implementation of mitm attack on hdcp-secured links...
TRANSCRIPT
Dece
mber 29
, 2011
28c3
bunnie
Imple
menta
tion o
f M
ITM
Att
ack
on
HDCP-S
ecu
red L
inks
bunnie
/ 2
8c3
Tw
itte
r yo
ur co
mm
ents
@bunnie
studio
sor #2
8c3
Dece
mber 29
, 2011
28c3
bunnie
What
is H
DCP?
•Hig
h D
efinitio
n C
onte
nt Pro
tect
ion
–Pix
el-le
vel e
ncr
yption o
pera
ting
at the li
nk
laye
r
•Cip
her st
ruct
ure
–St
ream
cip
her ca
pab
le o
f ge
nera
ting
24 b
its of
pse
udora
ndom
dat
a per cl
ock
cyc
le•
Tw
o p
aral
lel 8
4-b
it b
lock
funct
ions per ro
und
•LF
SR-b
ased “ke
y sc
hedule
r”th
at w
hitens blo
ck funct
ions at
the
begi
nnin
g of eac
h h
orizo
nta
l lin
e o
f pix
els
•Blo
ck funct
ions in
itia
lized w
ith p
ublic
ly e
xchan
ged 6
4-b
it in
itia
l ve
ctor (A
n) th
at e
volv
es once
during
eac
h v
ert
ical
bla
nki
ng
inte
rval
Dece
mber 29
, 2011
28c3
bunnie
What
is H
DCP?
•Key
man
agem
ent
–Distr
ibute
d p
riva
te k
eys
with sort
of ke
y re
voca
tion
–Public
key
is a
“ke
y se
lect
ion v
ect
or”
(KSV
)•
40 b
its (2
0 z
ero
s an
d 2
0 o
nes)
–Priva
te k
ey
is a
vect
or of 40 5
6-b
it n
um
bers
–All
priva
te k
eys
derive
d fro
m a
mas
ter ke
y co
nsist
ing
of a
40x4
0 m
atrix
of 56
-bit n
um
bers
•M
aste
r ke
y ca
n b
e d
irect
ly c
om
pute
d fro
m a
co
llect
ion o
f 40 u
niq
ue p
riva
te k
eys
–The m
aste
r ke
y w
as reve
aled in
Septe
mber 20
10
Dece
mber 29
, 2011
28c3
bunnie
Why
HDCP?
•En
cryp
t vi
deo tra
nsm
issions
–Com
ple
ments
AACS,
BD+
to c
reat
e stu
dio
-to-s
creen
cryp
togr
aphic
chai
n
•Chain w
as b
roke
n lo
ng
ago: A
ACS w
as the w
eak
est
lin
k–
HDCP m
aste
r ke
y le
ak is
thus la
rgely
a “nop”fr
om
the
conte
nt ac
cess
sta
ndpoin
t
–St
rippers
bas
ed o
n le
gitim
ate H
DCP k
eys
hav
e lo
ng
been
avai
lable
on the m
arke
t; k
ey
revo
cation is
larg
ely
in
eff
ect
ive
Dece
mber 29
, 2011
28c3
bunnie
So W
hy
Imple
ment HDCP M
ITM
?
•It’s a
bout co
ntr
ol
–Bro
adca
sters
and stu
dio
s co
ntr
ol y
our sc
reen
–DM
CA a
nd o
ther le
gal t
rick
s m
ake it
ille
gal f
or yo
u
to m
odify
conte
nt –
on y
our ow
n scr
een
Dece
mber 29
, 2011
28c3
bunnie
So W
hy
Imple
ment HDCP M
ITM
?
