The Safety of HDMI/VGA Adapters: Debunking Security Concerns
This question seems to come up about once a month, and the answer still has not changed.
The bidirectional protocol in VGA and DVI is very, very limited, and basically is only used to identify the monitor and exchange video resolution and timing information. It’s too primitive to be used as an exploitable channel unless your video card has very specific hardware bugs. A quick survey of the several dozen CVEs for VGA all list either host-side device driver bugs or bugs in virtual VGA devices for VMs. This just isn’t a real-world issue for VGA hardware.
HDMI actually has fewer CVEs listed. However, some of these do include device-side exploits, including two where corrupt EDID data could cause a buffer overflow in Linux (on Android). Also, HDMI includes specs for Ethernet and USB, although I am not aware of any video cards that implement that. Also, the HDMI CEC protocol allows transmission of remote buttons, which some hosts that support CEC translate to keystrokes. However, CEC generally does not show up as a keyboard device; an application has to explicitly support CEC to use it that way.
USB-C is actually a bigger danger, as this inherently can include arbitrary devices like keyboards, mice, and disks.
In short, it seems extremely unlikely that an HDMI adapter could be a security issue, as long as your video card doesn’t show up as a USB hub with a network interface. (Most do show up as a sound card.)
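EDID is the one blob of display-supplied data the host parses, so a host-side parser should validate it before reading any field. The following C is an added example, not code from the post or from any driver; the function and enum names are hypothetical, and the sample block is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EDID_BLOCK 128  /* every EDID block is 128 bytes */

enum edid_status { EDID_OK = 0, EDID_SHORT, EDID_BAD_HEADER,
                   EDID_BAD_SUM, EDID_TRUNCATED };

/* All 128 bytes of a valid block sum to 0 modulo 256. */
static uint8_t edid_block_sum(const uint8_t *b)
{
    uint8_t s = 0;
    for (size_t i = 0; i < EDID_BLOCK; i++)
        s = (uint8_t)(s + b[i]);
    return s;
}

/* Validate display-supplied EDID; len is the byte count actually read. */
enum edid_status edid_validate(const uint8_t *buf, size_t len)
{
    static const uint8_t magic[8] = {0x00, 0xFF, 0xFF, 0xFF,
                                     0xFF, 0xFF, 0xFF, 0x00};
    if (buf == NULL || len < EDID_BLOCK)
        return EDID_SHORT;
    if (memcmp(buf, magic, sizeof magic) != 0)
        return EDID_BAD_HEADER;
    if (edid_block_sum(buf) != 0)
        return EDID_BAD_SUM;
    /* Byte 126 is the extension count claimed by the device. Bound it
     * by what was really read instead of trusting it as a length. */
    size_t need = ((size_t)buf[126] + 1) * EDID_BLOCK;
    if (need > len)
        return EDID_TRUNCATED;
    for (size_t off = EDID_BLOCK; off < need; off += EDID_BLOCK)
        if (edid_block_sum(buf + off) != 0)
            return EDID_BAD_SUM;
    return EDID_OK;
}

/* Constructed sample: header, claimed extension count, fixed-up checksum. */
void edid_make_sample(uint8_t *out, uint8_t ext)
{
    memset(out, 0, EDID_BLOCK);
    memset(out + 1, 0xFF, 6);          /* 00 FF FF FF FF FF FF 00 */
    out[126] = ext;
    out[127] = (uint8_t)(0u - edid_block_sum(out));
}
```

A block that claims more extensions than were read is rejected as `EDID_TRUNCATED` rather than parsed past the end of the buffer.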