TrojPix Attack: The 208-Meter Electromagnetic Covert Channel That Breaks Air-Gap Security + Video

Listen to this Post

Featured Image

Introduction:

For decades, air-gapped networks have been considered the gold standard for securing the world’s most sensitive data. The assumption is simple: no network connection means no remote access, no data exfiltration, and no compromise. TrojPix, a novel electromagnetic covert-channel attack unveiled by researchers at Shandong University and presented at USENIX Security 2026, shatters this assumption. By exploiting the electromagnetic radiation emitted from a victim’s video cable through imperceptible pixel modulations on the screen, TrojPix enables attackers to steal sensitive data from air-gapped computers over distances of up to 208 meters—even through concrete walls. This attack redefines the threat landscape for physical isolation, proving that even the most secure networks are vulnerable to creative side-channel exploitation.

Learning Objectives:

  • Understand the technical mechanisms behind TrojPix’s imperceptible pixel modulation and electromagnetic covert channel.
  • Analyze the two primary attack modes—fake screen-off and foreground embedding—and their operational implications.
  • Identify and implement effective mitigation strategies, including hardware countermeasures and software-based monitoring.

You Should Know:

  1. The Science Behind TrojPix: How Imperceptible Pixels Become a Radio Transmitter

TrojPix is not a method for gaining initial access; it is a data-exfiltration channel that requires malware to already be running on the target air-gapped computer. The attack leverages the fundamental physics of digital video cables: as video signals travel from the computer’s graphics card to the monitor, they generate unintentional electromagnetic (EM) radiation. TrojPix takes this passive leakage and turns it into an active, controllable transmitter.

The core innovation lies in what the researchers call “imperceptible pixel modulation”. By making microscopic, visually undetectable alterations to the pixels displayed on the screen, the malware induces specific, controllable electromagnetic emissions from the video cable. These emissions can be modulated to carry binary data—essentially turning the video cable into a makeshift antenna. The attack requires no system privileges or hardware modifications; any user-mode malware capable of drawing to the screen can execute it.

Technical Deep Dive:

The communication scheme relies on a pixel-to-sample mapping technique combined with adaptive decoding. This allows TrojPix to achieve robust communication at the sample-rate level over extended ranges. The researchers successfully validated TrojPix across nine commercial off-the-shelf monitor brands and fifteen different digital video cables, demonstrating its broad applicability.

Peak Performance Metrics:

  • Throughput: 8.1 Mbps—roughly 1 megabyte per second, enough to exfiltrate a 100 MB file in under two minutes.
  • Range: 208 meters, though this peak throughput and maximum range were measured separately rather than simultaneously.
  • Stealth: Two operational modes ensure the data transmission remains invisible to the user.

For context, most air-gap covert channels operate at bits or kilobits per second. TrojPix’s throughput is hundreds of times higher than previous techniques like TEMPEST-LoRa (which reached 87.5 meters at 21.6 kbps).

2. Attack Modes: Operating Under the Radar

TrojPix offers two distinct operational modes, each designed to maintain stealth while exfiltrating data.

Fake Screen-Off Mode:

In this mode, the malware forces the monitor into a powered-off state while continuing to transmit data through the video cable. To the user, the screen appears completely dark, as if the computer is turned off or in sleep mode. However, the video cable remains active, radiating the modulated EM signals that carry the stolen data. This mode is particularly dangerous in environments where administrators might not immediately notice a powered-off monitor.

Foreground Embedding Mode:

For situations where a dark screen would raise suspicion, TrojPix can embed the covert signal within the normal on-screen content. The malware modifies specific pixels in a way that is imperceptible to the human eye but generates the necessary EM emissions. This allows the attack to continue while the user is actively working, with no visual indication that anything is amiss.

Detection Evasion:

Both modes exploit the fact that electromagnetic emissions from video cables are a normal byproduct of display operation. Distinguishing between benign EM noise and a TrojPix data stream requires specialized equipment and expertise, making real-time detection exceptionally challenging.

