SlideShare une entreprise Scribd logo
1  sur  31
Télécharger pour lire hors ligne
What the HEC? Security implications of
HDMI Ethernet Channel and other related
protocols
Andy Davis, Research Director NCC Group
UK Offices                North American Offices   Australian Offices
Manchester - Head Office   San Francisco            Sydney
Cheltenham                Atlanta
Edinburgh                 New York
Leatherhead               Seattle
London
Thame


European Offices
Amsterdam - Netherlands
Munich – Germany
Zurich - Switzerland
Agenda

• Why am I talking about video interfaces?
• What does HDMI bring with it?
• The CEC protocol – enabling the user to expend as little energy as possible
• CECSTeR – The CEC Security Testing Resource
• The HEC protocol – you mean I get network access too?
• HEC internals and potential security issues
• Conclusion
Why am I talking about video interfaces?

• It all started with a BlackBerry PlayBook research project…
• I was investigating USB security at the time (green interface)




• What other ports are available?
• A power connector (blue interface) – probably not that exciting…
• Hmm…microHDMI – what can I do with that? (red interface)
HDMI is an output isn’t it?

Well…yes and no


• Video out
• Audio out
• Display identification and capability advertisement in via EDID
• Remote control via CEC in and out
• Network data via HEC in and out
• Encryption and authentication data via HDCP and DPCP in and out
HDMI - High-Definition Multimedia Interface

• http://www.hdmi.org/manufacturer/specification.aspx (HDMI adopters only)
• Transmits encrypted uncompressed digital video and audio data using
  TMDS (Transition-Minimised Differential Signalling)
• Supports Enhanced DDC for display identification and capability
  advertisement
• Also it introduces a number of new technologies, which are potentially
  interesting from a security perspective; these include:
     • CEC – Consumer Electronics Control
     • CDC – Capability Discovery and Control
     • HDCP - High-bandwidth Digital Content Protection
     • HEC – HDMI Ethernet Channel
CEC – I’ve not heard of that before…

Trade names for CEC are:


• BRAVIA Link and BRAVIA Sync (Sony)
• VIERA Link , HDAVI Control, EZ-Sync (Panasonic)
• Anynet+ (Samsung)
• Aquos Link (Sharp)
• SimpLink (LG)
• EasyLink (Philips)
etc…
CEC - Consumer Electronics Control

Purpose:
• Control two or more HDMI devices using a single remote control
• Devices can control each other without user-intervention.


Physical:
• The architecture of CEC is an inverted tree
• One-wire bidirectional serial bus (AV.link)


Logical:
• Up to ten AV devices can be connected and the topology of a connected system is
  auto-discovered by the protocol.
Supported CEC commands
• One Touch Play, System Standby
• Pre-set Transfer, One Touch Record
• Timer Programming, System Information
• Deck Control , Tuner Control
• OSD Display, Device Menu Control
• Routing Control, Remote Control Pass
• Device OSD Name Transfer, System Audio Control
The CEC protocol

CEC Block layout:



CEC Header block:


CEC Message:


• Messages are either Directed or Broadcast
• Logical addresses are 0x0 – 0xF (0 always TV, F always broadcast)
• Physical addresses x.x.x.x (TV = 0.0.0.0)
Can we fuzz CEC?

• Feature rich protocol - could potentially yield some interesting security
  vulnerabilities in different implementations
• Arduino library - http://code.google.com/p/cec-arduino/
• Publicly available Arduino - CEC interface circuit:


• USB-CEC Adapter from Pulse Eight:




• USB-CEC Bridge from RainShadow Tech:
Introducing CECSTeR

• Consumer Electronics Control Security Testing Resource
• Download it here - http://tinyurl.com/ncctools
• Supports CEC and CDC (more on that later)
• Capture and display traffic
• Send arbitrary commands
• Fuzz the protocols
• Time for a demo…
HDMI Connectivity for the demo
What are the fuzzer results?

