TrojPix Attack Remotely Exfiltrates Data From Air-Gapped Computers
Key Takeaways A new electromagnetic (EM) attack, dubbed TrojPix, can exfiltrate data from air-gapped systems. The attack exploits subtle EM emissions from standard video cables (HDMI, DVI) by...
Key Takeaways
- A new electromagnetic (EM) attack, dubbed TrojPix, can exfiltrate data from air-gapped systems.
- The attack exploits subtle EM emissions from standard video cables (HDMI, DVI) by manipulating screen pixels.
- TrojPix achieves a record data transfer rate of 8.1 Mbps over distances up to 208 meters, even through concrete walls.
- The technique requires pre-existing malware on the target system but operates without elevated privileges and is visually imperceptible.
- Mitigation involves EM shielding, jamming, or adopting fiber-optic video interfaces.
TrojPix: Covert Data Exfiltration via Screen Pixels
A groundbreaking electromagnetic (EM) covert-channel attack, named TrojPix, has been developed that can surreptitiously extract sensitive information from air-gapped computers. This innovative method, which will be presented at the 35th USENIX Security Symposium, leverages only the pixels displayed on a victim’s screen to transmit data over distances of up to 208 meters, penetrating physical barriers like concrete walls.
Table Of Content
Developed by a research team from Shandong University and Quan Cheng Laboratory, TrojPix represents a substantial advancement in EM covert channels. It boasts an impressive peak throughput of 8.1 Mbps, marking a roughly 27-fold improvement over previous state-of-the-art techniques, all while remaining completely undetectable to the human eye.
How TrojPix Exploits Air-Gapped Systems
Air-gapped systems are critical infrastructure in military, government, financial, and nuclear sectors, designed for maximum confidentiality through physical isolation from external networks. TrojPix circumvents this isolation by transforming ordinary digital video cables into unwitting radio antennas.
The core of the attack relies on manipulating the Transition-Minimized Differential Signaling (TMDS) encoding scheme, which is fundamental to HDMI and similar video interfaces. By making minute, visually imperceptible alterations to pixel values—for instance, modifying the least significant bit of the blue color channel—malware can precisely control the EM emissions radiating from the video cable. These subtle emissions encode data that an attacker can capture remotely using readily available commercial radio equipment.
Crucially, the malware responsible for initiating the TrojPix channel does not require administrator privileges or any hardware modifications, operating entirely within user mode. Its function involves scanning the compromised system for confidential files, determining the monitor’s resolution, and then playing a specially crafted, visually camouflaged “attack video” to establish the covert communication link.
It is important to note that TrojPix functions solely as a data exfiltration channel; it is not a method for initial system compromise. The attack necessitates that malware is already present and executing on the air-gapped machine. TrojPix itself does not provide the initial access. Gaining entry to a physically isolated machine remains the most challenging aspect, typically requiring conventional air-gap infection vectors such as infected USB drives, supply-chain attacks, compromised firmware, or malicious insider activity.
Therefore, the reported 208-meter range signifies the distance from which an attacker can passively receive stolen data once the system has been compromised by other means, not the distance for initial intrusion.
What distinguishes TrojPix is its efficiency and stealth in the final data-theft phase: it is fast, long-range, visually invisible, and requires only low-privilege user-mode access. The attacker’s receiving radio equipment remains entirely external to the target, never making physical contact.
TrojPix Operational Modes and Resilience
The researchers demonstrated two distinct operational modes for TrojPix. In “Fake Screen-Off Mode,” the malware simulates a powered-down display while data transmission continues in the background, pausing instantly upon detection of mouse movement. The “Foreground Embedding Mode” integrates covert data directly into the content currently displayed on screen through pixel-level adjustments that are imperceptible to observers.
To ensure robust performance against noise and interference over extended distances, TrojPix employs a combination of techniques: Pixel-to-Sample Mapping (P2S-Map), matched-filter correlation for synchronization, cross-row resilience coding, and an adaptive decision threshold. For reception, the team utilized a USRP X310 software-defined radio paired with a directional antenna and a low-noise amplifier.
Extensive evaluations across nine monitor brands and fifteen video cables revealed that TrojPix achieved a bit-correct rate nearing 99%, which improved to 100% with the application of forward error correction. The system maintained its performance through a 30-cm concrete wall, across various resolutions and antenna angles, and even with other active monitors nearby. A perceptual study involving 50 volunteers confirmed that none could discern any visual changes before or during the attack.
What You Should Do
- Implement EM Shielding: While not a complete block, applying Faraday-cage principles through EM shielding can degrade the covert channel’s effectiveness.
- Consider EM Jamming: Deploying electromagnetic jamming equipment can disrupt the signal, though this is often a costly solution.
- Adopt Fiber-Optic or Wireless Video Interfaces: The most effective mitigation involves transitioning to video interfaces inherently free from EM leakage, such as fiber-optic or secure wireless connections.
- Enhance Software Defenses: Implement software solutions that randomize TMDS transmission order or smooth pixel values to reduce exploitable EM leakage.
- Strengthen Air-Gap Integrity: Reinforce existing air-gap security measures to prevent initial malware infiltration, as TrojPix relies on a pre-compromised system.
The researchers outline several countermeasures, noting that while EM shielding can partially degrade the channel, testing showed success rates remained above 91% even with added shielding, indicating it cannot fully prevent the attack. EM jamming equipment presents another option, albeit an expensive one.
The authors conclude that the most effective mitigation strategy involves adopting EM-leakage-free video interfaces, such as fiber-optic or wireless connections. Additionally, software-based defenses like randomizing TMDS transmission order and smoothing pixel values can help reduce EM leakage. The research team has initiated responsible disclosure with cable manufacturers and has deliberately withheld specific operational attack details to prevent potential misuse.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.