3. Setting Up a Monitoring and Detection Framework

While TrojPix is stealthy, organizations can implement monitoring frameworks to detect anomalous electromagnetic activity. Below is a conceptual guide for setting up an EM emission monitoring system.

Hardware Requirements:

  • Software-Defined Radio (SDR) such as HackRF or USRP
  • Directional antenna tuned to the video cable’s frequency range
  • Spectrum analyzer for baseline measurement

Step-by-Step Monitoring Setup:

  1. Establish a Baseline: Use an SDR to capture and record the normal electromagnetic spectrum of your air-gapped environment over a 24-72 hour period. This establishes a baseline of “normal” emissions.
  2. Implement Continuous Monitoring: Deploy the SDR with automated spectrum capture scripts. The following Python snippet using the `pyrtlsdr` library provides a basic framework:
from rtlsdr import RtlSdr
import numpy as np
import matplotlib.pyplot as plt

sdr = RtlSdr()
sdr.sample_rate = 2.048e6
sdr.center_freq = 100e6  Adjust based on video cable frequency
sdr.gain = 'auto'

samples = sdr.read_samples(2561024)
power_spectrum = 10np.log10(np.abs(np.fft.fft(samples))2)
 Compare against baseline; flag deviations beyond threshold
  1. Define Anomaly Thresholds: Establish statistical thresholds for frequency band activity. Any sustained deviation beyond three standard deviations from the baseline should trigger an alert.

  2. Integrate with SIEM: For enterprise deployments, integrate the monitoring output with a Security Information and Event Management (SIEM) system for centralized alerting and correlation with other security events.

Windows PowerShell Command for Process Monitoring:

To complement EM monitoring, track processes that interact with the graphics subsystem:

Get-Process | Where-Object {$_.Modules.ModuleName -match "d3d|opengl|vulkan"} | 
Select-Object Name, CPU, WorkingSet, StartTime | 
Export-Csv -Path "C:\Logs\gpu_processes.csv" -1oTypeInformation

Linux Command for GPU Activity Monitoring:

while true; do 
nvidia-smi --query-gpu=utilization.gpu,memory.used --format=csv >> /var/log/gpu_activity.log
sleep 5
done

These commands help identify unusual GPU activity that could indicate pixel manipulation for covert channels.

4. Defensive Countermeasures: Securing the Air Gap

TrojPix cannot be patched away with software updates because it exploits a fundamental physical property of electronic devices. Instead, defense requires a combination of physical and architectural countermeasures.

Fiber-Optic Video Links:

The most effective mitigation is to replace copper video cables (HDMI, DisplayPort, DVI, VGA) with fiber-optic alternatives. Fiber optics transmit data using light rather than electrical signals, eliminating the electromagnetic radiation that TrojPix exploits. For organizations handling classified information, this transition is already recommended under TEMPEST guidelines.

Electromagnetic Shielding:

For existing copper installations, electromagnetic shielding provides a robust defense. Faraday cages—enclosures made of conductive materials like copper, aluminum, or steel—can block EM emissions from escaping the protected environment. TEMPEST-rated facilities already employ such shielding, with typical attenuation of 100 dB within the 10 MHz to 1 GHz range.

NATO TEMPEST Standards:

TEMPEST shielding is categorized into three levels of protection:
– Level A: Highest protection for environments with the most sensitive data
– Level B: Intermediate protection for controlled environments
– Level C: Basic protection for less critical applications

Physical Distance and Separation:

Maintaining physical distance between sensitive equipment and potential receiver locations reduces the signal-to-1oise ratio available to an attacker. Combined with proper building shielding, this can effectively neutralize long-range EM attacks.

5. Proactive Defense: Endpoint Hardening and Malware Prevention

Since TrojPix requires an initial malware infection to function, preventing that foothold remains the most practical defense.