My CEC targets:
• Sony PS3 – no results
• Panasonic Blu-ray player (DMP-BD45) – “random” lockups
• BlackBerry PlayBook (very limited CEC functionality) - no results
• XBMC (using Pulse-eight USB-CEC Adapter) – Permanent DoS
     • It “bricked” the Pulse-eight adapter!
• Potentially interesting commands include:
     • “Vendor command” – Opcode 0x89
     • “Set OSD string” – opcode 0x64
     • “Set OSD name” – opcode 0x47
     • “CDC command” – opcode 0xF8
HEC - HDMI Ethernet Channel

• Introduced in HDMI v1.4 (latest version is 1.4a)


• Consolidates video, audio, and data streams into a single HDMI cable


• The primary intention is to reduce the amount of cables required to connect
  AV devices together.


• Uses CDC (Capability Discovery and Control) to control Ethernet channels
CDC (Capability Discovery and Control)

CDC is used to:
• Discover potential HDMI Ethernet channels
• Activate and deactivate channels
• Communicate status of channels
CDC messages are sent with the CEC “CDC Message” (0xF8) opcode
All CDC messages are sent to the CEC logical broadcast address (0xF)
CDC message format:
HEC (CDC) Messages

The following messages are used for Capability Discovery and Control:


•   <CDC_HEC_InquireState>
•   <CDC_HEC_ReportState>
•   <CDC_HEC_SetState>
•   <CDC_HEC_RequestDeactivation>
•   <CDC_HEC_NotifyAlive>
•   <CDC_HEC_Discover>
•   <CDC_HEC_SetStateAdjacent>
HEC potential combinations

Possible HECs within a certain HDMI network:




(referenced from HDMI specification v1.4a)
HEC States

• PHEC (Potential HDMI Ethernet Channel) – part of a PHEC if at least one
  HDMI connection is HEC capable


• VHEC (Verified HDMI Ethernet Channel) – part of a VHEC after CDC has
  confirmed HEC capability of all devices in a PHEC via a
  <CDC_HEC_Discover> message


• AHEC (Active HDMI Ethernet Channel) – part of an AHEC after activation of
  all devices in a VHEC via a <CDC_HEC_SetState> message
Network loop prevention

•   Routing loops such as shown
    here are managed using RSTP
    (Rapid Spanning Tree
    Protocol)
Network loop prevention

•   Routing loops such as shown
    here are managed using RSTP
    (Rapid Spanning Tree
    Protocol)


•   HEC2 is disabled to remove
    the loop
Network loop prevention

•   Routing loops such as shown
    here are managed using RSTP
    (Rapid Spanning Tree
    Protocol)


•   HEC2 is disabled to remove
    the loop


•   If HEC1 link is broken, HEC2 is
    restored
Queue control

•   Devices in a HEC network are expected to prioritise traffic. Time sensitive
    application traffic should be forwarded with higher priority than activities
    such as file downloads:
      •   On-line gaming
      •   Video
      •   VoIP
•   This is achieved using a 3 bit priority field in VLAN tags
This is all very interesting, but…

•   I’m never going to be pentesting a home AV network!
•   HDMI connectors are appearing on new laptops and PCs – soon these
    protocols will be implemented in all the major operating systems


•   If I found a bug in an HDMI enabled TV, so what?
•   Plasma/LCD TVs are becoming part of the corporate network infrastructure


•   So how could HDMI protocols affect corporate users?
HEC Risk #1 – Corporate boundary breach


                     • Network-enabled projectors and TVs could
                       circumvent corporate security boundaries


                     • Will users be aware of the capabilities of
                       this technology within their own devices?
HEC Risk #2 – Endpoint Protection Circumvention

                         • HDMI could be used to connect
                           unauthorised network-enabled devices to
                           the corporate network


                         • Endpoint Protection systems (unless they
                           are HEC-aware) will be unable to detect
                           this


                         • Unauthorised devices could introduce
                           malware or exfiltrate sensitive data
HEC Risk #3 – Unauthorised Network Extension


                          • HDMI could be used to create
                            an unauthorised extension to
                            the corporate network


                          • This “private network” would not
                            be visible to corporate network
                            monitoring tool / NIDS devices
Testing HDMI Ethernet Channel

Have I tested any HEC-enabled devices?
no…
The only device I could find that supports HEC is the T+A Blu-ray receiver:




It costs £6000!
Another corporate HDMI security risk

Remember hardware-based key loggers?


