Attackers are always looking for new ways to disrupt, inconvenience, abuse and otherwise cause significant damage through unconventional attack vectors. Hastily designed protocols, implemented in devices without any regard for security, have opened under-researched and previously unexplored attack vectors. This problem is compounded by the need to maintain backwards compatibility with existing devices, as retrofitting legacy protocols with security mechanisms is not realistic in many scenarios due to cost. With almost ten billion HDMI devices in the market, HDMI may present a viable attack vector through the Consumer Electronics Control (CEC) protocol. CEC provides control and communication between HDMI devices over HDMI cabling, and many vendors implement CEC features on their devices under different trade names, including Anynet+ (Samsung), Aquos Link (Sharp), BRAVIA Link/Sync (Sony), CEC (Hitachi), CE-Link and Regza Link (Toshiba), SimpLink (LG), VIERA Link (Panasonic), EasyLink (Philips) and Realink (Mitsubishi).
To demonstrate the viability of this attack vector, we present HDMI-Walk, which opens a realm of remote and local CEC attacks against HDMI devices. With HDMI-Walk we prove that it is feasible for an attacker to gain arbitrary control of multiple devices through HDMI and HDMI distributions. Specifically, as proofs of concept, we performed five novel HDMI-Walk attacks involving: (1) malicious topology inference; (2) Denial-of-Service attacks; (3) audio eavesdropping with sensitive data transfer over HDMI; (4) targeted device attacks to disrupt services through HDMI; and (5) the facilitation of existing wireless-based attacks with a CEC-enabled HDMI device. We also evaluated the implications of these attacks as part of this work. Finally, we open a discussion on defense mechanisms and security practices specific to CEC while considering the limitations of the CEC protocol.
HDMI-Walk is a proof-of-concept demonstration of HDMI-based attacks using the Consumer Electronics Control (CEC) protocol. We introduce five different attacks as demonstrations of what is possible through this attack vector.
Figure 1: HDMI-Walk Architecture
The architecture of HDMI-Walk is depicted in Figure 1. The first component of HDMI-Walk is the Local Attacker, who runs the Client Service on their local machine. This local hardware is temporarily connected to the HDMI distribution. The client service contains the modules required for communication with the listener and facilitates the attacks through HDMI-Walk (1). The second part is the HDMI Distribution, which is the core of our attacks and allows for end-to-end communication between devices using HDMI as the medium. Through it, the attacker may scan the distribution for addressed CEC devices, as well as communicate bidirectionally with other devices (2). The third part of the architecture is the Attack Listener. The attack listener is the physical attacker device and hosts the Listener Service. The listener service includes all the modules required for HDMI-Walk communication and for the attacks run from the listener. This service also includes a remote access module that enables communication with the remote client if a connection is available (3). Finally, we have the Remote Attacker, who communicates directly with the attack listener over a remote connection if remote access is possible (4).
HDMI-Walk assumes the following five threats as part of the threat model.
Threat 1: Malicious CEC Scanning
This threat considers the malicious use of CEC scanning features and exposed HDMI ports to gather information about the connected devices. For instance, an attacker can build a topology of the available HDMI devices to control and use this information to perform further attacks.
Threat 2: Eavesdropping
In this threat, the attacker is not present but actively eavesdrops on CEC communication through an implanted device.
Threat 3: Facilitation of Attacks
This threat removes the time and physical-access limitations of wired and wireless attacks. HDMI-Walk facilitates many such attacks so that they become more viable or harder to detect. For example, an attacker installs a device that passively captures WPA handshakes, avoids detection, and is controlled remotely through CEC.
Threat 4: Information Theft
This threat considers information theft as a form of data transfer that Mallory may find valuable, for example information about the available HDMI devices or captured wireless handshakes, which would enable future attacks.
Threat 5: Denial of Service
This threat considers Denial-of-Service attacks in which Mallory disrupts the availability of a system through an HDMI connection. These attacks may be targeted at a specific device or broadcast to multiple devices. For example, an attacker prevents the use of a television through the repeated broadcast of HDMI control commands.
Attack 1
This attack is a demonstration of Threat 1 (Malicious CEC Scanning), possible through CEC in online and offline scenarios. We use the HDMI-Walk architecture to move through the distribution and gather information about every available device with malicious intent. This attack can be executed locally or remotely.
Attack 2
We perform this attack to demonstrate Threat 2 (Eavesdropping) and Threat 4 (Information Theft). In this local attack, the attacker has access only to the HDMI port for communication with the listener device. The attacker walks the HDMI distribution and forwards messages to the listener to activate the microphone and record audio. The audio data is stored locally on the listener device and later transferred to the attacker through the CEC distribution.
Attack 3
This attack was designed to demonstrate Threat 3 (Facilitation of Attacks) and Threat 4 (Information Theft). In this local attack, the attacker uses HDMI-Walk to facilitate WPA/WPA2 handshake capture while evading a security system in place. In traditional handshake theft attacks, the attacker has to wait for a handshake to occur, which can take an indefinite amount of time because the WPA handshake is only exchanged in specific cases. If there is a time constraint, the attacker must attempt forced de-authentication, which may be detected with a network analyzer such as Wireshark or a more complex IDS. In this attack, we facilitate such a threat by removing the time constraint.
Attack 4
This attack was developed to demonstrate Threat 5 (Denial of Service) through arbitrary sniffing and control of a device. In this attack, the attacker uses functionality from the Python-based listener service to target a specific device in the HDMI distribution. She also takes advantage of the nature of CEC to sniff traffic and detect when a device has been turned on. This attack can be divided into three main steps.
Attack 5
We developed this attack to demonstrate Threat 5 (Denial of Service) through broadcast functionality. This attack abuses the CEC broadcast function to cause a DoS condition in any display within a given HDMI distribution. It specifically targets displays by producing standard CEC commands for source and input control. We divide this attack into three steps.
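A detection-side view of Attack 1 and Attack 5, as an added example that is not part of the HDMI-Walk code: a passive monitor over libCEC-style frame notation that flags polling sweeps (the topology scan of Attack 1) and repeated broadcasts of source and input control commands (the broadcast DoS of Attack 5). The frame notation, the thresholds and the sample trace are constructed assumptions; the opcode and logical-address values are those defined by the CEC specification.

```python
"""Passive CEC traffic monitor (added example, not part of HDMI-Walk).
Frames use libCEC-style hex notation 'SD:OP:A1:A2': S/D are the initiator and
destination logical-address nibbles, OP the opcode, A1/A2 operands. A
header-only frame (no opcode) is a CEC polling message. Thresholds and
SAMPLE_TRACE below are constructed for illustration."""
from collections import Counter, defaultdict

BROADCAST = 0xF  # logical address 15: unregistered / broadcast destination
# Opcodes for source and input control (values from the CEC specification).
SOURCE_CONTROL_OPCODES = {0x04: "Image View On", 0x36: "Standby",
                          0x82: "Active Source", 0x86: "Set Stream Path",
                          0x9D: "Inactive Source"}

def parse_frame(hexstr):
    """Return (initiator, destination, opcode or None, operands)."""
    blocks = [int(b, 16) for b in hexstr.strip().split(":")]
    opcode = blocks[1] if len(blocks) > 1 else None
    return blocks[0] >> 4, blocks[0] & 0xF, opcode, blocks[2:]

def detect_polling_sweep(frames, min_targets=8):
    """Initiators that polled many distinct addresses: topology scan (Attack 1)."""
    polled = defaultdict(set)
    for src, dst, opcode, _ in frames:
        if opcode is None and dst != BROADCAST:
            polled[src].add(dst)
    return {src: sorted(d) for src, d in polled.items() if len(d) >= min_targets}

def detect_broadcast_flood(frames, threshold=5):
    """(initiator, command) pairs broadcast repeatedly: broadcast DoS (Attack 5)."""
    counts = Counter((src, opcode) for src, dst, opcode, _ in frames
                     if dst == BROADCAST and opcode in SOURCE_CONTROL_OPCODES)
    return {(src, SOURCE_CONTROL_OPCODES[op]): n
            for (src, op), n in counts.items() if n >= threshold}

def analyze(trace):
    frames = [parse_frame(line) for line in trace]
    return {"polling_sweeps": detect_polling_sweep(frames),
            "broadcast_floods": detect_broadcast_flood(frames)}

# Constructed trace: address 1 polls every other address 0-11, a benign TV /
# playback exchange follows, then address 1 broadcasts Active Source six times.
SAMPLE_TRACE = ([f"1{d:x}" for d in range(12) if d != 1]
                + ["0f:84:00:00:00", "04:8f", "40:90:00", "4f:82:10:00"]
                + ["1f:82:10:00"] * 6)

if __name__ == "__main__":
    for finding, value in analyze(SAMPLE_TRACE).items():
        print(finding, value)
```

A TV legitimately broadcasts Standby and a source legitimately broadcasts Active Source once when it takes the input, so the thresholds count repetition rather than single messages.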
- L. Puche Rondon, L. Babun, K. Akkaya, A. Selcuk Uluagac: “HDMI-Walk: Attacking HDMI Distribution Networks via Consumer Electronic Control Protocol”. Accepted to appear in the Annual Computer Security Applications Conference (ACSAC), 2019.
- L. Puche Rondon, L. Babun, K. Akkaya, A. Selcuk Uluagac: “POSTER (Extended Abstract): Attacking HDMI Distribution Networks”. WiSec 2019 Poster Session, pp. 326-327.