The HDMI firewall protects your HDMI equipment from being hacked.

purpose
=======

HDMI is mainly used to transfer audio and video, but it also offers a number of additional features (e.g. HPD, CEC, HEAC, MHL).
This increases the attack surface, and since the security of their implementation in embedded devices is far from ideal, an attacker could exploit them and inject malicious code.
Now your unsuspecting video equipment is compromised and threatens your IT/network security.
And your monitor could then in turn hack back any other equipment connected to it.

For example, imagine you invite an external guest to give a presentation inside your company.
For that you offer to connect to a video projector so the guest can show their slides.
This is the perfect opportunity for the guest to hack the video projector.
And next time an employee connects to this projector, their laptop is hacked back.
And voilà, the innocent guest has managed to infiltrate your company network, and can exfiltrate confidential information.

The HDMI firewall blocks all the additional features, and only allows the equipment to receive audio and video data.
It is based on the research of Pierre-Michel RICORDEL and José LOPES-ESTEVES from ANSSI/SDE/ST/LSF presented during [SSTIC 2021](https://sstic.org/2021/presentation/un_pare_feu_pour_le_hdmi/).

usage
=====

You first have to copy the Extended Display Identification Data (EDID) of the equipment to protect.
This data includes information such as the supported resolutions.
You can read it out using the I²C-based Display Data Channel (DDC) interface.
Then disable the write protection on the HDMI firewall using the switch (the LED will turn off).
Write the EDID data to the EEPROM of the HDMI firewall, and turn the write protection back on (the LED will turn on).
This prevents attackers from injecting any malicious payload.
This only has to be done once (per monitor to protect).

Now connect the monitor to be protected to the corresponding port of the HDMI firewall.
Only allow users to connect to the untrusted device port.
Your equipment is now protected.

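Before writing the dump to the firewall EEPROM it is worth checking that what you read over DDC is a well-formed EDID base block. The following Python script is an added example, not code from the HDMI firewall project: it validates the header and checksum and decodes a few identifying fields; the sample EDID bytes it builds are constructed for the test, not read from a real monitor.

```python
"""Sanity-check a raw EDID base block before writing it to the HDMI firewall EEPROM.
Added example, not part of the HDMI firewall project; the sample bytes below are constructed."""
import struct

# Fixed 8-byte magic that every EDID base block starts with
EDID_HEADER = bytes([0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00])


def decode_manufacturer(b: bytes) -> str:
    """Decode the 3-letter PNP manufacturer ID packed as 3 x 5 bits (big endian)."""
    v = (b[0] << 8) | b[1]
    return "".join(chr(((v >> s) & 0x1F) + ord("A") - 1) for s in (10, 5, 0))


def edid_checksum_ok(block: bytes) -> bool:
    """Every 128-byte EDID block must sum to 0 modulo 256."""
    return len(block) == 128 and sum(block) % 256 == 0


def parse_edid_base(block: bytes) -> dict:
    """Parse the 128-byte base block; raise ValueError on structural problems."""
    if len(block) < 128:
        raise ValueError("EDID base block must be 128 bytes")
    base = block[:128]
    if base[:8] != EDID_HEADER:
        raise ValueError("bad EDID header")
    if not edid_checksum_ok(base):
        raise ValueError("bad EDID checksum")
    # Bytes 10-11: product code (LE u16); bytes 12-15: serial number (LE u32)
    product, serial = struct.unpack_from("<HI", base, 10)
    return {
        "manufacturer": decode_manufacturer(base[8:10]),
        "product_code": product,
        "serial": serial,
        "version": f"{base[18]}.{base[19]}",
        "extensions": base[126],  # number of extension blocks following the base block
    }


def build_sample_edid() -> bytes:
    """Constructed sample EDID (not from any real monitor) used to exercise the parser."""
    b = bytearray(128)
    b[0:8] = EDID_HEADER
    b[8:10] = bytes([0x10, 0xAC])           # "DEL" in the packed PNP encoding
    struct.pack_into("<HI", b, 10, 0x4321, 0x12345678)
    b[16], b[17] = 1, 30                    # week 1, year 1990 + 30
    b[18], b[19] = 1, 4                     # EDID version 1.4
    b[127] = (-sum(b[:127])) % 256          # make the block sum to 0 mod 256
    return bytes(b)
```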
limitations
===========

High-bandwidth Digital Content Protection (HDCP) is not supported, since the DDC interface is limited to the EDID information.

By default, turn the 5V forwarding off using the second switch on the HDMI firewall.
This further reduces the attack surface.
If the monitor is not able to detect the connected device, turn it back on.

mode of operation
=================

To protect the monitor, the HDMI firewall only forwards the signal lines used for audio/video (A/V) data transfer (D0, D1, D2, CK).
All other signal lines are left unconnected (CEC, SDA, SCL, utility/HEAC+, HPD).
This blocks all non-A/V interfaces (e.g. DDC, HPD, CEC, HEAC, MHL).
The SDA/SCL lines used by the DDC interface to provide the EDID information to the device are connected to an EEPROM on the firewall.
This is where you need to copy the monitor information to.
This limits the DDC interface to the EDID information.