Here’s an HDMI video logger - VideoGhost:


•   http://www.keydemon.com/tiny_frame_grabber/
     •   “2GB storage”
     •   “7 year battery life”


This is potentially much more powerful than a key logger!
Conclusions

•   As users demand more and more “seamless” functionality in a plug-and-
    play world there will be a greater need for bi-directional data to be flowing in
    A/V links between devices
•   HDMI Ethernet Channel could have a major impact on corporate security,
    but the technology is still very new and largely unsupported
•   As well as checking for hardware key loggers you should now also be
    checking for video loggers connected to your corporate workstations
•   Before long every laptop will have an HDMI port and they will all support
    CEC, CDC and HEC!
Questions?


Andy Davis, Research Director NCC Group
andy.davis@nccgroup.com

Contenu connexe

Tendances

Hdmi Bit Rate Calculator
Hdmi Bit Rate CalculatorHdmi Bit Rate Calculator
Hdmi Bit Rate CalculatorMaryArmenta
 
Digital Video Course Section 1
Digital Video Course  Section 1Digital Video Course  Section 1
Digital Video Course Section 1ericlsnider
 
CANSPY: A platform for auditing CAN devices
CANSPY: A platform for auditing CAN devicesCANSPY: A platform for auditing CAN devices
CANSPY: A platform for auditing CAN devicesPriyanka Aash
 
Building Voice
Building Voice Building Voice
Building Voice Videoguy
 
Atlona Sales Presentation Ii
Atlona Sales Presentation IiAtlona Sales Presentation Ii
Atlona Sales Presentation Iimikeg112
 
HDBaseT Alliance Members New Products at ISE 2014
HDBaseT Alliance Members New Products at ISE 2014HDBaseT Alliance Members New Products at ISE 2014
HDBaseT Alliance Members New Products at ISE 2014HDBaseT
 
Designing Triple-Play Apps Using DSP Resource Boards
Designing Triple-Play Apps Using DSP Resource BoardsDesigning Triple-Play Apps Using DSP Resource Boards
Designing Triple-Play Apps Using DSP Resource BoardsVideoguy
 
Video over IP Networks -by Jim Jachetta, CEO, VidOvation - Moving Video Forward
Video over IP Networks -by Jim Jachetta, CEO, VidOvation - Moving Video ForwardVideo over IP Networks -by Jim Jachetta, CEO, VidOvation - Moving Video Forward
Video over IP Networks -by Jim Jachetta, CEO, VidOvation - Moving Video ForwardVidOvation - Moving Video Forward
 
Drp393
Drp393Drp393
Drp393ciperi
 
How To Successfully Implement IP Video
How To Successfully Implement IP VideoHow To Successfully Implement IP Video
How To Successfully Implement IP VideoVideoguy
 
LDI 2012 System Integration
LDI 2012 System IntegrationLDI 2012 System Integration
LDI 2012 System IntegrationLauraFrank
 
Installation Issues for Converged AV/IT Systems
Installation Issues for Converged AV/IT SystemsInstallation Issues for Converged AV/IT Systems
Installation Issues for Converged AV/IT SystemsrAVe [PUBS]
 
