Professional Documents
Culture Documents
net/publication/337457563
CITATIONS READS
12 628
4 authors:
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Leonardo Babun on 03 August 2020.
6.3 Attacks
In this sub-section, we realize HDMI-Walk attacks and discuss its
Figure 5: Attack 2–File I/O Module transfer of audio data.
implications. We also present individual uses of every module afore-
mentioned for HDMI-Walk attacks in Table 3. audio data is then transferred to the client at a later date through
Attack 1 - Topology Inference Attack (Local and Remote). the use of the File I/O module.
This attack is a demonstration of Threat 1 (Malicious CEC Scanning) Step 1 - Listener: The attacker first places a listener device in the
possible through CEC in online and offline scenarios. We use the CEC distribution as noted by the architecture. The listener device
HDMI-Walk architecture to move through the distribution and awaits attacker commands from another location in the HDMI
gather information about every device available with malicious distribution.
intent. This attack can be executed through the local or remote Step 2 - Listener Activation: The attacker sends the request to
client. performs an HDMI-walk to scan the devices and identifies the
Step 1 - Activation: Upon initial placement within the HDMI listener device in the CEC distribution. We note the logical address
distribution, the listener automatically connects and begins the of the listener device and activate the Microphone module with
information gathering process with remote and local execution of “bb:bb:bb:bb” command received by the listener. The listener device
HDMI-Walk scans. records audio and stores the data locally.
Step 2 - Information Gathering: The listener begins to perform a Step 3 - Client Request: The client requests a file transfer using
“walk” over all of the devices using the CEC scanner module. This the File I/O module and the command “aa:aa:aa:aa” to the listener.
easily yields information about HDMI device type, device, logical The listener receives this command via the CEC distribution and
address, physical address, active source, vendor, CEC version, device serializes the stored audio data as the client awaits the data transfer.
name, and power status from available devices in the distribution. Once the audio file is serialized the File I/O module transmission
Once this has been processed, the listener stores the data locally. begins.
Step 3 - Leakage: For a local client, the data is ready to be retrieved Step 4 - Client processing: The audio data is transmitted from the
through the File I/O module upon local client request. For the re- listener device to the client service through the File I/O module.
mote client, the listener performs a call to POST: /cec/webclient Once this is finished the client saves the audio file locally, making
with all the captured information. The data is submitted to the it available to the attacker.
remote server in the form of a JSON object to be retrieved by a Evaluation: For this attack, we had success at every stage of the
remote attacker. attack. Tests performed in different locations of the HDMI distri-
Evaluation: With this attack, we used the scanning functionality bution proved successful. Script activation began and a recording
to “walk” and gather more information on the controllable devices was saved locally. The listener device successfully received the acti-
available. The attack was entirely successful and allowed us to learn vation command from the client and a recording was successfully
information both locally and remotely about each accessible device. stored locally within the listener device. At a later time, the client
As seen in Table 4, we gather information such as the device logi- requested the audio data from the listener device through the as-
cal/physical address, active source state, Vendor name, CEC Version, signed message. The listener successfully confirmed the receipt of
OSD Name, and power status. With this information, an attacker this message and began the data transfer over the CEC network
may as well infer usage from the power state of the equipment. to the client as seen in Figure 5. The client successfully stored and
For example, an attacker may be able to infer that a room is in use deserialized this data into a valid file format. This further opens
when the power state of the displays is on or perform more vendor the possibility to a listener which could await keywords such as
and device-specific attacks with more research on specific devices. “password” passively or use voice-to-text technology to transfer
Attack 2 - CEC-Based Eavesdropping (Local). We perform days of conversations to an adversary.
this attack to demonstrate Threat 2 (Eavesdropping) and Threat 4 Attack 3 - WPA/WPA2 Handshake Theft (Local). This at-
(Information Theft). In this local attack, an attacker has access only tack was specified in order to demonstrate the concepts of Threat 3
to the HDMI port for communication with the listener device. The (Facilitation of Attacks) and Threat 4 (Information Theft). In this
attacker walks the HDMI distribution and forwards messages to the local attack, the attacker uses HDMI-Walk to facilitate WPA/WPA2
listener to activate and record audio using the Microphone Access handshake capture and prevent detection by a security system in
Module. This audio data is stored locally in the listener device. The place. In traditional handshake theft attacks, an attacker has to wait
Figure 6: Attack 3–Running handshake capture with
Aircrack-ng.
for a handshake to occur, this can take an indefinite amount of time
as the WPA handshake is only transferred in specific cases [16].
