In HDMI, there are not only TMDS protocol that transmits video and audio data but CEC, DDC and ARC protocols that provide different functions. We would like to introduce in TROOPERS the 1) HDMI protocol, 2) why these protocols can be regarded as attack vectors, 3) the fuzzer we made, 4) finally the vulnerability found in Xiaomi mibox3.
HDMI is used by many display devices as an interface for transmitting high- definition video and audio. As many global IT companies such as Samsung, Google, and Apple are joining the HDMI Forum, the usage rate is expected to increase further.
The HDMI started with Ver1.0 and now upgraded via 1.4 to 2.1, and now has not only simple video transmission, but also device control, audio upstream to sound bars, and Ethernet communications. To implement these features, HDMI has added various protocols, and devices that support HDMI have codes inserted to handle the protocol.
- Previous HDMI Research Case / Differentiation
There was a presentation on hdmi in BLACK HAT EUROPE 2012, 44con 2012, and DEF CON23. However, the above announcements presented only the possibility of an attack vector for one of several HDMI protocols.
But we want to present another protocol as an attack vector with the protocols they were dealing with. In addition, we will introduce the design and implementation method of the fuzzer that we made to improve the performance. We will also introduce vulnerabilities found in Xiaomi mibox3 through our fuzzer.
- HDMI functions and protocols (CEC, DDC, ARC)
HDMI has TMDS, CEC, DDC, ARC, and HEC protocols, and we are interested in protocols that provide more functionality than TMDS, which transmits video and audio data. Among them, CEC, DDC, and ARC were used as attack vectors except for HEC, which has few supporting devices. Therefore, in this chapter, we introduce three protocols that we use as attack vectors.
Simply put, CEC is used to control devices connected to HDMI. The DDC is used by the source device to obtain information about the status and function of the sink device. The ARC is a protocol added by HDMI 1.4 and is used to directly upstream the audio data transmitted through the TMDS.
The TROOPERS talk will include details of the protocol, such as the addressing scheme for sending CEC messages, the actual message format, and the sink device information that can be obtained through DDC messages. We hypothesized that there would be a vulnerability in the implementation that handles these protocols. So we implemented the CEC and DDC fuzzers.
- CEC fuzzer design method
We will introduce Pulse-8 and libcec, which are environments for making fuzzer, and how to send messages using them. The details of the fuzzer will be explained in the TROOPERS talk.
- DDC fuzzer design method
We describe how to implement environment to make fuzzer using Arduino, how to transmit data and determine the crash, and explain how to implement driver fuzzer to overcome disadvantages of Arduino fuzzer. The details of the fuzzer will be explained in the TROOPERS talk.
- eARC and possibility of attack vector
It introduces the difference between ARC and eARC and explains what possibilities exist for attack vectors.
- fuzzing results and vulnerability analysis
As a result of fuzzing, we found three vulnerabilities in Xiaomi mibox3. We will show a demo video of the fuzzing results at TROOPERS and explain the analysis of the vulnerabilities we have found.