Prevents devices from hacking HDMI equipment, and vice-versa
Designed by CuVoodoo in Germany
Purpose
HDMI is mainly used to transfer audio and video, but also offers a number of additional features (e.g. HDCP, CEC, HEC, ARC, MHL). This increases the attack surface, and since the security of their implementation in embedded devices is far from ideal, an attacker could exploit them and inject malicious code. Your innocuous-looking video equipment is then compromised and threatens your IT/network security. And your monitor could in turn hack back any other device connected to it.
For example, let's imagine you invite an external guest for a presentation inside your company. You offer to connect to a smart TV or video projector so he can show his slides. This is the perfect opportunity for the guest to hack it. Now your smart TV can act as a spy in your network. Or the next time an employee connects to the projector, his laptop is hacked back. And voilà, the innocent-looking guest has managed to infiltrate your company network, and can exfiltrate confidential information.
The HDMI firewall can block all additional interfaces, and only allow audio and video data transfer. It is based on the research of Pierre-Michel Ricordel and José Lopes Esteves from ANSSI/SDE/ST/LSF presented at the IT security conference SSTIC 2021. Some security research and vulnerabilities around CEC and EDID are listed in slide 4.
First plug the HDMI cable going to the monitor into the port labeled MONITOR on the HDMI firewall. Then plug the HDMI cable going to the device into the port labeled DEVICE. That's it, your equipment (monitor and device) is now protected. But the firewall should be fine-tuned as described below.
The HDMI firewall comes with a generic HD profile, but this might not correspond to the capabilities of your monitor. The resulting image could be distorted, or completely missing. Thus, you first have to copy the Extended Display Identification Data (EDID) information of the equipment to protect. This data includes information such as the supported resolutions. The HDMI firewall can copy the EDID from the monitor:
The HDMI firewall lets you select which interfaces are blocked using the switches. The highest security is provided when blocking all lines by setting the switches to the BLOCK position. If you still trust your equipment enough and want to use a feature, you can set the corresponding switch to the ALLOW/ON position:
The HDMI firewall can also be used to provide a custom EDID, as the one stored in the monitor is sometimes faulty. For that you need to program the raw binary EDID (with up to 1 extension block) onto the STM8S103 EEPROM using the RST and SWIM lines made available on the back of the board.
The HDMI firewall uses impedance-controlled lines: 4-layer impedance-controlled board, differential pair routing, intra- and inter-pair length matching. This should allow any audio and video signal to be transmitted to the monitor. But I only have 2K equipment I could test it on. I could not test the firewall against 4K, 8K, or 3D capable monitors. CEC remote control has been tested. But I don't have any equipment using HDCP, HEC, ARC, or MHL. Thus I could also not test these interfaces.
The firewall only supports EDID with up to 1 extension block. This is the case for all monitors I've seen. Some high-end monitors supporting numerous features might have additional extension blocks. Thus the firewall might prevent you from using the monitor to its full potential. You can still use the original EDID from the monitor by setting the SDA/2 and SCL/3 switches to the ALLOW/ON position. The DDC channel won't be firewalled anymore though.
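The custom-EDID step and the extension-block limit above both come down to checking a raw EDID image before it is written to the EEPROM. The following is an added example, not code from the HDMI firewall project: it checks the standard EDID header, the per-block checksums and the declared extension count against the limit of 1 stated on this page. The function names and the sample images are constructed for illustration.

```python
"""Check a raw EDID image against the 'up to 1 extension block' limit."""

EDID_HEADER = bytes([0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00])
BLOCK_SIZE = 128      # every EDID block (base or extension) is 128 bytes
MAX_EXTENSIONS = 1    # limit stated on this page


def with_checksum(block127: bytes) -> bytes:
    """Append the byte that makes a 128-byte block sum to 0 mod 256."""
    return block127 + bytes([(-sum(block127)) % 256])


def check_edid(raw: bytes) -> list[str]:
    """Return a list of problems; an empty list means the image is usable."""
    if len(raw) < BLOCK_SIZE or len(raw) % BLOCK_SIZE:
        return [f"length {len(raw)} is not a positive multiple of {BLOCK_SIZE}"]
    problems = []
    if raw[:8] != EDID_HEADER:
        problems.append("base block does not start with the EDID header")
    declared = raw[126]  # byte 126 of the base block: extension block count
    if declared > MAX_EXTENSIONS:
        problems.append(f"{declared} extension blocks declared, limit is {MAX_EXTENSIONS}")
    expected = BLOCK_SIZE * (1 + declared)
    if len(raw) != expected:
        problems.append(f"{len(raw)} bytes present, {expected} expected")
    for i in range(len(raw) // BLOCK_SIZE):
        if sum(raw[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]) % 256:
            problems.append(f"block {i} checksum is wrong")
    return problems


def make_sample(extensions: int) -> bytes:
    """Constructed sample image: valid header and checksums, zeroed payload."""
    base = bytearray(127)
    base[:8] = EDID_HEADER
    base[126] = extensions
    ext = bytearray(127)
    ext[0] = 0x02  # CTA-861 extension tag
    return with_checksum(bytes(base)) + with_checksum(bytes(ext)) * extensions


if __name__ == "__main__":
    for n in (0, 1, 2):
        print(n, "extension(s):", check_edid(make_sample(n)) or "OK")
```

To check a real dump, read the file as bytes and pass it to `check_edid`.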
Feel free to report any success or issues to