Qvpro datasheet
Qvpro datasheetQvpro datasheet
Qvpro datasheetciperi
 
DEFCON 23 - Joshua Smith - high def fuzzing - exploitation over HDMI-CEC
DEFCON 23 - Joshua Smith - high def fuzzing - exploitation over HDMI-CECDEFCON 23 - Joshua Smith - high def fuzzing - exploitation over HDMI-CEC
DEFCON 23 - Joshua Smith - high def fuzzing - exploitation over HDMI-CECFelipe Prado
 

Tendances (19)

Hdmi cables
Hdmi cablesHdmi cables
Hdmi cables
 
Hdmi Bit Rate Calculator
Hdmi Bit Rate CalculatorHdmi Bit Rate Calculator
Hdmi Bit Rate Calculator
 
Digital Video Course Section 1
Digital Video Course  Section 1Digital Video Course  Section 1
Digital Video Course Section 1
 
HVTpaperDI2003v5
HVTpaperDI2003v5HVTpaperDI2003v5
HVTpaperDI2003v5
 
HDMI
HDMIHDMI
HDMI
 
CANSPY: A platform for auditing CAN devices
CANSPY: A platform for auditing CAN devicesCANSPY: A platform for auditing CAN devices
CANSPY: A platform for auditing CAN devices
 
Surf Communication Solutions - Voice Video Gw
Surf Communication Solutions - Voice Video GwSurf Communication Solutions - Voice Video Gw
Surf Communication Solutions - Voice Video Gw
 
Building Voice
Building Voice Building Voice
Building Voice
 
Atlona Sales Presentation Ii
Atlona Sales Presentation IiAtlona Sales Presentation Ii
Atlona Sales Presentation Ii
 
HDBaseT Alliance Members New Products at ISE 2014
HDBaseT Alliance Members New Products at ISE 2014HDBaseT Alliance Members New Products at ISE 2014
HDBaseT Alliance Members New Products at ISE 2014
 
Designing Triple-Play Apps Using DSP Resource Boards
Designing Triple-Play Apps Using DSP Resource BoardsDesigning Triple-Play Apps Using DSP Resource Boards
Designing Triple-Play Apps Using DSP Resource Boards
 
Video over IP Networks -by Jim Jachetta, CEO, VidOvation - Moving Video Forward
Video over IP Networks -by Jim Jachetta, CEO, VidOvation - Moving Video ForwardVideo over IP Networks -by Jim Jachetta, CEO, VidOvation - Moving Video Forward
Video over IP Networks -by Jim Jachetta, CEO, VidOvation - Moving Video Forward
 
Drp393
Drp393Drp393
Drp393
 
How To Successfully Implement IP Video
How To Successfully Implement IP VideoHow To Successfully Implement IP Video
How To Successfully Implement IP Video
 
LDI 2012 System Integration
LDI 2012 System IntegrationLDI 2012 System Integration
LDI 2012 System Integration
 
Video-over-IP for AV
Video-over-IP for AVVideo-over-IP for AV
Video-over-IP for AV
 
Installation Issues for Converged AV/IT Systems
Installation Issues for Converged AV/IT SystemsInstallation Issues for Converged AV/IT Systems
Installation Issues for Converged AV/IT Systems
 
Qvpro datasheet
Qvpro datasheetQvpro datasheet
Qvpro datasheet
 
DEFCON 23 - Joshua Smith - high def fuzzing - exploitation over HDMI-CEC
DEFCON 23 - Joshua Smith - high def fuzzing - exploitation over HDMI-CECDEFCON 23 - Joshua Smith - high def fuzzing - exploitation over HDMI-CEC
DEFCON 23 - Joshua Smith - high def fuzzing - exploitation over HDMI-CEC
 

En vedette

Drive it Like you Hacked It - New Attacks and Tools to Wireles
Drive it Like you Hacked It - New Attacks and Tools to Wireles Drive it Like you Hacked It - New Attacks and Tools to Wireles
Drive it Like you Hacked It - New Attacks and Tools to Wireles E hacking
 
