lines are blocked by setting every switch to the BLOCK position.
If you still trust your equipment enough and want to use a feature, you can set the corresponding switch to the ALLOW/ON position:

- 5V: some monitors require this line to detect when a device is plugged in, and since currently no other information is transferred over this line, it is rather safe to enable it
- Display Data Channel (DDC): High-bandwidth Digital Content Protection (HDCP) uses this interface. To enable it, switch SDA and SCL on. Warning: since the EDID is also transferred over this interface, the firewall can no longer serve its write-protected copy of it. The monitor's original EDID is used instead, which may not be write-protected against the device.
- Consumer Electronics Control (CEC): this interface allows equipment to be controlled remotely, e.g. setting the volume and powering on/off all connected devices and monitors at once
- HDMI Ethernet Channel (HEC), Audio Return Channel (ARC), and Mobile High-Definition Link (MHL): to enable these interfaces, switch UTIL and HPD on to forward the HEAC+ and HEAC- lines

The HDMI firewall can also be used to provide a custom EDID, since the EDID stored in the monitor is sometimes faulty.
For that you need to program the raw binary EDID (with up to 1 extension block, i.e. at most 256 bytes) onto the STM8S103 EEPROM using the RST and SWIM lines made available on the back of the board.

limitations
===========

The HDMI firewall uses impedance controlled lines: 4-layer impedance controlled board, differential pair routing, intra- and inter-pair length matching.
This should allow any audio and video signal to be transmitted to the monitor.
But I only have 2K equipment I could test it on.
I could not test the firewall against 4K, 8K, or 3D capable monitors.
CEC remote control has been tested.
But I don't have any equipment using HDCP, HEC, ARC, or MHL.
Thus I could also not test these interfaces.

The firewall only supports EDID with up to 1 extension block.
This is the case for all monitors I've seen.
Some high end monitors supporting numerous features might have additional extension blocks.
Thus the firewall might prevent you from using the monitor to its full potential.
You can still use the original EDID from the monitor by setting the SDA/2 and SCL/3 switches to the ALLOW/ON position.
The DDC channel won't be firewalled anymore though.

Feel free to report any success or issues to `hdmi@cuvoodoo.info`.

availability
============

The HDMI firewall is available on [tindie](https://www.tindie.com/products/cuvoodoo/hdmi-firewall/).

The schematic pdf and board gerbers are available as [release](https://git.cuvoodoo.info/kingkevin/board/releases/tag/hdmi_firewall_v2).

troubleshooting
===============

If the monitor does not detect the device or does not display anything (but should), try re-enabling the 5V forwarding (the default) by switching the 5V/1 switch to ALLOW/ON.

If the ERROR LED stays on, it means copying the EDID failed:

- be sure the monitor is connected before you connect the device (which powers the firewall)
- be sure the SDA/2 and SCL/3 switches are set to BLOCK so the firewall has the DDC interface to itself to read the EDID
- the EDID of the monitor might be corrupted or have an invalid checksum, in which case the firewall will not copy it
- the firewall EEPROM memory has worn out or is defective (it should last 300 thousand copies)
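
To check an EDID dump for the conditions listed above (valid 8-byte header, every 128-byte block summing to zero modulo 256, at most one extension block as the firewall supports) before flashing it as a custom EDID or wondering why the copy failed, and to see the '|' name suffix described in the usage section, here is an added Python example. It is not the firewall's firmware or any code from this project: `build_sample_edid()` constructs a synthetic EDID for testing rather than using a real monitor's data, and since this page does not document how the firmware appends the '|' marker, `mark_copy()` only shows one way to do it while keeping the checksum valid.

```python
"""EDID sanity checks for a dump you intend to hand to the HDMI firewall.
Added example, not the firewall's firmware: checks the properties the README
says the copy depends on and reads the monitor name descriptor.
"""
from __future__ import annotations

from dataclasses import dataclass, field

BLOCK = 128
EDID_HEADER = bytes.fromhex("00ffffffffffff00")
MAX_EXTENSIONS = 1   # limit stated in the README
NAME_TAG = 0xFC      # "Monitor Name" display descriptor tag


@dataclass
class EdidReport:
    ok: bool = True
    problems: list[str] = field(default_factory=list)
    monitor_name: str | None = None
    extensions: int = 0


def block_checksum_ok(block: bytes) -> bool:
    """Every 128-byte EDID block must sum to zero modulo 256."""
    return len(block) == BLOCK and sum(block) % 256 == 0


def fix_checksum(block: bytearray) -> bytearray:
    """Recompute the trailing checksum byte of one block in place."""
    block[BLOCK - 1] = (-sum(block[:BLOCK - 1])) % 256
    return block


def find_name_descriptor(base: bytes) -> int | None:
    """Offset of the Monitor Name descriptor among the four 18-byte descriptors at 54..125."""
    for off in range(54, 126, 18):
        if base[off:off + 3] == b"\x00\x00\x00" and base[off + 3] == NAME_TAG:
            return off
    return None


def monitor_name(base: bytes) -> str | None:
    off = find_name_descriptor(base)
    if off is None:
        return None
    raw = base[off + 5:off + 18].split(b"\x0a", 1)[0]   # 13 bytes, LF-terminated
    return raw.decode("ascii", "replace").rstrip()


def check_edid(edid: bytes) -> EdidReport:
    rep = EdidReport()
    if len(edid) < BLOCK or len(edid) % BLOCK:
        rep.problems.append(f"length {len(edid)} is not a multiple of {BLOCK}")
        rep.ok = False
        return rep
    base = edid[:BLOCK]
    if base[:8] != EDID_HEADER:
        rep.problems.append("bad 8-byte header")
    rep.extensions = base[126]
    if rep.extensions > MAX_EXTENSIONS:
        rep.problems.append(f"{rep.extensions} extension blocks, firewall stores at most {MAX_EXTENSIONS}")
    if len(edid) != BLOCK * (1 + rep.extensions):
        rep.problems.append(f"extension count {rep.extensions} does not match length {len(edid)}")
    for i in range(len(edid) // BLOCK):
        if not block_checksum_ok(edid[i * BLOCK:(i + 1) * BLOCK]):
            rep.problems.append(f"block {i} checksum invalid")
    rep.monitor_name = monitor_name(base)
    rep.ok = not rep.problems
    return rep


def mark_copy(edid: bytes, marker: str = "|") -> bytes:
    """Append a marker to the monitor name and re-checksum the base block
    (one way to get the '|' suffix the README describes; firmware method unknown)."""
    base = bytearray(edid[:BLOCK])
    off = find_name_descriptor(base)
    if off is None:
        raise ValueError("no Monitor Name descriptor to mark")
    name = (monitor_name(base) or "") + marker
    if len(name) > 13:
        raise ValueError("monitor name field full, no room for the marker")
    base[off + 5:off + 18] = (name.encode("ascii") + b"\x0a")[:13].ljust(13, b"\x20")
    return bytes(fix_checksum(base)) + edid[BLOCK:]


def build_sample_edid(name: str = "CUVOODOO 2K", extensions: int = 1) -> bytes:
    """Constructed test EDID (base block plus CEA-861 extensions); not from a real monitor."""
    base = bytearray(BLOCK)
    base[:8] = EDID_HEADER
    base[18], base[19] = 1, 4                        # EDID version 1.4
    base[54:59] = b"\x00\x00\x00" + bytes([NAME_TAG, 0])
    base[59:72] = (name.encode("ascii") + b"\x0a")[:13].ljust(13, b"\x20")
    base[126] = extensions
    out = bytes(fix_checksum(base))
    for _ in range(extensions):
        ext = bytearray(BLOCK)
        ext[0], ext[1], ext[2] = 0x02, 0x03, 0x04    # CEA-861 tag, revision 3, no DTDs
        out += bytes(fix_checksum(ext))
    return out
```

Feed `check_edid()` the raw dump of the monitor you want to protect (on Linux the kernel exposes it under `/sys/class/drm/<connector>/edid`, where the connector name depends on your hardware) and it reports exactly which of the conditions above would make the firewall refuse the copy; a single flipped bit shows up as an invalid block checksum, and a monitor with two or more extension blocks is flagged as exceeding what the firewall stores.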

To read and play with EDID under Linux, you can use the instructions provided for the previous [HDMI firewall v1](https://git.cuvoodoo.info/kingkevin/board/src/tag/hdmi_firewall_v1/README.md).