•HDCP rest
rict
s th
e im
ple
menta
tion o
f
legi
tim
ate c
onte
nt m
anip
ula
tion
–Pic
ture
in p
ictu
re
–Conte
nt ove
rlay
s
–3r
dpar
ty filt
ering
& im
age m
odific
atio
n
•As a
resu
lt, t
here
are
few
HDM
I vi
deo m
ixin
g
solu
tions th
at c
an o
pera
te o
n
bro
adca
st/m
ovi
e c
onte
nt
Dece
mber 29
, 2011
28c3
bunnie
Goal
•Consu
mer-side c
onte
nt re
mix
ing
–Add w
eb c
onte
nt to
exi
stin
g TV
–Li
ve c
om
ment & c
hat
•“O
ver th
e top”ad
vert
isin
g–
Elim
inat
e a
ds
–O
r re
pla
ce a
ds w
ith tar
gete
d a
ds
•In
tera
ctiv
e T
V–
Add in
tera
ctiv
e e
lem
ents
to b
road
cast
TV
•Com
pat
ibili
ty w
ith a
ny
TV
Dece
mber 29
, 2011
28c3
bunnie
How
Do W
e D
o It?
Dece
mber 29
, 2011
28c3
bunnie
Dece
mber 29
, 2011
28c3
bunnie
A’: In
terc
ept an
d o
verr
ide E
DID
•HDM
I use
s an
I2C
bus (refe
rred to a
s DDC) to
com
munic
ate b
etw
een v
ideo sourc
e &
sin
k
•Bus sh
ared b
etw
een tw
o funct
ions:
–M
onitor ca
pab
ility
identifica
tion
–HDCP k
ey
exc
han
ge
Dece
mber 29
, 2011
28c3
bunnie
Snoop &
squas
h
•Snoopin
g: in
terc
ept ke
y exc
han
ge
•Squas
hin
g: forc
e T
V c
har
acte
rist
ics
–The im
ple
menta
tion c
an’t d
o a
ll HDM
I st
andar
ds
–Rew
rite
the E
DID
reco
rd o
n the fly
to reflect
only
the sta
ndar
ds N
eTV
support
s, e
.g. n
o 3
D, e
tc.
Dece
mber 29
, 2011
28c3
bunnie
I2C snoop &
ove
rrid
e
Dece
mber 29
, 2011
28c3
bunnie
I2C snoop &
ove
rrid
e
Dece
mber 29
, 2011
28c3
bunnie
I2C snoop &
ove
rrid
e
•O
vers
ample
dsq
uas
h c
an m
odify
dat
a on the
fly –Snoop a
ddre
ss, a
nd c
han
ge o
nly
bits th
at n
eed
chan
ging
Dece
mber 29
, 2011
28c3
bunnie
Hot Plu
g O
verr
ide
•Hot plu
g bus has
a FET
on it
to sim
ula
te a
plu
g/unplu
g eve
nt
–Hot plu
g is a
n o
pen-d
rain
bus, so this is
a saf
e a
nd
eas
y th
ing
to d
o
–Use
d to resy
nch
ronize sta
te w
hen n
ece
ssar
y
–Use
d to m
anip
ula
te E
DID
sta
te
Dece
mber 29
, 2011
28c3
bunnie
Dece
mber 29
, 2011
28c3
bunnie
B’, C’, D’: In
terc
ept ke
ys &
syn
c ci
pher
•G
ett
ing
An, A
KSV, B
KSV a
ccom
plis
hed w
ith
I2C snooper lis
tenin
g fo
r sp
eci
fic
addre
sses
•O
nce
key
exc
han
ge is
cap
ture
d, p
riva
te k
ey
vect
or an
d shar
ed secr
et m
ust
be d
erive
d–
Final
byt
e w
rite
of AKSV is
“tr
igge
r”to
sta
rt
auth
entica
tion
–FP
GA fires in
terr
upt to
host
linux
syst
em
–udev
eve
nt st
arts
a h
elp
er pro
gram
that
does th
e
mat
h
Dece
mber 29
, 2011
28c3
bunnie
Com
puting
Priva
te K
eys
•M
odula
r in
ner pro
duct
of m
aste
r ke
y an
d p
ublic
key
vect
ors
–HDCP m
aste
r ke
y K
is 4
0x4
0 m
atrix
of 56
