In this day and age, there’s a feeling that hackers lurk around every corner waiting to take advantage of innocent people -- through the internet, your credit card, even your smart home devices. A team of FIU researchers are studying how to prevent individuals and businesses from an unsuspected vulnerability -- HDMI ports.
“In the past, people didn’t know about or pay attention to the security of these devices,” said FIU Professor Selcuk Uluagac, director of the College of Engineering and Computing’s Cyber-Physical Systems Security Lab (CSL). “Anything is on the table when it comes to hacking.”
The CSL studies the intersection of the cybersecurity and privacy fields. Cyber-physical systems involve any computing device that can interact with the physical world – such as an Amazon Echo, a drone, or an Apple Watch. The goal of CSL is to find ways to make the digital infrastructure we use and interact with every day more secure against malicious activities.
The team at the CSL designed a patented solution, called HDMI-Watch, which can track HDMI hacks in real-time. It utilizes advanced machine learning algorithms, where the system learns about the typical HDMI commands that a device receives and transmits and will be able to detect abnormal ones. If the system detects abnormal commands, it will alert the user. This can make consumers aware of the attacks so that they can be stopped or prevented.
HDMI, or “High-Definition Multimedia Interface,” is a piece of common auxiliary equipment that is used to transmit audio and video. When an HDMI cord connects two or more devices – a laptop to a monitor screen, for example – that signal is thereby connected to all other networks. The monitor screen is then connected to a power outlet and to the laptop, which shares a Wi-Fi network with a smart TV, an Amazon Echo, a smartphone, an Xbox, a smart outlet which is controlled by a smartphone, and so on.
“HDMI is everywhere. What we found is that there are some configurations that are very vulnerable,” said Luis Puche, the lead author on the study who is earning a Ph.D. in the security of the Internet of Things in enterprise settings (E-IoT).
The study was published in a major security conference called the Annual Computer Security Applications Conference (ACSAC), as well as in the Institute of Electrical and Electronics Engineers’ Transactions on Network Science and Engineering Journal. Other authors in the study include Uluagac, Leonardo Babun, Kemal Akkaya. “The alarming part is how far the network spreads. When you connect a laptop to a TV, you expect that to be it. But no in some cases, through a single HDMI connection we could reach every device connected through HDMI.”
With any HDMI connection, there is a list of commands that the HDMI-enabled devices can perform. An older TV may only be able to turn on and off and have a small settings menu, but a newer or smart TV connected with Wi-Fi or so many other networks could have a long list of potential commands it could perform, including connecting to the internet and sharing information with other devices, that could make it more vulnerable to attacks.
If a hacker can access an unsecured HDMI-device, they could inject malicious commands to make the device do things it’s not supposed to do, Puche explained. It could bombard the device with repeated code and shut it down, turn it on and off, and more. With this, there are dangers for individuals and businesses.
A potential cyberstalker wanting to know a person’s schedule or routine could access the network to learn when they usually turn their devices on and off.
“Based on the information, you can tell what devices are turned on, so a hacker could infer when someone is home and attack when they are or are not there,” Puche said.
Even businesses and public spaces, such as airports and sports arenas with HDMI ports, are vulnerable to these attacks, Uluagac said. If a hacker could access the HDMI port, they could broadcast threatening images on a screen, tamper with informational displays such as flight schedules, or flash images that could cause epileptic seizures.
Because HDMI transmits audio and visual signals, a determined hacker could also glean that information and invade the privacy of an individual at home or a confidential meeting or conference.
“Anyone who values their privacy, anyone who uses HDMI should be concerned,” Puche said.
The next steps, Uluagac said, are to spread general awareness about HDMI vulnerabilities and for manufacturers to include a system such as HDMI-Watch in all capable devices.