Mastodon Mastodon Mastodon Mastodon

TrojPix reveals fast RF exfiltration from air-gapped PCs

Photo of author

CyberSecureFox Editorial Team

Published:

Researchers from Shandong University have presented TrojPix, a data exfiltration technique for physically isolated (air-gapped) computers that uses imperceptible pixel modulation on the screen to generate a radio-frequency signal via the video cable. According to the researchers, the channel’s peak throughput reaches 8.1 Mbit/s with a range of up to 208 meters, which is orders of magnitude higher than previously known covert channels of this class. The method requires the target machine to be pre-infected with malware and is not a means of initial access — it is purely a channel for exfiltrating stolen data. The work has been accepted for publication at the USENIX Security 2026 conference.

How imperceptible pixel modulation works

The method, which the authors call imperceptible pixel modulation, is based on the fact that any copper video cable (HDMI, VGA, DisplayPort) produces unintentional electromagnetic emissions when transmitting a signal. TrojPix deliberately generates pixel patterns that are invisible to the human eye but produce a predictable radio-frequency signal that can be decoded by a receiver at a distance.

As reported, TrojPix does not require administrator privileges or any hardware modifications — user-level malware capable of drawing images to the screen is sufficient. The researchers describe two camouflage modes:

  • Simulating a turned-off display — the screen remains dark while the covert transmission continues. To an observer, the monitor appears to be switched off.
  • Embedding into regular content — the signal is encoded within the normal image on the screen, and visually the content is indistinguishable from ordinary output.

According to the researchers, the technique was tested on nine monitor brands and fifteen types of video cables, indicating the generality of the approach. However, it should be noted that the 8.1 Mbit/s throughput and 208-meter range were achieved in laboratory conditions and were measured separately, not simultaneously. In real-world environments, walls, shielding, and electromagnetic interference will significantly reduce both parameters.

Context: from TEMPEST to modern covert channels

Using unintentional electromagnetic emissions to intercept data is not a new idea. The TEMPEST program, which studies compromising emissions of electronic equipment, has existed for decades. However, TrojPix stands out from its predecessors in terms of transmission speed. Most known covert channels for isolated systems operate at speeds from a few bits to kilobits per second.

For comparison, the TEMPEST-LoRa method, which uses a similar principle with LoRa-standard receivers, reportedly reached 21.6 kbit/s at a distance of 87.5 meters. The claimed throughput of TrojPix exceeds this by hundreds of times, although a direct comparison is inaccurate due to differences in receivers and testing conditions.

At a speed of 8.1 Mbit/s, a 100 MB file could theoretically be transmitted in under two minutes. This fundamentally changes the threat model: instead of slow leakage of passwords or encryption keys, we are talking about potential exfiltration of entire databases or document archives.

At the same time, it is important to emphasize that all such channels based on electromagnetic emissions remain laboratory research. Real-world attacks on isolated systems — Stuxnet, Agent.BTZ — crossed the air gap via USB drives, not radio channels.

Who is at risk

TrojPix poses a potential threat to organizations that rely on physical isolation as the primary line of defense for critical data:

  • Military and intelligence facilities with classified networks
  • Industrial control systems (ICS/SCADA) in critical infrastructure
  • Financial institutions with isolated segments for transaction processing
  • Research laboratories handling confidential intellectual property

The key limitation is the need to pre-infect the target machine. Without malware on the isolated computer, TrojPix is useless. This significantly narrows its practical applicability but does not eliminate the threat: history shows that introducing malicious code into isolated networks is possible via supply chains, insiders, or infected removable media.

Mitigation recommendations

It is impossible to eliminate the unintentional electromagnetic emissions of a copper cable by software means — this is an inherent physical property of the conductor. Defense measures are built on several levels:

  • Fiber-optic video connections — replacing copper video cables with fiber-optic ones completely eliminates radio-frequency emissions as a leakage channel.
  • Shielding of rooms and cables — facilities certified to TEMPEST standards already implement such measures. Others should assess the need for shielding based on the classification of the data they process.
  • Integrity control of the software environment — preventing infection of isolated systems remains the primary measure. Strict control of removable media, verification of software supply chains, and monitoring of anomalous activity at the user level are essential.
  • Monitoring the radio-frequency spectrum — for high-risk facilities, it is advisable to monitor the electromagnetic environment near isolated systems.

TrojPix demonstrates that physical network isolation does not equal absolute data security. Organizations protecting critical information in isolated segments should audit their video connections for the use of copper cables and assess whether a migration to fiber-optic connections is warranted, as well as ensure that measures to prevent infection of isolated machines match the sensitivity level of the protected data.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.