New TrojPix Attack Lets Attackers Access Air-gapped Computers From 208 Meters
A novel electromagnetic (EM) covert-channel attack, dubbed TrojPix, can steal sensitive data from already-compromised air-gapped computers over distances of up to 208 meters, even through concrete walls, by exploiting only the pixels displayed on a victim’s screen.
The technique was developed by a team from Shandong University and Quan Cheng Laboratory and is slated for presentation at the 35th USENIX Security Symposium.
It marks a significant leap over prior EM covert channels, achieving a peak throughput of 8.1 Mbps, roughly a 27-fold improvement over the previous state of the art, while remaining completely invisible to the human eye.
TrojPix Attack
Air-gapped systems are physically isolated from external networks and are widely deployed in military, government, financial, and nuclear facilities where confidentiality is paramount. TrojPix defeats this isolation by turning ordinary digital video cables into unintended radio antennas.
The attack hinges on Transition-Minimized Differential Signaling (TMDS), the encoding scheme used by HDMI and similar interfaces. By making tiny, imperceptible modifications to pixel values, for example, altering the least significant bit of the blue channel, malware can deterministically change the EM emissions radiating from the video cable. Those subtle emissions encode data an attacker can capture remotely with commercial radio equipment.
Critically, the malware requires neither administrator privileges nor hardware modifications and runs entirely in user mode. It scans the target for confidential files, reads the monitor’s resolution, and plays a visually camouflaged “attack video” to establish the covert channel.
TrojPix is a data-exfiltration channel, not a break-in method. The attack only works if malware is already running on the isolated computer, and TrojPix does nothing to achieve that initial foothold.
Reaching a physically isolated machine remains the genuinely hard part, and it would still require a traditional air-gap infection route such as an infected USB drive, a supply-chain attack, compromised firmware, or a malicious insider.
In other words, the 208-meter figure is not the range from which an attacker breaks in; it is the distance from which they can quietly receive stolen data once a system has been compromised by other means.

What makes TrojPix notable is how efficient and undetectable it makes that final data-theft hop fast, long-range, invisible on screen, and requiring only low-privilege user-mode access. The attacker’s radio equipment sits entirely outside the target and never physically touches it.
TrojPix Attack Modes
The researchers demonstrated two operating modes. In Fake Screen-Off Mode, the malware disguises the display as powered down while transmission continues in the background, halting instantly if mouse movement is detected.
In Foreground Embedding Mode, covert data is woven into whatever content is currently on screen using pixel-level tweaks that observers could not perceive.
To survive noise and interference over long distances, TrojPix combines Pixel-to-Sample Mapping (P2S-Map), matched-filter correlation for synchronization, cross-row resilience coding, and an adaptive decision threshold. On the receiving end, the team used a USRP X310 software-defined radio paired with a directional antenna and a low-noise amplifier.
Evaluated across nine monitor brands and fifteen video cables, TrojPix delivered a bit-correct rate near 99%, rising to 100% once forward error correction was applied.
Performance held up through a 30-cm concrete wall, across different resolutions and antenna angles, and even with nearby active monitors running. A perceptual study with 50 volunteers found that none could detect any visual difference before and after the attack ran.

The researchers outline several countermeasures. EM shielding based on the Faraday-cage principle can partially degrade the channel, but testing showed success rates staying above 91% even with added shielding materials, meaning it cannot fully block the attack. Deploying EM jamming equipment is another option, though a costly one.
The most effective mitigation, the authors conclude, is to adopt EM-leakage-free video interfaces, such as fiber-optic or wireless connections. Software defenses like randomizing TMDS transmission order and smoothing pixel values can also reduce leakage.
The team has begun responsible disclosure with cable manufacturers and deliberately withheld operational attack details to limit misuse.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post New TrojPix Attack Lets Attackers Access Air-gapped Computers From 208 Meters appeared first on Cyber Security News.
Guru Baran
Go to cyber-security-news