Introducing the HDMI Firewall.
The README introduces it as follows...
The HDMI firewall prevents devices from hacking HDMI equipment, and vice-versa.
In a nutshell, it comes down to this:
The HDMI firewall prevents a device from hacking HDMI equipment, and likewise prevents the equipment from hacking the device.
A brief summary of the HDMI Firewall's key points:
- HDMI is mainly used to carry audio/video, but it also provides a number of additional features (HPD, CEC, HEAC, MHL)
- These features make attacks possible, so an attacker can inject malicious code
→ e.g. an outside guest plugs into the company projector over HDMI for a presentation and hacks it; the next time an employee connects to that projector, their laptop is hacked back, giving the outsider a foothold in the company network
- The HDMI firewall is an adapter that lets only audio/video through and blocks the remaining interfaces
Its purpose is described as follows...
purpose
HDMI is mainly used to transfer audio and video, but also offers a number of additional features (e.g. HPD, CEC, HEAC, MHL). This increases the attack surface, and since the security of their implementation in embedded devices is far from ideal, an attacker could exploit them and inject malicious code. Now your unsuspecting video equipment is compromised and threatens your IT/network security. And your monitor could then in turn hack back any other device connected to it.
For example, let's imagine you invite an external guest for a presentation inside your company. You offer to connect to a video-projector so he can show his slides. This is the perfect opportunity for the guest to hack the video-projector. Next time an employee connects to this projector, his laptop is hacked back. And voila, the innocent guest managed to infiltrate your company network, and can exfiltrate confidential information.
The HDMI firewall blocks all additional interfaces, and only allows audio and video data transfer. It is based on the research of Pierre-Michel Ricordel and José Lopes Esteves from ANSSI/SDE/ST/LSF presented at the IT security conference SSTIC 2021. Some security research and vulnerabilities around CEC and EDID are listed in slide 4.
Installation is done as follows.
installation
For the HDMI firewall to be used correctly, it needs a copy of the EDID data from the monitor to protect.
These instructions are for Linux. For Windows see the instructions provided in the original research slides (untested).
Install tools to read/write I²C devices:
- for Debian-based distributions
sudo apt install i2c-tools
Make the I²C buses user accessible (under /dev/i2c-*):
sudo modprobe i2c-dev
Now we have to figure out which I²C bus corresponds to the HDMI port. First list the available buses:
sudo i2cdetect -l
You should see something like this:
i2c-0 smbus SMBus PIIX4 adapter port 0 at 0b00 SMBus adapter
i2c-1 smbus SMBus PIIX4 adapter port 2 at 0b00 SMBus adapter
i2c-2 smbus SMBus PIIX4 adapter port 1 at 0b20 SMBus adapter
i2c-3 i2c AMDGPU DM i2c hw bus 0 I2C adapter
i2c-4 i2c AMDGPU DM i2c hw bus 1 I2C adapter
i2c-5 i2c AMDGPU DM i2c hw bus 2 I2C adapter
i2c-6 i2c AMDGPU DM i2c hw bus 3 I2C adapter
i2c-7 i2c AMDGPU DM aux hw bus 0 I2C adapter
i2c-8 i2c AMDGPU DM aux hw bus 2 I2C adapter
i2c-9 i2c AMDGPU DM aux hw bus 3 I2C adapter
i2c-10 i2c DPMST I2C adapter
i2c-11 i2c DPMST I2C adapter
Candidate buses are 3 to 9, used by the GPU (number after i2c- in the first column).
Disconnect everything from the HDMI port, and scan for devices on each I²C bus (replace BUS with the bus number):
sudo i2cdetect -y BUS
Since nothing is connected, no device should be detected, and the output should look like this:
0 1 2 3 4 5 6 7 8 9 a b c d e f
00: -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
Now connect the HDMI firewall on the device side to your HDMI port and re-scan for devices. If you see the following result, you found the I²C bus of the HDMI port. Else continue with the next bus.
0 1 2 3 4 5 6 7 8 9 a b c d e f
00: -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: 50 51 52 53 54 55 56 57 -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
Now connect the monitor you want to copy the EDID from directly to the HDMI port.
We will use the EEPROM module to dump the EDID:
sudo modprobe eeprom
Display the EDID overview and ensure the Model Name corresponds to your monitor (here a DELL 2408WFP on bus number 4):
ddcmon 4
Checksum: OK
EDID Version: 1.3
Manufacturer ID: DEL
Model Number: 0xA02C
Model Name: DELL 2408WFP
Serial Number: G286H9642GLS
Manufacture Time: 2009-W23
Display Input: Digital
Monitor Size (cm): 52x32
Gamma Factor: 2.20
DPMS Modes: Active Off, Suspend, Standby
Color Mode: RGB Multicolor
Vertical Sync (Hz): 56-76
Horizontal Sync (kHz): 30-83
Max Pixel Clock (MHz): 170
Timing: 640x480 @ 60 Hz
Timing: 640x480 @ 75 Hz
Timing: 720x400 @ 70 Hz
Timing: 800x600 @ 60 Hz
Timing: 800x600 @ 72 Hz
Timing: 800x600 @ 75 Hz
Timing: 1024x768 @ 87 Hz (interlaced)
Timing: 1024x768 @ 75 Hz
Timing: 1152x864 @ 75 Hz
Timing: 1280x1024 @ 60 Hz
Timing: 1600x1200 @ 60 Hz
Timing: 1920x1200 @ 60 Hz
Dump the complete EDID (replace BUS with corresponding bus number):
cat /sys/bus/i2c/devices/BUS-0050/eeprom > edid.bin
Connect the HDMI firewall device port to your HDMI output. Ensure Write Protect is disabled (by default until the tab is broken, and no solder across the WP pads is added). WARNING: writing data to the wrong I²C bus could permanently damage your computer or other devices.
Free the I²C access to the EEPROM:
sudo modprobe -r eeprom
Write the extracted EDID data to the HDMI firewall (replace BUS with corresponding bus number):
for addr in `seq 0 255`; do echo $addr; sudo i2cset -y BUS 0x50 $addr 0x`xxd -p -l 1 -s $addr edid.bin`; done
To verify the data has been written correctly, compare original data with the one on the EEPROM:
# display original dumped data
xxd -g 1 edid.bin
# display data written on EEPROM
sudo i2cdump -y BUS 0x50
Once writing the EDID to the HDMI firewall memory succeeded, break the tab using pliers to write protect the memory. This will prevent attackers from storing a malicious payload. You can now use the HDMI firewall (only for this monitor).
Feel free to put shrink tube or tape around the HDMI firewall. This will prevent the electronics from getting shorted when coming into contact with neighbouring metal objects.
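To check the dumped EDID (the fields ddcmon prints, plus the checksum) and to do the verification step above by comparing edid.bin with the i2cdump readback instead of eyeballing hex, here is an added Python example; it is not part of the HDMI firewall project. It assumes edid.bin is the raw dump from the sysfs eeprom file and that the readback is the default text layout of i2cdump; the sample EDID and dump text are constructed to mirror the DELL 2408WFP fields shown above.

```python
import re
EDID_HEADER = bytes.fromhex("00ffffffffffff00")

def parse_edid(edid: bytes) -> dict:
    """Decode the ddcmon-style summary fields and verify the 128-byte base-block checksum."""
    if len(edid) < 128 or edid[:8] != EDID_HEADER:
        raise ValueError("not an EDID base block")
    base = edid[:128]
    vendor = int.from_bytes(base[8:10], "big")            # three packed 5-bit letters, A=1
    manufacturer = "".join(chr(64 + ((vendor >> s) & 0x1F)) for s in (10, 5, 0))
    return {
        "checksum_ok": sum(base) % 256 == 0,              # bytes 0..127 must sum to 0 mod 256
        "manufacturer": manufacturer,
        "model_number": int.from_bytes(base[10:12], "little"),
        "version": f"{base[18]}.{base[19]}",
        "manufacture_time": f"{1990 + base[17]}-W{base[16]}",
        "extensions": base[126],                          # extension blocks after the base block
    }

def parse_i2cdump(text: str) -> bytes:
    """Convert `i2cdump -y BUS 0x50` output back into bytes (header and ASCII column ignored)."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]{2}):((?: [0-9a-f]{2}){1,16})", line)
        if m:                                             # an 'XX' read error simply ends the row
            out += bytes(int(h, 16) for h in m.group(2).split())
    return bytes(out)

def compare(original: bytes, written: bytes) -> list:
    """Offsets where the EEPROM content differs from edid.bin; an empty list means verified."""
    n = max(len(original), len(written))
    return [i for i in range(n) if i >= min(len(original), len(written)) or original[i] != written[i]]

def make_sample_edid() -> bytes:
    """Constructed base block mimicking the DELL 2408WFP fields shown in the ddcmon output."""
    e = bytearray(128)
    e[0:8] = EDID_HEADER
    e[8:10] = (0x10AC).to_bytes(2, "big")                 # "DEL": D=4, E=5, L=12 packed
    e[10:12] = (0xA02C).to_bytes(2, "little")             # model number 0xA02C
    e[16], e[17] = 23, 2009 - 1990                        # manufactured 2009-W23
    e[18], e[19] = 1, 3                                   # EDID version 1.3
    e[127] = (-sum(e[:127])) % 256                        # checksum byte
    return bytes(e)

SAMPLE_EDID = make_sample_edid()
SAMPLE_DUMP = """\
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: 00 ff ff ff ff ff ff 00 10 ac 2c a0 00 00 00 00    ........?.,.....
10: 17 13 01 03 00 00 00 00 00 00 00 00 00 00 00 00    ????............
"""
```

In practice, save the readback with `sudo i2cdump -y BUS 0x50 > readback.txt` and feed its contents to parse_i2cdump, then compare against the bytes of edid.bin; any offset in the result means the write did not land correctly.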
For further details, see the project homepage below.
That's all for today's blog.
Thank you sincerely for reading today as well.