-bit n
um
bers
–AKSV, B
KSV a
re 4
0-b
it n
um
bers
consist
ing
of 20
ones an
d 2
0 zero
s
–APK, B
PK a
re 4
0-e
lem
ent ve
ctors
of 56
-bit n
um
bers
Dece
mber 29
, 2011
28c3
bunnie
Com
puting
Shar
ed S
ecr
et
•M
ultip
ly K
SVsby
priva
te k
eys
to g
et 56
-bit shar
ed
secr
et K
mBKSV ·APK = Km
0APK00
1APK01
. . Km
. 1APK38
0APK39
AKSV ·BPK = Km
1BPK00
0BPK01
. . Km
. 1BPK38
1BPK39
Dece
mber 29
, 2011
28c3
bunnie
Syn
chro
nize C
iphers
•Plu
g An, K
m in
to c
ipher
har
dw
are
•In
it k
ey
schedule
s
•Ev
olv
e c
ipher st
ate
bas
ed o
n:
–Pix
clock
–HSYN
C
–VSYN
C
–Dat
a gu
ardban
dtim
ings
–All
in p
lain
text
Dece
mber 29
, 2011
28c3
bunnie
Pix
el-by-
pix
el s
ynch
ronizat
ion
Swap encrypted pixels for
alternate encrypted pixels
Encrypted video
cipher stream
Decrypted video
XOR
Video cable
Video source
TV
XOR
NeTV UI
video
Tx-synchronized
cipher stream
Video cable
NeTV
Dece
mber 29
, 2011
28c3
bunnie
Syn
chro
nize Fra
me B
uff
ers
•O
verlay
pix
els m
ust
be e
xact
ly tim
ed to v
ideo
pix
els
•O
verlay
com
es fr
om
/dev/
fb0 o
f at
tach
ed li
nux
com
pute
r
•Chal
lenge
s–
linux
inte
rrupt jit
ter is too h
igh (10
’s to 100’s o
f us, i.e.
thousa
nds of pix
els)
–Lo
cal c
ryst
al o
scill
ators
drift
ove
r tim
e (10
0’s o
f pix
els p
er
fram
e)
–Ultim
ately
, ove
rlay
“jit
ters
”an
d “drift
s”w
ithout tigh
t sy
nch
ronizat
ion
Dece
mber 29
, 2011
28c3
bunnie
Syn
chro
nize Fra
me B
uff
ers
•Tech
niq
ue #1: sourc
e g
raphic
s engi
ne p
ixcl
ock
from
video, n
ot lo
cally
Dece
mber 29
, 2011
28c3
bunnie
Syn
chro
nize Fra
me B
uff
ers
•Tech
niq
ue #1: sourc
e g
raphic
s engi
ne p
ixcl
ock
from
video, n
ot lo
cally
•Tech
niq
ue #2:
derive
tim
ing
dyn
amic
ally
fro
m v
ideo
stre
am a
nd set /dev/
fb0 p
ropert
ies to
mat
ch
Dece
mber 29
, 2011
28c3
bunnie
Syn
chro
nize Fra
me B
uff
ers
•Tech
niq
ue #1: sourc
e g
raphic
s engi
ne p
ixcl
ock
from
video, n
ot lo
cally
•Tech
niq
ue #2:
derive
tim
ing
dyn
amic
ally
fro
m v
ideo
stre
am a
nd set /dev/
fb0 p
ropert
ies to
mat
ch
•Tech
niq
ue #3: sta
rt L
CD D
MA b
ased o
n V
SYN
C
star
t fr
om
vid
eo str
eam
Dece
mber 29
, 2011
28c3
bunnie
Syn
chro
nize Fra
me B
uff
ers
•Tech
niq
ue #1: sourc
e g
raphic
s engi
ne p
ixcl
ock
from
video, n
ot lo
cally
•Tech
niq
ue #2:
derive
tim
ing
dyn
amic
ally
fro
m v
ideo
stre
am a
nd set /dev/
fb0 p
ropert
ies to
mat
ch
•Tech
niq
ue #3: sta
rt L
CD D
MA b
ased o
n V
SYN
C
star
t fr
om
vid
eo str
eam
•Tech
niq
ue #4: a
dd a
few
vid
eo li
nes’
ela
stic
FIF
O
buff
ering
to a
bso
rb V
SYN
C in
terrupt jit
