TrojPix Attack Uses Imperceptible Pixels to Exfiltrate Data From Air-Gapped Networks

Researchers have disclosed TrojPix, a covert channel attack that uses imperceptible pixel modulation over standard video cables to exfiltrate data from air-gapped networks at distances up to 208 metres, without administrator access or hardware tampering.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region4 min read
Air-gapped network security research setup examining electromagnetic emissions from a video cable

Air-gapped network security research setup examining electromagnetic emissions from a video cable

TrojPix, a newly disclosed covert channel attack, shows that air gapped networks, long treated as a gold standard for isolating the most sensitive systems, are not as isolated as assumed.

The research, published via USENIX Security, demonstrates that malware running with only user mode privileges can turn an ordinary digital video cable into an unintended antenna, leaking data to an attacker positioned up to 208 metres away.

How the attack works

TrojPix exploits Transition Minimized Differential Signaling, the encoding scheme used in HDMI and similar digital video interfaces.

  • The Emission: High-speed switching currents from transmitted pixel values inevitably radiate electromagnetic energy along the video cable.
  • The Signal: By making subtle, imperceptible modifications to the least significant bits of colour channels, malware shapes this emission into a controllable signal. This effectively repurposes the cable into a software-defined radio.
  • The Access: The exploit requires zero administrator rights, driver installations, or physical hardware tampering.

To achieve this, the system uses a technique called Pixel-to-Sample Mapping. This precisely aligns two-dimensional pixel blocks with one-dimensional receiver sampling instants, pushing data rates close to the receiver’s maximum sampling capacity.

On the receiving end, data extraction relies on three core components:

  • A matched filter correlation module for precise synchronisation.
  • A boundary-aware detector to locate row boundaries.
  • An adaptive decision threshold to compensate for signal degradation over long distances.

Built to leave no visible trace

TrojPix operates through two delivery methods, both designed to leave zero visible trace on the victim's screen.

  • Fake Screen-Off Mode: Disguises the display as powered down while the cable secretly continues transmitting. It halts instantly if any user interaction is detected.
  • Foreground Embedding Mode: Weaves covert data directly into whatever is already on the screen through minute pixel or colour adjustments, allowing the machine to be used normally.

In a study of 50 volunteers, none could perceive any visual difference between either mode, and image similarity scores confirmed near perfect visual fidelity.

Performance that outpaces prior methods

Tested across nine commercial monitor brands and fifteen video cables from multiple manufacturers, TrojPix achieved an average bit correct rate above 99%, reaching 100% accuracy after error correction in most configurations.

The attack sets a new benchmark for air-gap exploitation:

  • Peak Throughput: 8.1 megabits per second (Mbps).
  • Maximum Range: 208 metres (drastically outperforming the 300 Kbps and 87.5-metre range of previous electromagnetic methods).
  • Wall Penetration: Successfully penetrated a 30-centimetre-thick concrete wall with only a marginal drop in accuracy.
  • Payload Capacity: Entire file payloads up to 10 megabytes (MB) transferred with complete bit and character accuracy.

The signal also remained highly resilient against interference from nearby active monitors and several shielding materials, though tinned copper shielding proved to be the most effective physical barrier.

Why this matters for GCC critical infrastructure

Air gapped systems are the default protection model for the environments GCC governments care most about protecting: military command centres, financial clearing systems, and industrial control environments across energy and utilities, a testing landscape we examined in our penetration testing regulatory guide for GCC vendors.

Many of these same critical infrastructure operators fall under frameworks such as Saudi Arabia's National Cybersecurity Authority controls, which increasingly expect defence in depth beyond network based controls alone. TrojPix is a reminder that air gapping is a physical isolation assumption, not a cryptographic guarantee, and that electromagnetic side channels deserve the same scrutiny as network based ones in any environment where compromise would be catastrophic rather than merely costly.

Recommended defences

The researchers recommend a layered approach to secure vulnerable environments:

  • Physical Shielding: Deploying Faraday cage-style electromagnetic shielding around video cables and critical hardware components.
  • Signal Jamming: Implementing radio frequency (RF) interference equipment to actively jam the target frequency band.
  • Interface Migration: Transitioning long-term to electromagnetic leakage-free interfaces, such as fibre-optic video links.
  • Software Mitigation: Randomising transmission sequences and applying pixel-smoothing algorithms to reduce exploitable bit-flip patterns (though both add implementation cost and complexity).

For security teams managing air-gapped environments, the immediate, practical first step is simple: stop assuming video cabling is safe by default and formally add it to your attack surface risk assessments.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

Threat IntelligenceCritical Infrastructure SecurityEmerging Attack Techniques