Researchers Show TrojPix Can Exfiltrate Data from Air-Gapped PCs Through Video Cable Emissions
Security researchers at Shandong University have demonstrated a new covert channel, dubbed TrojPix, that can leak data from air-gapped computers by manipulating how pixels are displayed on the screen....
Security researchers at Shandong University have demonstrated a new covert channel, dubbed TrojPix, that can leak data from air-gapped computers by manipulating how pixels are displayed on the screen. The technique takes advantage of electromagnetic emissions produced by video cables, allowing a nearby radio receiver to capture the signal and reconstruct the hidden information.
The approach does not provide a way to break into a system on its own. Instead, it requires malware already running on the target machine. Once that foothold exists, the malicious code can alter on-screen pixels in a way that is invisible to the human eye but still generates a decodable radio signal.
According to the researchers, TrojPix reached a peak data rate of 8.1 Mbps in testing and was detected at distances of up to 208 meters in separate measurements. While the practical range in real environments would likely be lower because of walls, shielding, and background noise, the throughput is far higher than many other air-gap exfiltration methods, which often transfer data at only bits or kilobits per second.
The team described two modes of operation:
- simulating a powered-off display while still transmitting data
- embedding the signal inside normal-looking screen content
Researchers said the method worked across nine monitor brands and 15 different video cables, suggesting it is not limited to one specific hardware setup. They also noted that TrojPix does not require administrator privileges or hardware modifications, as long as the malware can render to the screen.
The study builds on long-standing research into compromising emanations, commonly associated with TEMPEST-style attacks, and follows other screen-based leakage demonstrations such as PIXHELL. Unlike air-gap breaches seen in the wild, such as Stuxnet and Agent.BTZ, which relied on removable media, TrojPix is presented as a laboratory demonstration of what could be possible once an attacker already has access.
Mitigation remains largely physical and preventive. Recommended defenses include using fiber-optic video links where possible, shielding sensitive cables and rooms, and keeping malware off systems that handle confidential data. Once malicious code is present, even a display cable can become a high-speed exfiltration path.