If there is a time constraint, the attacker must attempt forced de-
authentication [8]. This raises the issue that forced de-authentication
may be detected through a network scanner such as Wireshark or
through more complex IDS [4]. In this attack, we facilitate such a
threat through the removal of time constraints. Figure 7: Attack 4–TV Power state change and execution of
Step 1 - Initial Configuration: The attacker must be especially care- targeted attack.
ful about the listener placement. The listener must be able to reach
wireless network connections and must also come equipped with a remote client to activate the targeted attack. Once a command is
wireless adapter capable of “monitor mode” for packet capture. received, the listener activates the attack.
Step 2 - Client Trigger: The client triggers the listener’s service Step 2 - Sniffing: The listener is set within an HDMI distribution
wireless attack module. This activates the wireless adapter in mon- and monitors CEC packets flowing through the distribution. We
itor mode with airmon-ng, then begins the capture with airodump- particularly listen to the data commands “84:00:00:00”, “87:1f:00:08”
ng using the wlan1 interface and BSSID “7C:8B:CA:49:45:D2” in the and “80:00:00:30:00” from any incoming source. These values, usu-
listener device. Airodump-ng process is opened in separate terminal ally signify a device broadcasting to HDMI distribution devices
using Python’s os import command. This places the listener in a that its power state has changed and has been turned on. More
passive state which awaits handshakes to naturally occur without specifically, 84 reports physical address, 87 reports vendor id, and
forced de-authentication. The attacker is not needed for the dura- 80 reports a routing change. In this particular attack, the attacker
tion of this capture. At a later time, an authorized user connects targets a CEC enabled display, the Sharp television.
and the handshake is captured passively. Step 3 - DoS attack: Once the attack is active the listener awaits
Step 3 - Handshake Retrieval: The attacker reconnects with the commands associated with power state change within the HDMI
client and requests the handshake from listener. The listener first distribution. Once the power state change is detected it sends the
cleans the capture .cap file using wpaclean. This greatly reduces CEC shutoff command “20:36” to the display (ID: 0) in the distri-
the file size and the transfer begins. The attacker can finally receive bution. This automatically powers off the display as soon as it is
the cleaned capture through the CEC File I/O module. powered on.
Evaluation: Local CEC client triggers for the activation of this Evaluation: The listener began in an inactive state as expected
attack proved entirely successful. Activation of the wireless module, with passive listening of the CEC commands. Powering the dis-
Airodump-ng, and cleanup functions succeeded as seen in Figure 6. play did not cause any changes in this inactive state. The listener
With the capture size reduced, the handshake was transferred to successfully received the activation command over remote and
the local client successfully. This process would allow the attacker local clients, activating the attack mode. With this mode active,
to retrieve the handshake at a later date and use more computing the display was manually powered on. The module in our service
resources to attempt to crack the handshake and gain unauthorized successfully identified the power state change in the display and
access to the network. This would then allow the attacker to enable provided the shutoff command as seen in Figure 7. The display
remote functionality to their own listener. received the shutoff commands and immediately powered off as
Attack 4 - Targeted Device Attack (Local and Remote). This expected. No matter which method of powering on, the attack could
attack was developed to demonstrate Threat 5 (Denial of Service) not be avoided, successfully executing the DoS attack. We addition-
through arbitrary sniffing and control of a device. In this attack, the ally had another notable finding while performing this attack. That
attacker uses functionality from the Python-based listener service is, during DoS, the user was prevented from disabling CEC control
to target a specific device in the HDMI distribution. She also takes within the system. Additionally, this attack may prove difficult to
advantage of the nature of CEC to sniff and detect when a device detect as it may be mistaken for a malfunctioning display.
