Hacker News
Using HDMI radio interference for high-speed data transfer (windytan.com)
307 points by ingve on Feb 27, 2023 | 25 comments



Haven’t seen a new Oona post in a long time and this, as usual, was worth the wait.

I’d wager that the scrambling introduced in DisplayPort and later digital display protocols is more to do with emissions compliance than it is to prevent eavesdropping. Having dealt with HDMI in a compliance lab a time or two, anything to get the radiated emissions to meet FCC Part 15 Class B is a huge boon.


I wonder if the scrambling can be defeated. If you know the scrambling pattern, presumably you could apply its inverse to the image being sent over the link.


Oh yeah, the scrambling is more to help deal with pixel errors than it is to provide any sort of cryptographic safety.


Not just cryptographic. I wonder if a malicious image could exceed FCC limits or even cause the link to fail.


Back in the day something like this was used with the TRS-80 to transmit sound to a nearby AM radio[0]. Was even used for sound effects in games.

[0]https://www.reddit.com/r/todayilearned/comments/m1fcw/til_th...


On this note, there's a fantastic program (bit of a curiosity item, but fantastic nonetheless) called Tempest for Eliza (http://www.erikyyy.de/tempest/) which will show the appropriate patterns on your screen to produce, as interference in a nearby AM radio, any music you pass to the program - including MP3s in its recent versions.

I used to think it would only work with a CRT, but it actually makes no mention of such a restriction in its latest README, and since I'm at work I'm not able to test it right away.


I'm not an electrical engineer, so hoping one here may be able to provide some info.

How does this work? Specifically:

> Maybe, if we use the strong pulses for synchronisation and plot the amplitude of that noise as a two-dimensional picture, we could see something?

From surface level knowledge, HDMI uses Transition Minimised Differential Signalling (TMDS). A direct plotting of noise from that transmission line should not provide even the low quality greyscale image repro shown. This may just be a titling issue but I'm assuming that based on the info shown the RF source must be the display electronics rather than HDMI line? What am I missing?


> I'm assuming that based on the info shown the RF source must be the display electronics rather than HDMI line?

The author has taken a purely empirical approach and not attempted to model the emissions or localize them to a particular point, so we don't know. You would expect differential signalling to be low loss, but perhaps the termination is bad or the shielding around the connector? Or it could even be being radiated from the power (VCC/GND) of one of the chips on either end.


Unless you’re pushing the limits of the supported screen size, there typically is some idle time in the TMDS links in an HDMI cable. What I’d wager she’s seeing is the transition from idle time back to transmitting on the links.

There’s some kind of sync mechanism in HDMI, too, but I don’t recall what it is. Or possibly data islanding?


I assume that it's not the HDMI output from the Pi that produces this kind of interference but rather the monitor itself.

Though it's entirely possible that the Pi leaks HDMI into the ether. Someone with a Pi4 and an RTL-SDR could easily verify it: pixel clock frequency of a 1024x768 signal is around 50 MHz.


TMDS will reduce the number of crossings, but 10110110 will still have more crossings than 0.

It'll be some pseudo-random mapping, not "greyscale", but it'll still be readable.

Look up the Wikipedia page for 'ECB mode' for a nice illustration.
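
The point made in the comment above can be checked numerically. The following is an added example, not part of the thread or of the linked article: it implements the TMDS video-data encoder as specified in DVI 1.0 and counts line transitions for a constant-colour run of pixels. The function names and the test pixel values are constructed for illustration; control periods, sync tokens and HDMI data islands are not modelled.

```python
# Added example: TMDS 8b/10b video-data encoding (DVI 1.0 algorithm).
# Function names and the constant-colour pixel run are constructed for illustration.

def tmds_encode(d, cnt):
    """Encode one 8-bit value; return (10 bits, LSB first, new running disparity)."""
    bits = [(d >> i) & 1 for i in range(8)]
    ones = sum(bits)
    # Stage 1: transition minimisation (XNOR chain for "busy" bytes, XOR otherwise).
    use_xnor = ones > 4 or (ones == 4 and bits[0] == 0)
    q_m = [bits[0]]
    for i in range(1, 8):
        x = q_m[i - 1] ^ bits[i]
        q_m.append(x ^ 1 if use_xnor else x)
    flag = 0 if use_xnor else 1              # q_m[8]: which chain was used
    n1 = sum(q_m)
    n0 = 8 - n1
    inv = [b ^ 1 for b in q_m]
    # Stage 2: DC balancing, optionally inverting the eight data bits.
    if cnt == 0 or n1 == n0:
        out = (q_m if flag else inv) + [flag, flag ^ 1]
        cnt += (n1 - n0) if flag else (n0 - n1)
    elif (cnt > 0 and n1 > n0) or (cnt < 0 and n0 > n1):
        out = inv + [flag, 1]
        cnt += 2 * flag + (n0 - n1)
    else:
        out = q_m + [flag, 0]
        cnt += -2 * (flag ^ 1) + (n1 - n0)
    return out, cnt

def transitions_per_pixel(value, n_pixels=360):
    """Average number of line transitions per pixel for a constant-colour run."""
    stream, cnt = [], 0
    for _ in range(n_pixels):
        word, cnt = tmds_encode(value, cnt)
        stream.extend(word)
    edges = sum(a != b for a, b in zip(stream, stream[1:]))
    return edges / n_pixels

if __name__ == "__main__":
    for v in (0x00, 0xB6, 0x55, 0xFF):
        print(f"pixel 0x{v:02X}: {transitions_per_pixel(v):.2f} transitions/pixel")
```

The edge rate on the wire stays a function of the pixel value after encoding, which is why shielding, not the line code, is what limits the emission.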


Have linked this on this site before, but if you find this theme of techniques interesting, you might like some of Mordechai Guri’s work as well: https://cyber.bgu.ac.il/advanced-cyber/airgap


This guy is the airgap guru and has been for some years. I wonder which intelligence agencies have hired him.


He teaches at an Israeli university, so that’s a pretty big hint.


I have vague memories back in 1990 of a Superman arcade game in a pub broadcasting the game's image to my black and white TV with an antenna in a different room. Not HDMI but the concept is there.

There's a reason the FCC has RF standards otherwise there would be anarchy...anarchy I say!


Very cool! I knew as soon as I saw the URL this was going to be good. Oona never disappoints.


She certainly doesn't. Always comes up with something unique and interesting.


Is this typical of any HDMI monitor, or might OP have a particularly leaky setup?

It would be nice to see if this setup is FCC compliant. Often devices like this are tested under one set of conditions (e.g. screen resolution), but might be wildly out of compliance when used with a longer cable, with a different screen resolution, near a wooden table (which changes the impedances and can cause something to radiate which otherwise wouldn't).


Hoo boy, this brings back (bad) memories of emissions testing HDMI.

Back in the days when I worked in consumer audio, we were working on a small sound bar that used HDMI for sound transmission via ARC. However, the product folks were worried about compatibility with SPDIF only TVs, so asked us to design a little HDMI to SPDIF dongle to allow this soundbar to work with SPDIF TVs, or HDMI TVs with no ARC support.

Long story short: the compliance test folks were only testing with the SPDIF/ARC dongle. Due to a quirk of this (I think not being able to read an EDID from downstream?), the processor would shut off the HDMI interface. No TMDS, thus little to no emissions.

We all got a nasty surprise when we hooked it up to a monitor and ran it in the test cell again. That was a big scramble to fix.

Funnily enough, it was only at the highest bitrates (which I think was 1080p) that emissions were problematic. All the lower bitrates passed with no difficulty.


I’ve read some related things, which said it's the HDMI cable that radiates, but I understand any component might be.

Two questions:
- How many meters do we need to expect our LCD/IPS monitors to radiate?
- Do we know about any monitor/cables that prevent the worst radiation and what to buy?

P.S. There are also papers that describe how to pick up keyboard strokes using the same method.


Test grade shielded HDMI connectors would probably mitigate this. They’re generally about $50 for 2 meters.

I’d also expect this attack to only work within a few feet of the target system. The author admits that the quality of transmission is pretty heavily affected by antenna and cable orientation. The bigger concern IMO is proximity - if you’re close enough to pull this off, you’re already at “physical access” levels of threat to a secure system.


https://www.lightbluetouchpaper.org/2006/03/09/video-eavesdr...

Rather old one, where 25m was claimed. (Markus Kuhn).

Some like 200m were claimed by anons in random threads (https://www.mikrocontroller.net/topic/319197, in German), but that might have been related to CRT, not sure. They said they pointed antennas towards an office building.

All in all, the topic seems valid but unfortunately the discussions tend to be trolled.

One takeaway from the original link for me was to prefer DisplayPort cable over HDMI/DVI. Yet, if the shielded connectors you have been referring to are easy to find, sounds good as well.

Absolute security is not possible, they say. Yet I wonder, can we have some sort of it at least outside a horizon of let's say 5 meters? Broadcasting the signals a few meters/across the street/100m seems to be quite a difference.


What about the neighbor above/below your apartment? A ceiling of ferroconcrete is a good blocker (or a good multiplier?)

From my apartment, I can see a telecommunication tower, about 1.2 kilometers away. Wondering what it could pick up with enterprise grade antennas if it wanted to. Maybe the other monitors around would disturb the signals?

https://www.usenix.org/legacy/events/sec09/tech/full_papers/...


A telecom tower has orders of magnitude more transmit power than an HDMI cable, by design. It’s also an intentional, rather than unintentional radiator. However, neither of these facts can overcome the fact that radio energy decays with the inverse square of distance, and that the noise local to the receiver on the telecom tower would swamp any fragment of energy radiated by the HDMI cable by the time it got there.


Even after the detailed writeup, I was not expecting the >!SPOILER!< to be transmitting >!SPOILER!<!



