How TrojPix Works
Researchers at Shandong University have unveiled a new covert channel attack, named TrojPix, that can extract data from air-gapped computers using electromagnetic emissions from video cables. The method manipulates on-screen pixels in ways imperceptible to the human eye, causing the video cable to radiate a faint radio signal that a nearby receiver can decode. Crucially, TrojPix requires malware already present on the target machine; it is an exfiltration tool, not an initial access vector.
The attack employs imperceptible pixel modulation and does not require administrator rights or hardware modifications. User-level malware that can draw to the screen is sufficient. Researchers describe two hiding strategies: one simulates a powered-off display to keep the screen dark during transmission, while the other embeds the signal within ordinary on-screen content. Tests across nine monitor brands and fifteen video cables showed the technique was not limited to specific hardware.
Impact and Scope
In laboratory tests, TrojPix achieved a peak throughput of 8.1 Mbps at a distance of 208 meters, though these metrics were measured separately. At this speed, roughly one megabyte per second, the attack could exfiltrate a 100 MB file in under two minutes. This marks a significant improvement over most air-gap covert channels, which typically operate at bits or kilobits per second. However, real-world performance may be reduced by walls, shielding, and ambient noise.
This technique builds on decades of research into compromising emanations, known as TEMPEST, and recent work like TEMPEST-LoRa (CCS 2025). While TEMPEST-LoRa reached 87.5 meters at 21.6 kbps, TrojPix offers hundreds of times higher throughput. Defenses against such attacks are physical and preventive: using fiber-optic video links instead of copper cables, shielding cables and rooms for high-security environments, and, most importantly, preventing malware from gaining a foothold on the system. Once an attacker is inside, TrojPix can move data out quickly while the screen appears off.
Source: The Hacker News