Развитие технологий генерации эксплойтов на основе анализа бинарного кода
Развитие технологий генерации эксплойтов на основе анализа бинарного кодаРазвитие технологий генерации эксплойтов на основе анализа бинарного кода
Развитие технологий генерации эксплойтов на основе анализа бинарного кодаPositive Hack Days
 
Introduction of HDMI
Introduction of HDMIIntroduction of HDMI
Introduction of HDMIdrawtenor74
 
OWASP Open SAMM
OWASP Open SAMMOWASP Open SAMM
OWASP Open SAMMintive
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsPawel Rzepa
 

En vedette (7)

Smart TV Insecurity
Smart TV InsecuritySmart TV Insecurity
Smart TV Insecurity
 
Drive it Like you Hacked It - New Attacks and Tools to Wireles
Drive it Like you Hacked It - New Attacks and Tools to Wireles Drive it Like you Hacked It - New Attacks and Tools to Wireles
Drive it Like you Hacked It - New Attacks and Tools to Wireles
 
Развитие технологий генерации эксплойтов на основе анализа бинарного кода
Развитие технологий генерации эксплойтов на основе анализа бинарного кодаРазвитие технологий генерации эксплойтов на основе анализа бинарного кода
Развитие технологий генерации эксплойтов на основе анализа бинарного кода
 
Introduction of HDMI
Introduction of HDMIIntroduction of HDMI
Introduction of HDMI
 
American Fuzzy Lop
American Fuzzy LopAmerican Fuzzy Lop
American Fuzzy Lop
 
OWASP Open SAMM
OWASP Open SAMMOWASP Open SAMM
OWASP Open SAMM
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugs
 

Similaire à What the HEC? Security implications of HDMI Ethernet Channel and other related protocols - 44CON 2012

Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsHoneywell
 
Case Study At91RM9200 Data Hub Controller
Case Study At91RM9200 Data Hub ControllerCase Study At91RM9200 Data Hub Controller
Case Study At91RM9200 Data Hub ControllerPromwad
 
CableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkCableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkChristopher Grayson
 
Hip case study tcs iitb
Hip case study tcs iitbHip case study tcs iitb
Hip case study tcs iitbArpan Pal
 
Videoconferencing Technology Workshop
Videoconferencing Technology WorkshopVideoconferencing Technology Workshop
Videoconferencing Technology WorkshopVideoguy
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN
 
HOME AUTOMATION USING INTERNET OF THINGS.pptx
HOME AUTOMATION USING INTERNET OF THINGS.pptxHOME AUTOMATION USING INTERNET OF THINGS.pptx
HOME AUTOMATION USING INTERNET OF THINGS.pptxKhanArshidIqbal
 
HEAnets' Video Conferencing Service
HEAnets' Video Conferencing ServiceHEAnets' Video Conferencing Service
HEAnets' Video Conferencing ServiceVideoguy
 
Living bits and things 2013 - Using peer-to-peer and distributed technologies...
Living bits and things 2013 - Using peer-to-peer and distributed technologies...Living bits and things 2013 - Using peer-to-peer and distributed technologies...
Living bits and things 2013 - Using peer-to-peer and distributed technologies...Carsten Rhod Gregersen
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT GatewayLF Events
 
7 reasons why video conferencing world will never
7 reasons why video conferencing world will never7 reasons why video conferencing world will never
7 reasons why video conferencing world will neverTrueConf
 
Welcome to hello real world
Welcome to hello real worldWelcome to hello real world
Welcome to hello real worldAkihiko Kigure
 
TM4C-IoT-Gateway-with-Security-Protection_0.pdf
TM4C-IoT-Gateway-with-Security-Protection_0.pdfTM4C-IoT-Gateway-with-Security-Protection_0.pdf
TM4C-IoT-Gateway-with-Security-Protection_0.pdfssuser8b324e
 
Cloaking is the new perimeter
Cloaking is the new perimeterCloaking is the new perimeter
Cloaking is the new perimeterTempered
 
