This application claims the benefit of priority of Israeli Patent Application No. 265789 filed Apr. 2, 2019, the contents of which are incorporated herein by reference in their entirety.
The present invention relates generally to secured video data streaming in computer systems.
In computer and audio-visual systems, one or more display devices (devices receiving video or audio data, such as display monitors) may receive a video signal from a video source (such as a personal computer). In some cases, the signal may be provided remotely, over extended distances.
A security issue may arise out of this arrangement, because the display monitors can be infected with malicious code planted by a hostile entity, which may then reach the video source by sending data back to the video source through a bidirectional connecting cable. In some cases, enforcing a unidirectional signal transmission may block the transmission back of malicious data. However, enforcing complete unidirectional signal transmission may affect the ability of the video source to correctly learn required information about the capabilities and settings of a display monitor, so as to be able to provide video signal in the correct format.
The foregoing examples of the related art and limitations related therewith are intended to be illustrative and not exclusive. Other limitations of the related art will become apparent to those of skill in the art upon a reading of the specification and a study of the figures.
The following embodiments and aspects thereof are described and illustrated in conjunction with systems, tools and methods which are meant to be exemplary and illustrative, not limiting in scope.
There is provided, in an embodiment, a device comprising at least two interfaces for interconnecting between a video source and a video display, wherein each of said interfaces comprises at least a video data channel and a display settings channel; and unidirectional circuitry; wherein said unidirectional circuitry is configured to allow transmission over said video data channel only from said video source to said video display, and wherein said device is configured to (i) receive, over said display settings channel, display settings data from said video display, and (ii) transmit, over said display settings channel, said display settings data to said video source.
There is also provided, in an embodiment, a method comprising: providing a device comprising at least two interfaces for interconnecting between a video source and a video display, wherein each of said interfaces comprises at least a video data channel and a display settings channel, and unidirectional circuitry configured to allow transmission over said video data channel only from said video source to said video display; receiving, by said device, over said display settings channel, display settings data from said video display; and transmitting, by said device, over said display settings channel, said display settings data to said video source.
In some embodiments, said device further comprises a switching unit configured to (i) connect only to said display settings channel of said video display during said receiving; and (ii) connect only to said display settings channel of said video source during said transmitting. In some embodiments, said method further comprises operating said switching unit to (i) connect only to said display settings channel of said video display during said receiving; and (ii) connect only to said display settings channel of said video source during said transmitting.
In some embodiments, said device further comprises a non-transitory computer-readable storage medium configured to store said display settings data. In some embodiments, said method further comprises storing said display settings data in said non-transitory computer-readable storage medium.
In some embodiments, said storage is write-protected during at least said transmitting. In some embodiments, said interfaces are selected from the group consisting of: ITU-R BT.656, VGA, DVI, HDMI, DisplayPort, and LCD interface.
In some embodiments, said unidirectional circuitry comprises a Transmitter Optical Sub-Assembly (TOSA) and a Receiver Optical Sub-Assembly (ROSA).
In addition to the exemplary aspects and embodiments described above, further aspects and embodiments will become apparent by reference to the figures and by study of the following detailed description.
Exemplary embodiments are illustrated in referenced figures. Dimensions of components and features shown in the figures are generally chosen for convenience and clarity of presentation and are not necessarily shown to scale. The figures are listed below.
Disclosed are a device and a method for secure selective transmission of video data from a video source, such as a display controller, to at least one display device, such as a computer monitor, video projector, or digital television.
In a typical video data connection, a connecting cable (e.g., S-Video, component video, VGA, DVI, HDMI, DisplayPort, etc.) between a video source and display device provides for the bi-directional transmission of data. Thus, video data may be transmitted to the display, while other data, such as settings information, may be transmitted back to the video source from the display. Such an arrangement is shown in
However, allowing bi-directional data transmission between a video source and a display presents a security risk. For example, malicious code planted in the display can be transmitted back to the video source and infect it, and potentially other devices in a network to which it is connected.
It is possible to enforce complete unidirectionality of data transmission (i.e., only allowing transmission of video data from video source to display) and/or to disconnect some of the lines transmitting information back to the video source. However, although this may be advantageous from a security perspective, it may cause severe operational problems with modern computers and software. Modern computer operating systems and display card drivers may fall back to default display resolution settings if no display EDID is detected. In some cases, computers may not generate video signals at all.
In some embodiments, the present device enables video processing equipment to be inserted between a video source and a display while still enabling the source to transmit the correct video format. In one embodiment, the video processing equipment is connected between a video source and a display, and reads the entire EDID from the display. The pertinent information from the display's EDID is then presented as the device's EDID, thus emulating the display. In other embodiments, the device allows a signal generating device in one location to be provided with an emulated EDID over a network to make it “think” that it is communicating directly with a display that is located at a remote location, when in fact it is communicating with other hardware that is interposed between the source and the display. This allows the video source to match the requirements of the display.
Accordingly, in some embodiments, the present device provides for enforcing unidirectional data transmission from the video source to the display devices only, while preventing data transmission in the opposite direction, e.g., when the video source reads information from the display. In some embodiments, the present device further provides for the communication of correct capabilities and settings information regarding the display device to the video source, while blocking the passing of other data.
In some embodiments, such unidirectional data communication allows the communication to flow in one direction only, by applying a physical layer which blocks the communication signals from flowing in the opposite direction.
In other implementations of the current invention, the unidirectional flow enforcing circuitry also provides galvanic isolation between the input and the output sections of the device.
In some embodiments, the present device operates first in a read mode in which a storage unit in the device is configured to read and store the EDID from the display, while disconnecting at least some of the lines transmitting information back to the video source. In some embodiments, the present device may then operate in a write mode, in which the EDID information is written to a storage device that is connected to the video source, while disconnecting the DDC line to the display and connecting the source DDC lines to the storage device. Accordingly, at no time are there any bi-directional data connections between the video source and the display.
In some embodiments, the present device is configured to provide pre-stored EDID information for various signal resolutions. In some embodiments, the pre-stored settings are selected automatically and/or based on user selection.
In some embodiments, there is only pre-stored EDID information and no reading of the display EDID; in some such embodiments, the display DDC lines are not connected at all.
In some embodiments, the video source is a computer system and the display devices are one or more display monitors. However, other video sources and display devices may be used in conjunction with the present invention. In some embodiments, the video transmission is conducted over extended distances.
In some embodiments, the capabilities and settings of the display device are passed to the video source using the Display Data Channel (DDC) protocol defined by the Video Electronics Standards Association (VESA). In some embodiments, the capabilities and settings data are in the Extended Display Identification Data (EDID) format defined by VESA. In some embodiments, other data format may be used, such as, but not limited to, E-EDID and Display ID.
EDID contains information about a display's manufacturer, screen size, native resolution, color characteristics, frequency range limits and more. Once the video source receives this information, it can generate video with the characteristics that match the needs of the display. EDID is often used with a computer graphics card as the source device. Additionally, HDTV receivers, DVD and Blu-ray players, LCD displays and digital TVs can read EDID and output the required video format. EDID information packets may contain information which identifies the display manufacturer and product, the EDID version, display parameters and features (e.g., whether the display accepts analog or digital inputs, sync types, maximum horizontal and vertical size of the display, gamma transfer characteristics, power management capabilities, color space, and default video timing), the RGB color space conversion technique to be used by the display, and the VESA-established video resolutions and timings that are supported by the display.
In some embodiments, the present device enables the transmission of video data over extended distances.
In some embodiments, the present device acts as a connection intermediary between one or more video sources and one or more displays.
(i) provide for transmitting video data from video source 110 to display 120;
(ii) prevent data transmission from display 120 to video source 110; and
(iii) enable proper transmission of EDID information back to the video source.
Storage medium 106 may further have encoded thereon software instructions or components configured to operate a processing unit (also “hardware processor,” “CPU,” or simply “processor”), such as control unit 102. In some embodiments, the software components may include an operating system, including various software components and/or drivers for controlling and managing general system tasks (e.g., memory management, storage device control, power management, etc.), and facilitating communication between various hardware and software components. In some embodiments, the program instructions are segmented into one or more software modules.
In some embodiments, switching unit 104 may be configured to alternately connect only to the display side (e.g., when switched to point A), or only to the video source side (e.g., when switched to point B), while simultaneously disconnecting the opposite side, so as to ensure that no DDC channel is connected between the video source and the display at any time.
In some embodiments, disconnecting from one of the display side and/or the video source side may comprise disconnecting, e.g., device 100 as a whole. In some embodiments, such disconnecting may comprise only internally disconnecting and/or isolating storage device 106 and/or one or more additional or other internal components and/or modules of device 100.
In some embodiments, unidirectional circuit 108 allows for the data communication to flow in one direction only, by using a physical layer which blocks the communication signals from flowing in the opposite direction.
In some embodiments, the video streaming may involve connecting an RGB (e.g., 15-pin D-subminiature), HDMI, DVI, or DisplayPort cable from the video source to device 100, and from device 100 to the display. In some embodiments, device 100 reads the EDID from the display by, e.g., connecting to the I2C/DDC lines of the RGB/HDMI/DVI/DisplayPort cable and initiating an I2C/DDC read of the EDID in the display.
In some embodiments, the pertinent information from the display's EDID is then written to the storage device and presented to the video source. In some embodiments, the EDID is presented as the EDID of device 100, thus emulating the display. In this step, hardware of device 100 can write the data that was read from the display's EDID to the appropriate video input port where the video source's VGA, HDMI, DVI, or DisplayPort cable is connected. Consequently, any future EDID reads by the source over the VGA, HDMI, DVI, or DisplayPort cable will be read by the video source as if device 100 were the display. Thus, the video source or signal-generating device receives an emulated EDID that makes it “think” that it is communicating directly with the display. This allows the video source to continuously match the requirements of the display.
In some embodiments, the EDID data is manipulated before being written to the storage device.
In some embodiments, the emulated EDID is pre-stored in the storage device (default EDID data), and in some embodiments it is permanent and never changes.
In some embodiments, the video data transmission may comprise an HDMI connection designed to transmit the video stream to display 120, wherein the HDMI signals use Transition-Minimized Differential Signaling (TMDS).
The functional steps in using device 100 will now be described with reference to the flowchart in
At a step 400, device 100 may be connected to video source 110 and to display 120 using, e.g., HDMI cables.
With reference to
In some embodiments, device 100 may be configured to transmit at least some of the pins of the HDMI connections through unidirectional circuit 108. For example, device 100 may be configured to transmit pins 1-12 and 17-19, which carry video data, through unidirectional circuit 108.
In some embodiments, device 100 may be configured to route EDID pins 15-16 through a switching process which shall be described in more detail below.
At a step 402, switching unit 104 may be set to connect to point A, e.g., to (i) connect to the DDC channel in HDMI connection 320 on the display side, and (ii) disconnect from the DDC channel in connection 310, as shown in
At a following step 404, storage unit 106 may be configured to receive and store the EDID settings table from display 120. The EDID settings table received by device 100 may be a parameter array comprising the parameters required to define the display type and functionalities. In some cases, device 100 may be configured to receive the display parameters of the EDID settings table via the DDC pins of HDMI connection 320, and transmit these parameters to storage unit 106 to be stored. In some other cases, only a narrow portion of the parameters of the EDID settings table may be transmitted and eventually stored in storage unit 106.
In some cases, the EDID settings table may be compliant with the EDID technical standards as defined by VESA. In some other cases, the EDID settings table may be narrowed or differ from the EDID technical standards as defined by VESA. For example, the EDID settings table may be narrowed from the 128-byte standard table. In some cases, the EDID settings table may comprise an extension to the basic 128-byte standard table. For example, the EDID settings table may comprise additional 128-byte blocks of data to describe increased capabilities. In some embodiments of the present invention, the parameters of the EDID settings table may be received via the DDC pins of HDMI connection 320, which may be connected to the display.
At a step 406, switching unit 104 may be set to connect to point B, e.g., to (i) connect to the DDC channel in connection 310, and (ii) disconnect from the DDC channel in HDMI connection 320 on the display side, as shown in
At a step 408, video source 110 may be configured to connect to storage unit 106 via, e.g., switching unit 104, to read the EDID settings table, as shown in
At a step 410, video source 110 may begin to transmit the video stream accordingly, via unidirectional circuit 108. In some embodiments, unidirectional circuit 108 comprises, e.g., a TOSA-ROSA (Transmitter Optical Sub-Assembly/Receiver Optical Sub-Assembly) for converting electrical signals to optical signals conveyed into an optical fiber. Thus, using optical fiber provides unidirectional communication at the physical layer, which allows communication signals to pass in one direction and blocks communication from passing in the opposite direction. In other embodiments, other types of unidirectional circuits may be used, e.g., a unidirectional buffer.
In some embodiments, switching unit 104 may be configured to be controlled by a user through, e.g., a manual switch. Such manual control may be used to manually read the EDID settings table from display 120 into storage unit 106. For example, the user may have a manual button or switch which can be used to connect switching unit 104 to connection 320, first to read the EDID settings table and write it to the storage device, and then to disconnect from connection 320 and connect to connection 310, so that video source 110 can read the EDID settings table. In some cases, said manual button or switch may be configured such that upon pressing the button or switch, switching unit 104 connects to connection 320, and upon releasing the button or switch, switching unit 104 disconnects from connection 320 and connects to connection 310. In some embodiments of the present invention, an automatic mechanism may be employed in order to operate switching unit 104.
In some embodiments, switching unit 104 may be user-controlled and/or operated, such that the switching from point A to B in
In some embodiments, control unit 102 can manipulate and configure the EDID settings table according to some predefined rules. For example, control unit 102 may remove specific EDID variables from the original EDID settings table in order to meet the security requirements defined by a user.
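The EDID settings table that storage unit 106 captures at step 404, and that control unit 102 may narrow under predefined rules before the source reads it, is a 128-byte block with a checksum and optional 128-byte extension blocks. The following Python is an added example, not code from the patent, showing how such a rule-based sanitizer could validate the base block, strip identifying fields while keeping the timing and range-limit descriptors the source needs, drop the extension blocks, and recompute the checksum; the sample EDID, the fictitious maker code 'ABC' and the rule set are constructed assumptions.

```python
from dataclasses import dataclass

# Layout per the VESA E-EDID 1.4 base block; the sample EDID below is constructed.
EDID_HEADER = bytes([0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00])
BLOCK = 128
# Display-descriptor tags: byte 3 of an 18-byte descriptor whose first three bytes are zero
TAG_SERIAL, TAG_TEXT, TAG_RANGE, TAG_NAME, TAG_DUMMY = 0xFF, 0xFE, 0xFD, 0xFC, 0x10
STRIP_TAGS = {TAG_SERIAL, TAG_TEXT}  # identifying text, not capability data (assumed rule)

def checksum_ok(block: bytes) -> bool:
    """Each 128-byte EDID block sums to 0 mod 256; byte 127 is the checksum."""
    return len(block) == BLOCK and sum(block) % 256 == 0

def fix_checksum(block: bytearray) -> bytearray:
    block[127] = (-sum(block[:127])) % 256
    return block

def manufacturer_id(base: bytes) -> str:
    """Bytes 8-9 pack three 5-bit letters (A=1), big-endian."""
    word = (base[8] << 8) | base[9]
    return "".join(chr(64 + ((word >> s) & 0x1F)) for s in (10, 5, 0))

@dataclass
class EdidInfo:
    manufacturer: str
    product_code: int
    serial: int
    extensions: int
    descriptor_tags: list  # None marks a detailed timing descriptor

def parse(edid: bytes) -> EdidInfo:
    """Validate the base block and extract the fields the sanitizer acts on."""
    base = edid[:BLOCK]
    if base[:8] != EDID_HEADER:
        raise ValueError("bad EDID header")
    if not checksum_ok(base):
        raise ValueError("bad base block checksum")
    tags = [base[o + 3] if base[o:o + 3] == b"\x00\x00\x00" else None
            for o in range(54, 126, 18)]
    return EdidInfo(manufacturer_id(base), base[10] | (base[11] << 8),
                    int.from_bytes(base[12:16], "little"), base[126], tags)

def sanitize(edid: bytes) -> bytes:
    """Rule set: refuse malformed input, zero the serial number, blank identifying
    text descriptors, drop every extension block and recompute the checksum.
    Timing, range-limit and name descriptors survive so the source still learns
    the display's real capabilities."""
    parse(edid)
    base = bytearray(edid[:BLOCK])
    base[12:16] = bytes(4)
    for o in range(54, 126, 18):
        if base[o:o + 3] == b"\x00\x00\x00" and base[o + 3] in STRIP_TAGS:
            base[o:o + 18] = bytes([0, 0, 0, TAG_DUMMY]) + bytes(14)
    base[126] = 0  # only the narrowed 128-byte base block is emulated to the source
    return bytes(fix_checksum(base))

def build_sample_edid() -> bytes:
    """Constructed EDID: fictitious maker 'ABC', one 1080p60 timing, serial string,
    range limits and monitor name, followed by one extension block."""
    base = bytearray(BLOCK)
    base[0:8] = EDID_HEADER
    base[8:10] = (0x0443).to_bytes(2, "big")          # 'ABC'
    base[10:12] = (0x1234).to_bytes(2, "little")      # product code
    base[12:16] = (0xDEADBEEF).to_bytes(4, "little")  # serial number
    base[16:20] = bytes([10, 29, 1, 4])               # week, year-1990, EDID 1.4
    base[20:25] = bytes([0x80, 60, 34, 120, 0x0A])    # digital input, 60x34 cm, gamma 2.2
    base[38:54] = bytes([0x01, 0x01] * 8)             # no standard timings
    base[54:72] = bytes([0x02, 0x3A, 0x80, 0x18, 0x71, 0x38, 0x2D, 0x40, 0x58, 0x2C,
                         0x45, 0x00, 0x50, 0x54, 0x21, 0x00, 0x00, 0x1E])  # 1920x1080p60
    base[72:90] = bytes([0, 0, 0, TAG_SERIAL, 0]) + b"SN12345678\n  "
    base[90:108] = bytes([0, 0, 0, TAG_RANGE, 0, 48, 75, 30, 83, 15, 1, 0x0A]) + b" " * 6
    base[108:126] = bytes([0, 0, 0, TAG_NAME, 0]) + b"Example Mon\n "
    base[126] = 1
    ext = bytearray(BLOCK)
    ext[0:4] = bytes([0x02, 0x03, 0x04, 0x00])        # minimal CEA-861 extension block
    return bytes(fix_checksum(base)) + bytes(fix_checksum(ext))
```

A rejected checksum or header means the table read at step 404 was corrupted or tampered with, and nothing from it should be stored or emulated.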
In some embodiments, after the EDID settings table has been received by the video source, switching unit 104 may be configured to remain disconnected from the display, e.g., the DDC channels in connection 320.
In some other cases, a user may be required to manually initialize the connection/disconnection of the DDC channels. In some embodiments, the disconnecting of the DDC channels creates a physical block which prevents the DDC channel from transmitting any data between the display side 120 and the video source side 110.
In some embodiments, the hardware associated with the embodiments outlined above can be physically arranged in many different ways. For example, device 100 can be physically located in the same location as the video source, or it can be separated from it by some distance. Likewise, the display can be located in the same location, or it can be separated.
In some embodiments, more than one device 100 may be interconnected through a computer network, for example, in remote video conference systems, where the video source is a camera associated with a first video conference room, and the display is associated with a second video conference room and displays the images taken by the camera. An inverse system can also be provided with a camera in the second video conference room that acts as a source for a display in the first video conference room. This allows participants in each room to see and hear each other in real time. It is to be appreciated that the first and second video conference rooms can be relatively near to each other or very far away.
Additional embodiments of device 100 can be configured to allow user control or input of EDID information. For example, a user interface can be associated with device 100. The user interface can include a data entry device (e.g. a keyboard) and a feedback device (e.g. a display screen) to assist the user in entering data. Such a user interface can allow direct input of data that affects the operation of device 100. This configuration allows a user to manually create an EDID and store it in the video processor, or to edit or manipulate EDID information that resides in the video processor. This new EDID can then be presented to the video source so that the video source will output video according to this new EDID. This can be useful for adjusting an EDID or for video testing.
In some embodiments, EDID information may be accumulated and stored in device 100. For example, all previous EDIDs could be stored in device 100 (e.g., on storage unit 106) and then be selected to be presented as the device 100 EDID to the video source. This way the video processing hardware does not have to currently be connected to an EDID (directly or over the network) in order to present that EDID to the video source. This can allow for greater flexibility in hardware configurations.
While the disclosure has been described with reference to exemplary embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings without departing from the essential scope thereof. Therefore, it is intended that the disclosed subject matter not be limited to the particular embodiment disclosed as the best mode contemplated for carrying out this invention, but only by the claims that follow.
Number | Date | Country | Kind |
---|---|---|---|
265789 | Apr 2019 | IL | national |
Number | Date | Country |
---|---|---|
20200322568 A1 | Oct 2020 | US |