ter
Dece
mber 29
, 2011
28c3
bunnie
Chro
ma
Key
•Chro
ma
key
rese
rves a
speci
fic
colo
r an
d
subst
itute
s its va
lue for “t
ransp
arent”
•In
this im
ple
menta
tion, F
0,0
0,F0 (a
shad
e o
f pin
k) is
th
e m
agic
colo
r–
A c
om
par
ator w
ithin
the FPG
A in
spect
s eve
ry p
ixel a
nd
switch
es a
mux
+=
Image c
opyright
©2008,
Ble
nder
Foundation / w
ww
.big
buckbunny.o
rgC
C-B
Y-3
.0
Dece
mber 29
, 2011
28c3
bunnie
TMDS to RGB
Deserialize
RGB to TMDS
Serialize
HDMI Connector
HDMI Connector
Dece
mber 29
, 2011
28c3
bunnie
Optim
izat
ions
•Key
cach
ing
–Ev
ery
vid
eo sourc
e/sink
pai
r has
a c
onst
ant sh
ared secr
et
–K
mis c
ached a
fter firs
t co
mputa
tion to im
pro
ve sys
tem
ro
bust
ness
•ED
ID c
achin
g–
More
import
ant beca
use
without ED
ID c
achin
g, u
sers
will
se
e a
double
-blin
k of th
e scr
een
•Firs
t blin
k is to m
eas
ure
the T
V’s c
apab
ilities
•Then w
e c
om
pute
the in
ters
ect
ion o
f th
e T
V c
apab
ilities an
d
NeTV
capab
ilities
•Seco
nd b
link
is to o
verr
ide the c
apab
ilities w
e d
on’t support
Dece
mber 29
, 2011
28c3
bunnie
The B
igge
r Sys
tem
Pic
ture
HDMI Connector
HDMI Connector
Dece
mber 29
, 2011
28c3
bunnie
A C
om
ple
te O
pen S
tack
PC
B
Pla
stics
FP
GA
(verilo
g)
U-b
oot
Lin
ux
An
gstr
om
dis
tro
(ap
ps/t
ools
)
Webkit
HT
ML/javascrip
tw
idge
ts (
gith
ub)
OpenEmbedded/
buildbotP
rovis
ionin
g &
up
da
te s
erv
er
(EC
2)
Dece
mber 29
, 2011
28c3
bunnie
Applic
atio
n E
nvi
ronm
ent
•TV o
verlay
apps ar
e w
eb p
ages
–CSS c
onfigu
red to p
ut “m
agic
pin
k”as
bac
kgro
und
–Apps ar
e ja
vasc
ript/
HTM
L pro
gram
s
–But yo
u c
an e
xtend to a
ny in
fras
truct
ure
that
can
write
to
/dev/
fb0 (SDL, Fla
sh, e
tc.)
•O
ur dem
o a
pps ar
e o
pen sourc
e a
nd sto
red in
a g
ithub
repo
–Updat
ing
apps co
nsist
s of doin
g a
gitpull
on the c
lient
–Configu
red to p
ull
eve
ry reboot
•Firm
war
e u
pdat
es se
rved fro
m E
C2
infr
astr
uct
ure
–Public
AM
I pro
vided so y
ou c
an m
ake y
our ow
n
–M
ore
on this la
ter
Dece
mber 29
, 2011
28c3
bunnie
HTTP A
PI
•Zero
confso
lution for netw
ork
ed in
tera
ctio
n w
ith T
V–
API pro
vides m
eth
od to send e
vents
to N
eTV
•So, a
sm
artp
hone
can:
–Disco
ver N
eTV
with B
onjo
ur
–Send e
vents
(su
ch a
s SM
S) to
the N
eTV
using
HTTP G
ET
–N
eTV
renders
these
eve
nts
on y
our TV
•Also p
rovi
des a
meth
od for file
uplo
ad to e
nab
le p
hoto
shar
ing
to the T
V
–Fa
st, e
asy
inte
grat
ion in
to “sm
arth
om
e”envi
ronm
ent
–Ex
ample
cal
l: htt
p:/
/10
.0.8
8.1/
bridge
?cm
d=t
icke
reve
nt&
mess
age=H
ello