Cloaking is the new perimeter
Cloaking is the new perimeterCloaking is the new perimeter
Cloaking is the new perimeterTempered
 

Similaire à What the HEC? Security implications of HDMI Ethernet Channel and other related protocols - 44CON 2012 (20)

Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
 
Case Study At91RM9200 Data Hub Controller
Case Study At91RM9200 Data Hub ControllerCase Study At91RM9200 Data Hub Controller
Case Study At91RM9200 Data Hub Controller
 
Iot in-production
Iot in-productionIot in-production
Iot in-production
 
CableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkCableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home Network
 
Hip case study tcs iitb
Hip case study tcs iitbHip case study tcs iitb
Hip case study tcs iitb
 
Videoconferencing Technology Workshop
Videoconferencing Technology WorkshopVideoconferencing Technology Workshop
Videoconferencing Technology Workshop
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE Virtualization
 
HOME AUTOMATION USING INTERNET OF THINGS.pptx
HOME AUTOMATION USING INTERNET OF THINGS.pptxHOME AUTOMATION USING INTERNET OF THINGS.pptx
HOME AUTOMATION USING INTERNET OF THINGS.pptx
 
HEAnets' Video Conferencing Service
HEAnets' Video Conferencing ServiceHEAnets' Video Conferencing Service
HEAnets' Video Conferencing Service
 
Living bits and things 2013 - Using peer-to-peer and distributed technologies...
Living bits and things 2013 - Using peer-to-peer and distributed technologies...Living bits and things 2013 - Using peer-to-peer and distributed technologies...
Living bits and things 2013 - Using peer-to-peer and distributed technologies...
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT Gateway
 
7 reasons why video conferencing world will never
7 reasons why video conferencing world will never7 reasons why video conferencing world will never
7 reasons why video conferencing world will never
 
NodeGrid Bold
NodeGrid BoldNodeGrid Bold
NodeGrid Bold
 
Welcome to hello real world
Welcome to hello real worldWelcome to hello real world
Welcome to hello real world
 
Unizen Smart Automation Brochure-2015
Unizen Smart Automation Brochure-2015Unizen Smart Automation Brochure-2015
Unizen Smart Automation Brochure-2015
 
TM4C-IoT-Gateway-with-Security-Protection_0.pdf
TM4C-IoT-Gateway-with-Security-Protection_0.pdfTM4C-IoT-Gateway-with-Security-Protection_0.pdf
TM4C-IoT-Gateway-with-Security-Protection_0.pdf
 
SmartTV Security
SmartTV SecuritySmartTV Security
SmartTV Security
 
Cloaking is the new perimeter
Cloaking is the new perimeterCloaking is the new perimeter
Cloaking is the new perimeter
 
Cloaking is the new perimeter
Cloaking is the new perimeterCloaking is the new perimeter
Cloaking is the new perimeter
 
Wireless personal area networks(PAN)
Wireless personal area networks(PAN)Wireless personal area networks(PAN)
Wireless personal area networks(PAN)
 

Plus de 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 

Plus de 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 

Dernier

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 

Dernier (20)

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 

What the HEC? Security implications of HDMI Ethernet Channel and other related protocols - 44CON 2012