has been turned on. This attack can be divided into three main Attack 5 - Display Broadcast DoS (Local and Remote). We
steps. developed this attack to demonstrate Threat 5 (Denial of Service)
Step 1 - Activation: The listener awaits attack activation. It awaits through broadcast functionality. This attack abuses the broadcast
commands either from the local client (through a walk) or from a function in CEC to cause a DoS condition in any display within a
4, we found that the input change control could become a viable
form of a visual attack. With these functions, display input changes
could be used to trigger seizures (e.g., television epilepsy) with the
rapid flickering of a display switching between inputs [14]. We also
consider volume control to an Amplifier device. A remote attacker
with the control of a distribution can easily adjust the volume of
devices with CEC commands. Extended playback at high volumes
is known to damage sound equipment [12]. An implementation
of Attack 1 would first allow an attacker to infer room occupancy
via power state. Combining this with Attack 4, the attacker could
peak the volume output in a room when nobody is present and
Figure 8: Attack 5–Input-change induced DoS attack. Exe- cause gradual damage to the sound system, which cause a notable
cuted by remote attacker with command DOS1. financial cost to the user. Combination of HDMI-Walk and targeted
device attacks such as Attack 4 could also allow a malicious person
to assume control of menu functions in specific HDMI devices. This
given HDMI distribution. This attack specifically targets displays would allow the attacker to change menu settings, make purchases,
by producing standard CEC commands for source and input control. or update firmware through device-tailored command sequences.
We divide this attack into three steps. With attackers in constant search for new vectors of attack, disrup-
Step 1 - Insertion of Attacker Listener: The listener device is placed tion, data leakage, behavioral leakage, and any type of information
in any location of the HDMI distribution. The device then awaits leakage could present catastrophic outcomes to an organization. A
instructions from a client service to begin the attack. In the case conference room while in confidential use can be a target to eaves-
of an available wireless connection, the listener’s Remote Access dropping and handshake theft, giving attackers a chance to acquire
Module becomes active. passwords, access codes, and confidential information. In normal
Step 2 - Activation Phase: The listener activates in two different usage, inferring devices and disrupting functionality is possible and
methods: (1) the listener receives a direct command from a client may present a threat which many users have not considered or
service to begin the attack. (2) the listener receives through a remote anticipated.
client with the DOS1 command.
Step 3 - DoS attack phase: After activation conditions are reached,
the listener device begins broadcast of various display input change 7 DISCUSSION: DEFENSE MECHANISMS
commands. These are standard CEC commands accepted by en- Although it is not within the scope and the aimed contributions
abled televisions to adjust the active source on the display device. of this work, we briefly discuss possible defense mechanisms for
The CEC distribution is flooded with a broadcast loop: power on HDMI-Walk attacks.
(“20:04”), input 1 (“82:10:00”), input 2 (“82:20:00”), input 3 (“82:30:00”), Challenges of Defense Mechanisms: One of the largest challenges
and input 4 (“82:40:00”). This renders the displays unusable by the with securing CEC revolves around purpose, implementation, and
user, effectively creating a DoS attack. proliferation. CEC, being an established means of communication
Evaluation: In this attack, the listener began in an idle state as for A/V devices, has been widely deployed in its current form in
intended in the distribution. The listener successfully received the billions of devices by different vendors. An endeavor to update the
activation command over remote and local clients. Then, it initiated protocol with security mechanisms, or present a new version of
the DoS broadcast loop over the entire distribution as depicted in the protocol has to consider discontinued devices, vendor-specific
Figure 8. The attack first powered on the display if it was powered implementations, and backwards compatibility or face loss of func-
off. The loop then began rapid input change over all inputs on tionality. Existing devices may not have the hardware, or connectiv-
the display. The display began to flash rendering it unusable. We ity capabilities to upgrade. All of these factors may make traditional
noticed faster switching between inputs than if compared with security mechanisms too expensive, or impractical to deploy [? ].
manual input change. Another effect of this condition is that it Removal of CEC: An assumption of our attacks is that an incoming
made it impossible for the user to alter any settings in the display visitor has access to all CEC features. This can be disabled through
to disable external control after activation. the complete removal of CEC Pin 13 in the connection [10]. CEC-
Summary and findings: During testing of HDMI-Walk attacks, we less adapters/cables that partially or completely prevent the CEC
identified a vendor-specific vulnerability, and are currently coor- propagation within distribution may accomplish this goal.
dinating to report this finding to the product’s respective manu- Disable CEC via Setup: Specific devices do not use CEC functionality
facturer. HDMI-Walk can identify specific device information to due to external control via IP, Serial, IR, etc. It is a good practice to
develop further attacks. We have proven arbitrary control over remove CEC functionality in devices which do not require it. Many
HDMI devices which could be used to an attacker’s advantage. devices come with CEC control enabled by default. Disabling CEC
Also, we enabled control of the TV volume and Amplifier volume control may help mitigate DoS and any attack dependent on device
with devices in our testbed. This control is completely feasible in an control. However, it will not help against topology inference from
HDMI distribution with the concepts of HDMI-Walk. We find these devices which still provide their information after CEC control is
attacks critical as they occur over a medium without any form of se- disabled. We found that some devices will still report address, and
curity mechanisms or existing techniques for mitigation. Via Attack CEC details on request even if CEC control functionality is disabled.
Awareness: Knowing how devices operate, how they propagate, Florida Center for Cybersecurity’s Capacity Building Program. The
and strategic placement of CEC-less adapters/cabling may limit views are those of the authors only.
unauthorized access to CEC and prevent CEC-based attacks. Aware-
ness serves as a middle ground between fully removing CEC and REFERENCES
completely allowing communication. For example, a guest presen- [1] [n.d.]. http://phdapis-env.hzqhv6ugji.us-east-1.elasticbeanstalk.com/.
[2] May, 2019. HDMI-CEC Control Service. https://source.android.com/devices/tv/
ter should not have control to the distribution beyond displaying hdmi-cec
his/her laptop, thus there is no need for the presentation podium [3] Leonardo Babun, Amit Kumar Sikder, Abbas Acar, and A. Selcuk Uluagac. 2018.
to allow CEC communication. IoTDots: A Digital Forensics Framework for Smart Environments. CoRR (2018).
[4] N. Baharudin, F. H. M. Ali, M. Y. Darus, and N. Awang. 2015. Wireless Intruder
HDMI-Enabled IDS: Preventing an unauthorized device from join- Detection System (WIDS) in Detecting De-Authentication and Disassociation
ing an HDMI distribution could be the best step towards complete Attacks in IEEE 802.11. In 2015 5th International Conference on IT Convergence
HDMI-Based attack mitigation. A promising solution in this can be and Security (ICITCS). 1–5. https://doi.org/10.1109/ICITCS.2015.7293037
[5] Z. Berkay Celik, Leonardo Babun, Amit Kumar Sikder, Hidayet Aksu, Gang Tan,
to design an IDS for CEC as a preventive measure for CEC based Patrick McDaniel, and A. Selcuk Uluagac. 2018. Sensitive Information Tracking
attacks, moving from manual device scanning to more automated in Commodity IoT. In 27th USENIX Security Symposium. 1687–1704.
[6] Andy Davis. Aug, 2013. What the HEC? Security implications
approaches. Machine learning-based approaches that consider the of HDMI Ethernet Channel and other related protocols. https:
state of different features in hardware distribution have proven //www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2013/
to be very effective in other research works [3? ]. However, exist- 44con_hdmi_ethernet_channel_andy\_davis_ncc_group_wp.pdf
[7] Andy Davis. Mar, 2012. HDMI : Hacking Displays Made Interesting. https:
ing solutions make use of code instrumentation [5] or behavioral //media.blackhat.com/bh-eu-12/Davis/bh-eu-12-Davis-HDMI-Slides.pdf
analysis [? ] to capture real-time data from systems [5], which [8] Brannon Dorsey. Jul, 2017. Crack WPA/WPA2 Wi-Fi Routers with
may be difficult to implement in close-source environments like Aircrack-ng and Hashcat. https://medium.com/@brannondorsey/
crack-wpa-wpa2-wi-fi-routers-with-aircrack-ng-and-hashcat-a5a5d3ffea46
vendor-specific CEC firmware. [9] Google. 2018. What is CEC? https://support.google.com/chromecast/answer/
7199917?hl=en
[10] HDMI Licensing LLC. 2018. Inside an HDMI Cable.
8 CONCLUSIONS https://www.hdmi.org/installers/ insidehdmicable.aspx.
Today there are close to 10 billion High Definition Multimedia [11] HDMI Licensing LLC. Jun, 2009. HDMI Specification guide V1.4. , pp. 213 pages.
[12] Cliff Heyne. Jan, 2013. AV Tip: How to Avoid Blowing Out Your Speakers. https:
Interface (HDMI) devices in the world and HDMI has become //www.audioholics.com/home-theater-connection/avoid-blowing-speakers
the de-facto standard for the distribution of A/V signals in smart [13] Kasey Holman. Dec, 2005. HDMI Licensing LLC Announces Availability of
HDMI 1.2a Specification. https://www.hdmi.org/press/pr/pr_20051227.aspx
homes, office spaces, sports events, etc. A component of this widely- [14] MD Joseph I. Sirven. Nov, 2013. Photosensitivity and Seizures. https://www.
deployed interface is the CEC protocol, which is used for HDMI epilepsy.com/learn/triggers-seizures/photosensitivity-and-seizures
control interactions. With no currently known security solutions [15] Kwikway. [n.d.]. The HDMI-CEC Bus. http://wiki.kwikwai.com/index.php?
title=The_HDMI-CEC_bus
in place or security implementations in the CEC protocol design, [16] Arash Habibi Lashkari, Mir Mohammad Seyed Danesh, and B. Samadi. 2009. A
CEC opens a realm of possibilities to attackers. In this work, we survey on wireless security protocols (WEP, WPA and WPA2/802.11i). In 2009 2nd
introduced a novel attack surface for HDMI distribution networks IEEE International Conference on Computer Science and Information Technology.
48–52. https://doi.org/10.1109/ICCSIT.2009.5234856
called HDMI-Walk and its proof-of-concept attacks on deployed [17] M. Niemietz, J. Somorovsky, C. Mainka, and J. Schwenk. 2015. Not so Smart: On
HDMI systems. To the best of our knowledge, this is the first work Smart TV Apps. In 2015 International Workshop on Secure Internet of Things (SIoT).
72–81. https://doi.org/10.1109/SIOT.2015.13
that solely investigated the security of HDMI-Walk based attacks [18] Yossef Oren and Angelos D. Keromytis. 2014. From the Aether to the Ether-
in HDMI distribution networks. Using HDMI-Walk, we analyzed net—Attacking the Internet using Broadcast Digital Television. In 23rd USENIX
the CEC propagation and implemented a series of local and re- Security Symposium (USENIX Security 14). 353–368.
[19] Pulse-Eight. 2018. USB-CEC Adapter communication Library. https://github.
mote CEC based attacks as a proof-of-concept design. Specifically, com/Pulse-Eight/libcec/
we implemented malicious device analysis, eavesdropping, Denial [20] Joshua Smith. Nov, 2015. High-Def Fuzzing : Exploring Vulnerabilities in HDMI-
of Service, targeted device attacks, and facilitation of existing at- CEC. https://media.defcon.org/
[21] Akihiro Tsutsui. 2008. Latest trends in home networking technologies. IEICE
tacks using CEC. HDMI-Walk presents a critical threat as these transactions on communications 91, 8 (2008), 2470–2476.
attacks cannot be detected or mitigated through traditional means [22] Doug Wright. Jan, 2018. Shipments of Products with HDMI Interface Nears 900
Million Devices in 2017; Total Installed Base Approaches Seven Billion.
of network protection. We further evaluated these novel attacks [23] Nan Zhang, Soteris Demetriou, Xianghang Mi, Wenrui Diao, Kan Yuan, Peiyuan
and highlighted their implications, including arbitrary control over Zong, Feng Qian, XiaoFeng Wang, Kai Chen, Yuan Tian, Carl A. Gunter, Kehuan
CEC-enabled devices through a distribution. This work, aims to Zhang, Patrick Tague, and Yue-Hsun Lin. 2017. Understanding IoT Security
Through the Data Crystal Ball: Where We Are Now and Where We Are Going to
shed light on vulnerabilities in the largely deployed HDMI distribu- Be. CoRR abs/1703.09809 (2017).
tion. Consequences of these vulnerabilities can largely impact all
users of HDMI and the security of any dependent system. Further,
we discussed defense mechanisms to provide impactful and com-
prehensive security suggestions specific to the CEC protocol. As
future work, we aim to develop a specific security mechanism for
HDMI-Walk attacks, such as the design of an Intrusion Detection
System.
ACKNOWLEDGMENTS
This work is partially supported by the US National Science Foun-
dation (Awards: NSF-CAREER-CNS-1453647, NSF-1663051) and