Full Report
Researchers at Shandong University have shown a fast new way to pull data off computers that are cut off from every network. The technique, called TrojPix, tweaks on-screen pixels in ways the eye cannot see, so that the video cable carrying them radiates a faint radio signal a nearby receiver can decode. But TrojPix works only once malware is already on the target machine, so it
Analysis Summary
# Research: TrojPix: Stealing Data from Air-Gapped Computers via Video Cable Emissions
## Metadata
- **Authors:** Guoming Zhang, et al.
- **Institution:** Shandong University
- **Publication:** USENIX Security Symposium
- **Date:** July 2026 (Reported)
## Abstract
TrojPix is a high-speed exfiltration technique designed to leak data from air-gapped systems by exploiting electromagnetic emanations from video cables. By utilizing "imperceptible pixel modulation," malware on a target system manipulates on-screen pixels to generate radio frequency (RF) signals that can be intercepted and decoded by a nearby receiver. Unlike previous air-gap channels that operate at kilobit speeds, TrojPix achieves megabit-per-second throughput, making the theft of large files feasible in minutes.
## Research Objective
The research addresses the challenge of high-speed data exfiltration from air-gapped systems—computers physically isolated from the internet. The primary question is whether standard display hardware can be turned into a high-bandwidth transmitter without specialized hardware modifications or administrator privileges.
## Methodology
### Approach
The researchers developed a software-based "pixel modulation" technique. By subtly changing the color and intensity values of pixels sent to a monitor, they manipulate the frequency and patterns of the electromagnetic interference (EMI) radiated by the copper video cable. This transforms the cable into a makeshift antenna.
### Dataset/Environment
- **Hardware Diversity:** Tested across 9 different monitor brands and 15 different video cables to ensure generalizability.
- **Scenarios:** The team tested the attack in two modes:
1. **"Dark" Mode:** Transmitting while pretending the screen is powered off.
2. **"Camouflage" Mode:** Embedding signals within legitimate on-screen content (steganography).
### Tools & Technologies
- **Malware:** User-level software (requires no root/admin access).
- **Receiver:** A dedicated radio receiver capable of decoding the specific RF emanations from the video cables.
## Key Findings
### Primary Results
1. **High Throughput:** Achieved a peak data transfer rate of **8.1 Mbps**, significantly faster than existing covert channels.
2. **Extended Range:** Demonstrated a maximum transmission distance of **208 meters** (measured independently of peak speed).
3. **Low Privilege Requirement:** The attack can be executed by standard user-level malware with permission to draw to the screen.
### Supporting Evidence
- A 100 MB file could be exfiltrated in under two minutes at peak speeds.
- The technique proved successful across a wide variety of commercial-off-the-shelf (COTS) hardware, indicating a systemic vulnerability in copper-based video transmission.
### Novel Contributions
- **Imperceptible Pixel Modulation:** A method that achieves high-bandwidth RF signaling without alerting a human observer looking at the screen.
- **Speed Benchmark:** Moving from "bits per second" to "megabits per second" transforms the threat model from simple credential theft to full-scale document exfiltration.
## Technical Details
The attack exploits the physical properties of video signals. As a GPU sends pixel data to a monitor via a copper cable, the transition of electrical signals creates electromagnetic emanations. By precisely controlling the timing and values of these pixel transitions through software, the malware "tunes" these emanations into a modulated radio signal. This signal carries binary data that a receiver can capture and reconstruct into the original files.
## Practical Implications
### For Security Practitioners
- **Expanded Threat Model:** Air-gapped systems are no longer safe from large-scale data theft if an attacker achieves a software foothold.
- **Stealth:** The ability to transmit while the screen appears "off" means the attack can occur during non-business hours or when the machine is unattended.
### For Defenders
- **Physical Isolation:** Use fiber-optic video links instead of copper, as fiber does not emit RF signals.
- **Hardware Shielding:** Implement TEMPEST-rated shielding for high-security environments to contain electromagnetic leakage.
- **Zero-Trust Software:** Focus on preventing initial malware infection (e.g., via USB or supply chain), as the physical emanation itself cannot be "patched" in software.
### For Researchers
- Opens opportunities to investigate other COTS components (like power supplies or LEDs) for high-speed electromagnetic side channels.
## Limitations
- **Pre-requisite Infection:** The attack is an exfiltration vector and requires the system to be pre-compromised (e.g., via an "infected" USB drive).
- **Environmental Noise:** Real-world performance may be degraded by walls, electronic interference, or shielding in commercial buildings.
- **Speed vs. Distance:** The peak speed (8.1 Mbps) and peak distance (208m) were likely achieved under different, optimized conditions and may not be achievable simultaneously.
## Comparison to Prior Work
- **vs. TEMPEST-LoRa:** While earlier work used similar principles to hit 21.6 kbps at 87.5 meters, TrojPix is hundreds of times faster.
- **vs. PIXHELL:** PIXHELL used display components to generate *acoustic* signals, which are much slower and limited by the speed of sound and audible noise floors.
- **vs. Hardware Implants:** Unlike Ethernet-based "Etherled" attacks, TrojPix requires no physical modification to the hardware.
## Real-world Applications
- **Cyber Espionage:** Targeted theft of proprietary blueprints, sensitive documents, or encryption keys from air-gapped government or research facilities.
- **Implementation:** Could be delivered via a malicious "USB rubber ducky" or a supply chain attack on display drivers.
## Future Work
- Improving the robustness of the signal against environmental interference.
- Developing real-time detection mechanisms that monitor for unusual RF patterns in the frequency bands used by video cables.
## References
- *Zhang, G., et al. "TrojPix: Imperceptible Pixel Modulation for High-Speed Covert Channels." USENIX Security 2026.*
- *Related:* TEMPEST-LoRa (CCS 2025); PIXHELL (2024).