  • 1. What the HEC? Security implications of HDMI Ethernet Channel and other related protocols Andy Davis, Research Director NCC Group
  • 2. UK Offices North American Offices Australian Offices Manchester - Head Office San Francisco Sydney Cheltenham Atlanta Edinburgh New York Leatherhead Seattle London Thame European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland
  • 3. Agenda • Why am I talking about video interfaces? • What does HDMI bring with it? • The CEC protocol – enabling the user to expend as little energy as possible • CECSTeR – The CEC Security Testing Resource • The HEC protocol – you mean I get network access too? • HEC internals and potential security issues • Conclusion
  • 4. Why am I talking about video interfaces? • It all started with a BlackBerry PlayBook research project… • I was investigating USB security at the time (green interface) • What other ports are available? • A power connector (blue interface) – probably not that exciting… • Hmm…microHDMI – what can I do with that? (red interface)
  • 5. HDMI is an output isn’t it? Well…yes and no • Video out • Audio out • Display identification and capability advertisement in via EDID • Remote control via CEC in and out • Network data via HEC in and out • Encryption and authentication data via HDCP and DPCP in and out
  • 6. HDMI - High-Definition Multimedia Interface • http://www.hdmi.org/manufacturer/specification.aspx (HDMI adopters only) • Transmits encrypted uncompressed digital video and audio data using TMDS (Transition-Minimised Differential Signalling) • Supports Enhanced DDC for display identification and capability advertisement • Also it introduces a number of new technologies, which are potentially interesting from a security perspective; these include: • CEC – Consumer Electronics Control • CDC – Capability Discovery and Control • HDCP - High-bandwidth Digital Content Protection • HEC – HDMI Ethernet Channel
  • 7. CEC – I’ve not heard of that before… Trade names for CEC are: • BRAVIA Link and BRAVIA Sync (Sony) • VIERA Link , HDAVI Control, EZ-Sync (Panasonic) • Anynet+ (Samsung) • Aquos Link (Sharp) • SimpLink (LG) • EasyLink (Philips) etc…
  • 8. CEC - Consumer Electronics Control Purpose: • Control two or more HDMI devices using a single remote control • Devices can control each other without user-intervention. Physical: • The architecture of CEC is an inverted tree • One-wire bidirectional serial bus (AV.link) Logical: • Up to ten AV devices can be connected and the topology of a connected system is auto-discovered by the protocol.
  • 9. Supported CEC commands • One Touch Play, System Standby • Pre-set Transfer, One Touch Record • Timer Programming, System Information • Deck Control , Tuner Control • OSD Display, Device Menu Control • Routing Control, Remote Control Pass • Device OSD Name Transfer, System Audio Control
  • 10. The CEC protocol CEC Block layout: CEC Header block: CEC Message: • Messages are either Directed or Broadcast • Logical addresses are 0x0 – 0xF (0 always TV, F always broadcast) • Physical addresses x.x.x.x (TV = 0.0.0.0)
  • 11. Can we fuzz CEC? • Feature rich protocol - could potentially yield some interesting security vulnerabilities in different implementations • Arduino library - http://code.google.com/p/cec-arduino/ • Publicly available Arduino - CEC interface circuit: • USB-CEC Adapter from Pulse Eight: • USB-CEC Bridge from RainShadow Tech:
  • 12. Introducing CECSTeR • Consumer Electronics Control Security Testing Resource • Download it here - http://tinyurl.com/ncctools • Supports CEC and CDC (more on that later) • Capture and display traffic • Send arbitrary commands • Fuzz the protocols • Time for a demo…
  • 14. What are the fuzzer results? My CEC targets: • Sony PS3 – no results • Panasonic Blu-ray player (DMP-BD45) – “random” lockups • BlackBerry PlayBook (very limited CEC functionality) - no results • XBMC (using Pulse-eight USB-CEC Adapter) – Permanent DoS • It “bricked” the Pulse-eight adapter! • Potentially interesting commands include: • “Vendor command” – Opcode 0x89 • “Set OSD string” – opcode 0x64 • “Set OSD name” – opcode 0x47 • “CDC command” – opcode 0xF8
  • 15. HEC - HDMI Ethernet Channel • Introduced in HDMI v1.4 (latest version is 1.4a) • Consolidates video, audio, and data streams into a single HDMI cable • The primary intention is to reduce the amount of cables required to connect AV devices together. • Uses CDC (Capability Discovery and Control) to control Ethernet channels
  • 16. CDC (Capability Discovery and Control) CDC is used to: • Discover potential HDMI Ethernet channels • Activate and deactivate channels • Communicate status of channels CDC messages are sent with the CEC “CDC Message” (0xF8) opcode All CDC messages are sent to the CEC logical broadcast address (0xF) CDC message format:
  • 17. HEC (CDC) Messages The following messages are used for Capability Discovery and Control: • <CDC_HEC_InquireState> • <CDC_HEC_ReportState> • <CDC_HEC_SetState> • <CDC_HEC_RequestDeactivation> • <CDC_HEC_NotifyAlive> • <CDC_HEC_Discover> • <CDC_HEC_SetStateAdjacent>
  • 18. HEC potential combinations Possible HECs within a certain HDMI network: (referenced from HDMI specification v1.4a)
  • 19. HEC States • PHEC (Potential HDMI Ethernet Channel) – part of a PHEC if at least one HDMI connection is HEC capable • VHEC (Verified HDMI Ethernet Channel) – part of a VHEC after CDC has confirmed HEC capability of all devices in a PHEC via a <CDC_HEC_Discover> message • AHEC (Active HDMI Ethernet Channel) – part of an AHEC after activation of all devices in a VHEC via a <CDC_HEC_SetState> message
  • 20. Network loop prevention • Routing loops such as shown here are managed using RSTP (Rapid Spanning Tree Protocol)
  • 21. Network loop prevention • Routing loops such as shown here are managed using RSTP (Rapid Spanning Tree Protocol) • HEC2 is disabled to remove the loop
  • 22. Network loop prevention • Routing loops such as shown here are managed using RSTP (Rapid Spanning Tree Protocol) • HEC2 is disabled to remove the loop • If HEC1 link is broken, HEC2 is restored
  • 23. Queue control • Devices in a HEC network are expected to prioritise traffic. Time sensitive application traffic should be forwarded with higher priority than activities such as file downloads: • On-line gaming • Video • VoIP • This is achieved using a 3 bit priority field in VLAN tags
  • 24. This is all very interesting, but… • I’m never going to be pentesting a home AV network! • HDMI connectors are appearing on new laptops and PCs – soon these protocols will be implemented in all the major operating systems • If I found a bug in an HDMI enabled TV, so what? • Plasma/LCD TVs are becoming part of the corporate network infrastructure • So how could HDMI protocols affect corporate users?
  • 25. HEC Risk #1 – Corporate boundary breach • Network-enabled projectors and TVs could circumvent corporate security boundaries • Will users be aware of the capabilities of this technology within their own devices?
  • 26. HEC Risk #2 – Endpoint Protection Circumvention • HDMI could be used to connect unauthorised network-enabled devices to the corporate network • Endpoint Protection systems (unless they are HEC-aware) will be unable to detect this • Unauthorised devices could introduce malware or exfiltrate sensitive data
  • 27. HEC Risk #3 – Unauthorised Network Extension • HDMI could be used to create an unauthorised extension to the corporate network • This “private network” would not be visible to corporate network monitoring tool / NIDS devices
  • 28. Testing HDMI Ethernet Channel Have I tested any HEC-enabled devices? no… The only device I could find that supports HEC is the T+A Blu-ray receiver: It costs £6000!
  • 29. Another corporate HDMI security risk Remember hardware-based key loggers? Here’s an HDMI video logger - VideoGhost: • http://www.keydemon.com/tiny_frame_grabber/ • “2GB storage” • “7 year battery life” This is potentially much more powerful than a key logger!
  • 30. Conclusions • As users demand more and more “seamless” functionality in a plug-and- play world there will be a greater need for bi-directional data to be flowing in A/V links between devices • HDMI Ethernet Channel could have a major impact on corporate security, but the technology is still very new and largely unsupported • As well as checking for hardware key loggers you should now also be checking for video loggers connected to your corporate workstations • Before long every laptop will have an HDMI port and they will all support CEC, CDC and HEC!
  • 31. Questions? Andy Davis, Research Director NCC Group andy.davis@nccgroup.com