%W
orld&
title=H
ello
%20
World
–Ea
ch A
PI ca
ll ca
n b
e rest
rict
ed to ju
st lo
calh
ost
for se
curity
Dece
mber 29
, 2011
28c3
bunnie
Turn
key
Build
Sys
tem
•Public
Am
azon E
C2
inst
ance
with p
re-b
uilt
Angs
trom
distr
ibution
–Sav
es hours
of eff
ort
dow
nlo
adin
g & b
uild
ing
sourc
es
–In
stan
ce c
om
es co
nfigu
red w
ith lo
cal g
itre
po
and
build
botto
man
age b
uild
s
–Built
imag
es co
nfigu
red to fetc
h u
pdat
es fr
om
your ow
n in
stan
ce
Dece
mber 29
, 2011
28c3
bunnie
Launch
ing
an E
C2
AM
I
Dece
mber 29
, 2011
28c3
bunnie
Loca
l cgi
tre
po
Dece
mber 29
, 2011
28c3
bunnie
Auto
-build
trigg
ers
bas
ed o
n c
om
mits
Dece
mber 29
, 2011
28c3
bunnie
Distr
ibute
Fin
ished B
uild
s
•Im
age o
nce
, auto
-updat
e fore
ver
Dece
mber 29
, 2011
28c3
bunnie
Har
dw
are is
Open
Dece
mber 29
, 2011
28c3
bunnie
Pla
stic
s ar
e O
pen
Dece
mber 29
, 2011
28c3
bunnie
Pr0
n
Dece
mber 29
, 2011
28c3
bunnie
Sch
em
atic
s
Dece
mber 29
, 2011
28c3
bunnie
And P
CB L
ayout
Dece
mber 29
, 2011
28c3
bunnie
A C
om
ple
te O
pen S
olu
tion to H
DCP M
ITM
•Har
dw
are
–Sch
em
atic
s, P
CB, indust
rial
design
, FPG
A
•Soft
war
e–
Com
ple
te, t
urn
-key
cloud-b
ased b
uild
envi
ronm
ent
•Hal
f an
hour fr
om
sta
rt to p
roduct
ion-g
rade
deplo
yment
•Ava
ilable
at ad
afru
it.com
(htt
p:/
/w
ww
.adaf
ruit.com
/pro
duct
s/609)
Dece
mber 29
, 2011
28c3
bunnie
Reca
p: H
DCP M
ITM
Im
ple
menta
tion
•Com
ple
te H
DCP M
ITM
solu
tion d
em
onst
rate
d–
Inte
rcept ke
y exc
han
ge o
n the fly
–Derive
shar
ed secr
ets
& syn
chro
nize T
xci
phers
–M
ultip
lex
ove
rlay
vid
eo u
sing
chro
ma
key
–Avo
ids decr
ypting
dat
a, there
fore
DM
CA-s
afe
–M
odifie
s ED
ID reco
rds to
forc
e c
om
pat
ibili
ty
•En
able
s vi
deo c
om
positing
funct
ional
ity
–En
able
s unco
nnect
ed le
gacy
TVs to
now
hav
e c
onnect
ed T
V
capab
ilities
–En
able
s you to m
odify y
our vi
deo c
onte
nt (sto
p/m
odify a
ds,
show
live
inte
rnet co
mm
enta
ry, e
tc.)
•A c
om
ple
tely
open h
ardw
are/so
ftw
are sta
ck
Dece
mber 29
, 2011
28c3
bunnie
Non-Infr
ingi
ng
Use
of HDCP M
aste
r Key!
•Em
bodim
ent of a
bona-
fide, n
on-infr
ingi
ng
and
com
merc
ially
use
ful a
pplic
atio
n o
f th
e H
DCP
mas
ter ke
y
•Blu
rs the a
ssoci
atio
n o
f th
e H
DCP m
aste
r ke
y w
ith
pirac
y–
Prior to
this e
xplo
it, t
he o
nly
applic
atio
n o
f th
e H
DCP
mas
ter ke
y w
as to c
ircu
mve
nt th
e e
ncr
yption o
n
copyr
ighte
d d
ata
–N
ow
, there
is a
non-c
ircu
mve
nting
applic
atio
n for th
e
HDCP m
aste
r ke
y
Dece
mber 29
, 2011
28c3
bunnie
Q&A