Full Report
Orgs can now buy UK cyber agency engineered commercial gadget, but details are slim
GCHQ's cyber arm has entered the hardware game with its first device designed to prevent cyberattacks on display devices.…
Analysis Summary
# Tool/Technique: SilentGlass
## Overview
SilentGlass is a hardware security device designed to mitigate cyberattacks that target display interfaces. Engineered by the UK’s National Cyber Security Centre (NCSC) and produced by Goldilock Labs, it sits in-line as a physical security barrier on HDMI and DisplayPort connections. Its primary purpose is to identify and block malicious traffic on the auxiliary data channels that run alongside the video signal between a computer and a display, preventing exploits that could manipulate or intercept what is shown on screen.
## Technical Details
- **Type:** Hardware Security Tool / Data Diode-lite
- **Platform:** Hardware-agnostic (protects systems using HDMI or DisplayPort 1.2/1.4)
- **Capabilities:** Hardware-level traffic filtering, malicious data channel identification, threat-agnostic signal blocking.
- **First Seen:** Publicly announced April 2026 (Deployed in UK government estates for several years prior).
## MITRE ATT&CK Mapping
- **[TA0009 - Collection]**
  - **[T1123 - Audio Capture]** (HDMI carries audio alongside video, so interception of the link exposes both)
  - **[T1125 - Video Capture]** (prevention of unauthorized display interception)
- **[TA0011 - Command and Control]**
  - **[T1095 - Non-Application Layer Protocol]** (abuse of HDMI/CEC as a covert command channel)
- **[TA0040 - Impact]**
  - **[T1491 - Defacement]** (manipulation of what the monitor displays)
## Functionality
### Core Capabilities
- **Traffic Interdiction:** Identifies and blocks malicious traffic within the display data channels, as distinct from the video stream itself.
- **Signal Integrity:** Prevents the transfer of "nastiness" (the report's word) between host and monitor, stopping display manipulation.
- **Protocol Filtering:** Inspects and secures side-band protocols such as EDID (Extended Display Identification Data, the monitor description the host reads over the DDC/I2C channel) and CEC (Consumer Electronics Control, the shared control bus on HDMI).
### Advanced Features
- **Side-Channel Mitigation:** Addresses technical risks such as "Deep-TEMPEST," where the electromagnetic emissions of display cables are captured and used to reconstruct on-screen content; the published material does not say how the device does this.
- **Hardware-Enforced Boundaries:** Shifts security from complex software parsers to a hardened hardware interface.
- **Threat Agnostic:** Designed to block generic malicious patterns without requiring specific malware signatures.
## Indicators of Compromise
*Note: As a hardware protection device, SilentGlass has no traditional software IoCs (hashes, registry keys). The relevant indicators are behavioral and live on the link itself:*
- **Behavioral Indicators:**
  - Anomalous traffic on the HDMI/DisplayPort auxiliary channels (DDC/I2C, CEC, the DisplayPort AUX channel) rather than in the pixel stream.
  - Malformed or unexpected EDID blocks and CEC commands presented to the host's parsers.
  - Attempts to use the HDMI Ethernet Channel (HEC) for unauthorized network access.
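The control-channel indicators above are easiest to reason about as an allowlist policy over CEC frames. The following is an added example, not SilentGlass code or anything published by the NCSC or Goldilock; it models in software what an in-line filter on the HDMI control channel could enforce. The opcode names follow the CEC specification, but the allowlist, the host logical address (4, "Playback Device 1") and the sample frames are this example's own assumptions.

```python
"""CEC control-frame allowlist filter.

Added example, not SilentGlass code: a software model of the policy an in-line
filter on the HDMI control channel could apply. The frames at the bottom are
constructed for the demo, not captured from a bus.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Opcode names follow the HDMI CEC specification. Which of them to allow is
# this example's own policy choice, not something the page specifies.
CEC_OPCODES = {
    0x04: "Image View On", 0x0D: "Text View On", 0x36: "Standby",
    0x44: "User Control Pressed", 0x45: "User Control Released",
    0x46: "Give OSD Name", 0x47: "Set OSD Name", 0x64: "Set OSD String",
    0x82: "Active Source", 0x83: "Give Physical Address",
    0x84: "Report Physical Address", 0x85: "Request Active Source",
    0x89: "Vendor Command", 0x8F: "Give Device Power Status",
    0x90: "Report Power Status", 0x9D: "Inactive Source",
    0xA0: "Vendor Command With ID",
}
# Discovery and power-state messages only; keypress injection, OSD text and
# vendor-specific commands stay blocked.
ALLOWED_OPCODES = {0x04, 0x0D, 0x36, 0x82, 0x83, 0x84, 0x85, 0x8F, 0x90, 0x9D}
BROADCAST = 0xF
MAX_FRAME_LEN = 16          # header + opcode + up to 14 operand bytes
HOST_ADDRESS = 4            # assumed: host registered as "Playback Device 1"


@dataclass
class CecFrame:
    initiator: int
    destination: int
    opcode: Optional[int]   # None for a header-only polling message
    operands: bytes


def parse_frame(raw: bytes) -> CecFrame:
    # Header byte: initiator logical address in the high nibble, destination in the low.
    if not 1 <= len(raw) <= MAX_FRAME_LEN:
        raise ValueError(f"frame length {len(raw)} out of range")
    return CecFrame(initiator=raw[0] >> 4, destination=raw[0] & 0xF,
                    opcode=raw[1] if len(raw) > 1 else None, operands=bytes(raw[2:]))


def decide(frame: CecFrame, host_address: int = HOST_ADDRESS) -> Tuple[bool, str]:
    """Return (allow, reason) for one frame arriving at the host side."""
    if frame.destination not in (host_address, BROADCAST):
        return False, "not addressed to host"
    if frame.opcode is None:
        return True, "polling message"        # no payload to abuse
    if frame.opcode not in ALLOWED_OPCODES:
        name = CEC_OPCODES.get(frame.opcode, "unknown opcode")
        return False, f"opcode 0x{frame.opcode:02X} ({name}) not on allowlist"
    # Even allowed opcodes get a shape check so a malformed operand never
    # reaches the host's CEC stack.
    if frame.opcode == 0x82 and len(frame.operands) != 2:
        return False, "Active Source needs a 2-byte physical address"
    return True, CEC_OPCODES[frame.opcode]


def filter_frames(frames: List[bytes], host_address: int = HOST_ADDRESS) -> List[Tuple[str, bool, str]]:
    """Run every frame through the policy; returns (hex, allowed, reason) rows."""
    return [(raw.hex(),) + decide(parse_frame(raw), host_address) for raw in frames]


# Constructed frames (initiator 0 = TV) as they would be seen on the host side.
SAMPLE_FRAMES = [
    bytes([0x04]),                                   # TV polls the host
    bytes([0x0F, 0x36]),                             # broadcast Standby
    bytes([0x04, 0x44, 0x6C]),                       # User Control Pressed: keypress injection
    bytes([0x04, 0xA0, 0x00, 0x00, 0x00, 0xAA]),     # Vendor Command With ID: opaque payload
    bytes([0x04, 0x64, 0x00]) + b"PWNED",            # Set OSD String: arbitrary text operand
    bytes([0x0F, 0x82, 0x10, 0x00]),                 # Active Source, physical address 1.0.0.0
    bytes([0x0F, 0x82, 0x10]),                       # Active Source with truncated operand
    bytes([0x05, 0x36]),                             # Standby addressed to another device
]

if __name__ == "__main__":
    for hexframe, allowed, reason in filter_frames(SAMPLE_FRAMES):
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {hexframe:<18} {reason}")
```

The design point is that a filter on this channel does not need signatures: it needs a short list of message types the host legitimately expects, a length check on every frame, and a shape check on the operands of the ones it lets through. Anything else is dropped and logged, which is also the behavioral indicator a defender would want to see.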
## Associated Threat Actors
The NCSC positions the device as a defense against sophisticated adversaries, specifically:
- **State-Sponsored Espionage groups** (referenced generally in the context of China, Russia, Iran, and North Korea).
- Actors targeting **Critical National Infrastructure (CNI)**.
## Detection Methods
- **Physical Inspection:** Confirming that the SilentGlass unit is seated in-line between the video source and the monitor, with no cable bypassing it.
- **Hardware Telemetry:** Monitoring for signals the device blocks at the physical layer; what telemetry the unit exposes, if any, is not specified in the published material.
## Mitigation Strategies
- **Physical Boundary Enforcement:** Treating display cables as an untrusted boundary and deploying an in-line hardware filter.
- **Hardening Display Interfaces:** Where SilentGlass is not present, disabling unused HDMI features (such as CEC or Ethernet over HDMI) wherever the platform exposes the option: system firmware, the GPU driver, or the monitor's own menu.
- **Cable Shielding:** Using well-shielded cables to reduce TEMPEST-style electromagnetic leakage; shielding reduces emanations but does not eliminate them.
## Related Tools/Techniques
- **Deep-TEMPEST:** An evolution of TEMPEST attacks that uses deep learning to reconstruct screen content from the electromagnetic emissions of HDMI links.
- **EDID Exploitation:** Vulnerabilities in how operating systems and graphics drivers parse monitor identification data. EDID is supplied by the monitor, so a malicious or compromised display controls every byte the host parses.
- **CEC/CDC/NEC Protocols:** Device-control protocols carried beside the video signal; because their commands originate from the display side, they can be subverted for malicious command injection into the host.
- **Data Diodes:** Industrial hardware used to ensure unidirectional data flow, similar in concept to the hardware-level enforcement of SilentGlass.
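The Protocol Filtering capability listed under Core Capabilities and the EDID Exploitation entry above come down to the same point: EDID is data the monitor hands to the host, and the host must validate it before indexing into it. The parser below is an added example, not SilentGlass code or anything from the NCSC or Goldilock; it applies the checks a hardened host parser (or an in-line filter) would make against a 128-byte base block. The sample block is constructed in the code with a valid checksum, and its manufacturer and product values are arbitrary.

```python
"""Defensive parser for a 128-byte EDID base block (VESA E-EDID 1.3/1.4).
Added example, not SilentGlass code: the checks a host parser or in-line filter
should make before trusting what the monitor sends. Sample block is constructed."""
from dataclasses import dataclass
from typing import Optional

EDID_HEADER = bytes.fromhex("00ffffffffffff00")
BASE_BLOCK_LEN = 128
DESCRIPTOR_OFFSETS = (54, 72, 90, 108)   # four 18-byte descriptor slots
TAG_MONITOR_NAME = 0xFC

class EdidError(ValueError): pass

@dataclass
class EdidInfo:
    manufacturer: str
    product_code: int
    edid_version: str
    extension_count: int
    monitor_name: Optional[str]

def _decode_manufacturer(raw: bytes) -> str:
    # Bytes 8-9: three 5-bit letters (A=1..Z=26) packed big-endian, bit 15 reserved.
    val = int.from_bytes(raw, "big")
    letters = ((val >> 10) & 0x1F, (val >> 5) & 0x1F, val & 0x1F)
    if val & 0x8000 or any(not 1 <= c <= 26 for c in letters):
        raise EdidError("malformed manufacturer ID")
    return "".join(chr(0x40 + c) for c in letters)

def _decode_name(desc: bytes) -> str:
    # Monitor-name descriptor: byte 3 = 0xFC, bytes 5-17 ASCII ended by 0x0A and
    # padded with 0x20. A fixed 13-byte slice means an unterminated name can
    # never make the parser read past the descriptor.
    text = desc[5:18]
    end = text.find(b"\n")
    if end != -1:
        text = text[:end]
    if any(c < 0x20 or c > 0x7E for c in text):
        raise EdidError("non-printable byte in monitor name")
    return text.decode("ascii").rstrip()

def parse_edid(blob: bytes) -> EdidInfo:
    # Length first: every index below assumes a full 128-byte base block.
    if len(blob) < BASE_BLOCK_LEN:
        raise EdidError(f"base block too short: {len(blob)} bytes")
    base = blob[:BASE_BLOCK_LEN]
    if base[:8] != EDID_HEADER:
        raise EdidError("bad EDID header")
    if sum(base) % 256 != 0:
        raise EdidError("base block checksum mismatch")
    ext_count = base[126]
    # The extension count is monitor-supplied: check it against the bytes we
    # actually hold instead of walking blocks that do not exist.
    if len(blob) < BASE_BLOCK_LEN * (1 + ext_count):
        raise EdidError(f"{ext_count} extension block(s) advertised, {len(blob)} bytes supplied")
    name = None
    for off in DESCRIPTOR_OFFSETS:
        desc = base[off:off + 18]
        if desc[:3] == b"\x00\x00\x00" and desc[3] == TAG_MONITOR_NAME:
            name = _decode_name(desc)
            break
    return EdidInfo(manufacturer=_decode_manufacturer(base[8:10]),
                    product_code=int.from_bytes(base[10:12], "little"),
                    edid_version=f"{base[18]}.{base[19]}",
                    extension_count=ext_count, monitor_name=name)

def rejects(blob: bytes) -> bool:
    """True if parse_edid refuses the block."""
    try:
        parse_edid(blob)
        return False
    except EdidError:
        return True

def fix_checksum(block: bytes) -> bytes:
    # Recompute byte 127 so the 128-byte sum is 0 mod 256. A hostile monitor can
    # do this too, which is why the checksum is not a security control.
    b = bytearray(block[:BASE_BLOCK_LEN])
    b[127] = (-sum(b[:127])) % 256
    return bytes(b) + block[BASE_BLOCK_LEN:]

def build_sample_edid(manufacturer: str = "ACM", name: str = "CONSTRUCTED",
                      ext_count: int = 0) -> bytes:
    # Constructed sample (not a real monitor's EDID) with a valid checksum.
    b = bytearray(BASE_BLOCK_LEN)
    b[0:8] = EDID_HEADER
    val = 0
    for ch in manufacturer:
        val = (val << 5) | (ord(ch) - 0x40)
    b[8:10] = val.to_bytes(2, "big")
    b[10:12] = (0x1234).to_bytes(2, "little")
    b[18], b[19] = 1, 4                       # EDID version 1.4
    desc = bytearray(b"\x20" * 18)
    desc[0:5] = bytes([0, 0, 0, TAG_MONITOR_NAME, 0])
    text = name.encode("ascii")[:13]
    desc[5:5 + len(text)] = text
    if len(text) < 13:
        desc[5 + len(text)] = 0x0A            # terminator; rest stays 0x20
    b[54:72] = desc
    b[126] = ext_count
    return fix_checksum(bytes(b))
```

The checksum catches a corrupted block, not a hostile one: a malicious monitor simply recomputes byte 127, as `fix_checksum` does, so the structural checks (length before any index, extension count against bytes actually held, a fixed-width name slice, printable-only text) are the ones that matter. Those are exactly the checks that move out of the OS and driver parsers when a hardware boundary filters the channel instead.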