Home Risk & Resilience New TrojPix Technique Uses Video Cable Signals To Extract Data From Air Gapped Systems

New TrojPix Technique Uses Video Cable Signals To Extract Data From Air Gapped Systems

0
New TrojPix Technique Uses Video Cable Signals To Extract Data From Air Gapped Systems

Researchers at Shandong University have introduced a new technique called TrojPix that demonstrates how sensitive data can be extracted from air gapped computers by exploiting electromagnetic emissions generated through video cables. Air gapped systems are designed to remain isolated from external networks and are commonly deployed in environments where highly sensitive information is processed. TrojPix does not provide attackers with an initial method of compromising a system. Instead, it functions as a data exfiltration mechanism after malware has already been installed on the target machine. According to the researchers, the technique subtly modifies on screen pixels in a way that remains invisible to the human eye. These changes cause the connected video cable to emit weak radio frequency signals that can be captured and decoded by a nearby receiver. During testing, TrojPix achieved a peak transmission speed of 8.1 megabits per second and reached a maximum communication distance of 208 meters, although these performance figures were measured separately rather than simultaneously. The researchers said this level of throughput is significantly faster than many previously demonstrated air gap covert channels, making it capable of transferring much larger amounts of data within a relatively short period.

Unlike many traditional attacks targeting isolated systems, TrojPix does not require administrator privileges or hardware modifications. The researchers explained that malware running with ordinary user level permissions is sufficient as long as it can display content on the computer screen. The attack works by using a technique known as imperceptible pixel modulation, where tiny adjustments to displayed images generate radio emissions through the video cable without creating visible changes for the user. The team developed two different operating modes for the attack. One approach simulates a powered off display by keeping the screen completely dark while transmitting information in the background. The second embeds the hidden signal within regular on screen content, allowing normal applications and desktop activity to continue while data is secretly transmitted. Researchers reported that TrojPix functioned successfully across nine different monitor brands and fifteen types of video cables, indicating that the technique is not limited to a single hardware manufacturer or specific display configuration. Although the attack demonstrated impressive performance under controlled laboratory conditions, practical deployment would still depend on environmental factors such as physical distance, shielding, walls, and radio interference that may reduce signal quality.

The concept of using electromagnetic emissions from computer equipment to leak information is not new and has been studied for decades under research associated with TEMPEST. Earlier work has demonstrated that unintended emissions from electronic devices can carry information that may be intercepted under specific conditions. More recently, researchers developed TEMPEST LoRa, which also relied on video cable emissions to transmit information to commercially available long range LoRa radio receivers. That research achieved communication distances of up to 87.5 meters with transfer speeds reaching 21.6 kilobits per second. While TrojPix reports significantly higher peak throughput, researchers noted that the two projects used different receivers and testing environments, making direct performance comparisons difficult. TrojPix also joins a growing list of academic demonstrations exploring unconventional methods of transferring data from isolated systems. Previous research has shown information leakage through monitor generated sound waves, such as the PIXHELL technique disclosed in 2024, while other studies have relied on specialized hardware implants connected to network cables. TrojPix distinguishes itself by avoiding additional hardware modifications and relying solely on software driven manipulation of display output.

Researchers emphasized that TrojPix remains a proof of concept developed under laboratory conditions and is not known to have been observed in real world cyber espionage campaigns. Historical attacks against air gapped environments, including Stuxnet and Agent.BTZ, relied primarily on infected USB storage devices to cross isolated networks rather than radio frequency based data transmission. Even so, the research highlights how attackers continue exploring unconventional methods for extracting sensitive information once malware reaches protected environments. Because the electromagnetic emissions originate from the physical characteristics of copper video cables, software updates cannot eliminate the underlying behavior. Instead, organizations handling highly sensitive information are advised to adopt physical security measures such as using fiber optic display connections that do not emit comparable radio signals, deploying shielded cables and protected facilities similar to TEMPEST certified environments, and maintaining strong malware prevention controls to stop unauthorized software from reaching isolated systems. Since TrojPix requires malware to already be present on the target device before any information can be transmitted, preventing the initial compromise remains the most effective defense against this class of covert data exfiltration techniques.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.