Air-Gap Integrity Checklist:

  1. Strict Media Control: Implement a rigorous process for introducing any external media (USB drives, DVDs, etc.) into the air-gapped environment. All media should be scanned on a dedicated, non-1etworked scanning station before use.

  2. Application Whitelisting: Use tools like Windows AppLocker or Linux `auditd` to restrict execution to approved applications only.

  3. Behavioral Monitoring: Deploy endpoint detection and response (EDR) solutions capable of detecting unusual graphics subsystem activity, even in air-gapped environments.

Windows Command for Application Whitelist Audit:

Get-AppLockerPolicy -Effective | Export-Clixml -Path C:\Security\AppLockerPolicy.xml

Linux Command for Monitoring Unauthorized Execution:

auditctl -w /usr/bin -p x -k app_execution
ausearch -k app_execution --start today

Regular Security Audits:

Conduct periodic physical and logical audits of air-gapped systems. This includes reviewing running processes, checking for unauthorized hardware, and verifying the integrity of system files.

  1. The Broader Context: Air-Gap Covert Channels Are a Family of Threats

TrojPix is not an isolated phenomenon. It belongs to a growing family of air-gap covert channels that exploit various physical phenomena:

  • Acoustic Channels: PIXHELL (2024) used screen-generated sound to leak data
  • Thermal Channels: BitWhisper (2015) manipulated thermal emissions
  • Power Line Channels: PowerHammer used AC power lines for exfiltration
  • USB Channels: USBee turned USB connectors into RF transmitters
  • Optical Channels: BRIGHTNESS used screen brightness manipulation

This trend underscores a critical reality: air gaps, while valuable, are not absolute. A comprehensive security strategy must account for physical-layer threats alongside traditional cyber defenses.

What Undercode Say:

  • Key Takeaway 1: Air-gapped networks are not impenetrable. TrojPix demonstrates that electromagnetic side channels can defeat physical isolation at speeds and ranges previously considered impossible. Organizations must treat air-gap security as a layered defense rather than a binary “secure/insecure” state.

  • Key Takeaway 2: The future of data exfiltration will increasingly target the physical layer. As network defenses improve, attackers will continue to innovate using acoustic, thermal, optical, and electromagnetic channels. Defensive strategies must evolve to include physical monitoring, shielding, and architectural changes like fiber-optic video links.

Analysis:

TrojPix represents a paradigm shift in air-gap security, not because it introduces a fundamentally new concept—TEMPEST research dates back decades—but because it achieves a combination of speed, range, and stealth that makes the attack practical for real-world espionage. The ability to exfiltrate a megabyte per second over 208 meters with no hardware modifications and no system privileges moves this from theoretical research to an actionable threat. For defenders, the challenge is immense: software patches cannot fix physics. The only viable long-term solutions involve hardware changes (fiber-optic video, EM shielding) and rigorous malware prevention. However, the widespread adoption of such measures is costly and slow, leaving many organizations exposed.

Prediction:

  • +1 The disclosure of TrojPix will accelerate investment in fiber-optic video infrastructure and TEMPEST-certified facilities, driving innovation in secure hardware design and creating new markets for electromagnetic shielding solutions.

  • -1 TrojPix-like attacks will be weaponized by sophisticated state actors within 12-24 months, targeting government, military, and corporate research facilities that rely on air-gapped networks but have not yet implemented physical-layer defenses.

  • -1 The speed and range of TrojPix make it particularly dangerous for insider threats, where an employee with authorized access could introduce the malware, and an external accomplice with a receiver could exfiltrate data from outside the building.

  • +1 The cybersecurity community will develop new detection tools leveraging machine learning to identify anomalous EM emissions, creating a new category of “physical-layer intrusion detection systems.”

  • -1 Organizations that delay mitigation will face significant data breach risks, as air-gapped networks become prime targets for attackers seeking high-value intellectual property and classified information.

▶️ Related Video (86% Match):

https://www.youtube.com/watch?v=0rv2996e3S0

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Cybersecuritynews Share – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky