HDMI-Walk is a proof-of-concept demonstration of HDMI-based attacks using the Consumer Electronics Control (CEC) protocol. We introduce five different attacks as demonstrations of what is possible through this attack vector.
Project Description – Overview:
The architecture of HDMI-Walk is depicted in Figure 1. The first component of HDMI-Walk is the Local Attacker which runs the Client Service in their local machine. This local hardware is temporarily connected to the HDMI distribution. The client service contains any required modules for communication to the listener and facilitates the attacks through HDMI-Walk (1). The second part is the HDMI Distribution, which is the core of our attacks and allows for end-to-end communication between devices through HDMI as a medium. The user may scan the distribution for addressed CEC devices, as well as communicate bidirectionally with other devices (2). The third part of the architecture involves the Attack Listener. The attack listener is the physical attacker device and hosts the Listener Service. The listener service includes all the required modules for HDMI-Walk communication and listener-run attacks. This service also includes a remote access module to enable communication to the remote client if a connection is available (3). Finally, we have the Remote Attacker, which communicates directly through a remote connection to the attack listener if remote access is possible (4).
Project Description – Threat Model:
HDMI-Walk assumes the following five threats as part of the threat model.
Threat 1: Malicious CEC Scanning: This threat considers the malicious use of CEC scanning features and exposed HDMI ports to gather information about the connected devices. For instance, an attacker can create a topology of available HDMI devices to control and use this information to perform further attacks.
Threat 2: Eavesdropping: In this threat, the attacker is not present but actively eavesdrops on CEC communication through an implanted device.
Threat 3: Facilitation of attacks: This threat eliminates time and physical access limitations in wired and wireless attacks. HDMI-Walk facilitates many of these attacks so that they become more viable or more difficult to detect. For example, an attacker installs a device to passively capture WPA handshakes, avoid detection, and control through CEC remotely.
Threat 4: Information Theft: This threat considers information theft as a form of data transfer which Mallory may find valuable. For example, information about available HDMI devices or wireless handshake capture which would enable future attacks.
Threat 5: Denial of Service: This threat considers Denial-of-Service attacks where Mallory disrupts the availability of a system through an HDMI connection. These attacks may be targeted to a specific device or broadcast to multiple devices. For example, an attacker prevents the use of a television through the repeated broadcast of HDMI control commands.
Project Description – Attack 1
This attack is a demonstration of Threat 1 (Malicious CEC Scanning) possible through CEC in online and offline scenarios. We use the HDMI-Walk architecture to move through the distribution and gather information about every device available with malicious intent. This attack can be executed locally or remotely.
Project Description – Attack 2
We perform this attack to demonstrate Threat 2 (Eavesdropping) and Threat 4 (Information Theft). In this local attack, an attacker has access only to the HDMI port for communication with the listener device. The attacker walks the HDMI distribution and forwards messages to the listener to activate and record audio using the Microphone. This audio data is stored locally in device, then transferred to the attacker at a later date through a CEC distribution.
Project Description – Attack 3
This attack was specified in order to demonstrate the concepts of Threat 3 (Facilitation of Attacks) and Threat 4 (Information Theft). In this local attack, the attacker uses HDMI-Walk to facilitate WPA/WPA2 handshake capture and prevent detection by a security system in place. In traditional handshake theft attacks, an attacker has to wait for a handshake to occur, this can take an indefinite amount of time as the WPA handshake is only transferred in specific cases. If there is a time constraint, the attacker must attempt forced de-authentication. This raises the issue that forced de-authentication may be detected through a network scanner such as Wireshark or through more complex IDS. In this attack, we facilitate such a threat through the removal of time constraints.
Project Description – Attack 4
This attack was developed to demonstrate Threat 5 (Denial of Service) through arbitrary sniffing and control of a device. In this attack, the attacker uses functionality from the Python-based listener service to target a specific device in the HDMI distribution. She also takes advantage of the nature of CEC to sniff and detect when a device has been turned on. This attack can be divided into three main steps.
Project Description – Attack 5
We developed this attack to demonstrate Threat 5 (Denial of Service) through broadcast functionality. This attack abuses the broadcast function in CEC to cause a DoS condition in any display within a given HDMI distribution. This attack specifically targets displays by producing standard CEC commands for source and input control. We divide this attack into three steps.