World-first NCSC-engineered device secures vulnerable display links
The UK's National Cyber Security Centre (NCSC) has developed SilentGlass, a commercially available plug-and-play hardware device designed to secure HDMI and DisplayPort connections against malicious exploitation. Manufactured by Goldilock Labs, the device treats physical display interfaces as security boundaries to prevent unauthorized network access and espionage.
Source:
NCSC
Key Takeaways
- The NCSC has engineered 'SilentGlass', a plug-and-play hardware device to secure HDMI and DisplayPort connections.
- The device actively blocks unexpected or malicious connections between monitors and laptops.
- Monitors are identified as highly attractive targets for threat actors to gain network access for espionage, disruption, or financial gain.
- SilentGlass is manufactured by Goldilock Labs in partnership with Sony UK and is now commercially available globally.
- The product represents a shift toward treating physical hardware interfaces as security boundaries.
Affected Systems
- HDMI connections
- DisplayPort connections
- Monitors
- Display screens
Attack Chain
Threat actors can potentially exploit vulnerable hardware interfaces, specifically HDMI and DisplayPort connections on monitors, to gain unauthorized access to networks. Once physical or logical access is achieved through these display links, attackers may conduct espionage, cause disruption, or pursue financial gain. The SilentGlass device disrupts this chain by enforcing security boundaries at the hardware interface level before malicious signals reach complex software.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No detection rules or queries are provided in the article.
Detection Engineering Assessment
EDR Visibility: None — Standard EDR solutions lack visibility into raw hardware-level signals on HDMI or DisplayPort interfaces before they interact with the operating system. Network Visibility: None — This threat involves local physical hardware interface exploitation rather than standard network traffic. Detection Difficulty: Very Hard — Malicious activity over display cables is extremely difficult to detect using standard software-based monitoring tools, requiring specialized hardware intervention.
Required Log Sources
- Hardware/Device events
- Plug and Play (PnP) logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unexpected device enumeration or driver installation events associated with display ports that may indicate a malicious hardware addition. | Windows System Event Logs (Plug and Play events) | Initial Access | High |
Control Gaps
- Hardware interface monitoring
- Physical port security for displays
Recommendations
Immediate Mitigation
- Evaluate the risk of physical access to display interfaces in high-security and high-threat environments.
Infrastructure Hardening
- Deploy hardware security devices like SilentGlass to protect vulnerable HDMI and DisplayPort connections.
- Treat physical connectivity ports as untrusted security boundaries rather than assumed trust zones.
User Protection
- Restrict unauthorized physical access to monitors and display cables in sensitive areas.
Security Awareness
- Educate staff on the risks of plugging untrusted devices or cables into corporate hardware, including display links.
MITRE ATT&CK Mapping
- T1200 - Hardware Additions
- T1091 - Replication Through Removable Media