TempMail Ninja
//

TrojPix Attack: Exfiltrating Air-Gapped Data via Invisible Pixels

5 min read
TempMail Ninja
TrojPix Attack: Exfiltrating Air-Gapped Data via Invisible Pixels

The Silent Emission: How the TrojPix Attack Turns Video Cables into Spy Transmitters

In the high-stakes arena of elite cybersecurity and global intelligence, the physical “air gap” has long stood as the gold standard of defense. By physically disconnecting high-value assets—such as military databases, nuclear control systems, and classified government networks—from the public internet and local intranets, administrators assumed they had created an impenetrable digital fortress. However, this foundational paradigm has been fundamentally disrupted by the discovery of the TrojPix attack. Developed by a pioneering team of security researchers from Shandong University and the Quan Cheng Laboratory, this novel exploit demonstrates that standard digital video cables can be coerced via user-mode software into broadcasting highly structured, high-speed radio waves over hundreds of meters, successfully bypassing the most stringent physical isolations.

Slated for presentation at the prestigious 35th USENIX Security Symposium (USENIX Security ’26), this breakthrough bridges the gap between classic Cold War espionage lore and cutting-edge software-defined radio (SDR) exploitation. Historically, electromagnetic leakage attacks—often grouped under the classified military umbrella of “TEMPEST”—were highly complex, painfully slow, and required expensive physical modifications. The TrojPix attack shatters these historical constraints. It requires no administrator privileges, no hardware modifications, and operates entirely in user space. By subtly manipulating the pixels displayed on a screen, the malware transforms ordinary, off-the-shelf HDMI and DisplayPort cables into high-powered, unintended radio antennas.

The Legacy of TEMPEST: From Passive Eavesdropping to Active Weaponization

The concept of compromising electromagnetic emanations dates back to the mid-20th century. Under the codename TEMPEST, the U.S. National Security Agency (NSA) and other military intelligence bodies studied how early cryptographic systems, teleprinters, and computers leaked sensitive data through unintentional acoustic, electrical, or radio frequency (RF) signals. In those early espionage operations, attackers used passive, highly sensitive receivers to capture the ambient electromagnetic noise generated by CRT monitors (a process later popularized as “Van Eck phreaking”) to reconstruct what was on a victim’s screen.

In contrast, the modern TrojPix attack represents an active weaponization of these emissions. Rather than passively listening to the random, disorganized noise generated by computer circuitry, the TrojPix malware actively dictates and shapes the electromagnetic output. It uses the physical copper lines inside modern digital video cables as a software-defined transmitter. While previous academic attempts to establish electromagnetic covert channels (such as TEMPEST-LoRa in 2025) achieved extremely low transfer rates of just 21.6 kbps over distances of 87.5 meters, TrojPix introduces an unprecedented efficiency that elevates electromagnetic exfiltration from a theoretical proof-of-concept to a highly viable, devastating tool of modern cyber espionage.

Under the Hood: Exploiting Transition-Minimized Differential Signaling (TMDS)

To appreciate how this exploit achieves such spectacular performance, one must examine the physical layer of modern digital video standards. High-Definition Multimedia Interface (HDMI) and Digital Visual Interface (DVI) rely on a protocol known as Transition-Minimized Differential Signaling (TMDS). DisplayPort uses a conceptually similar high-speed serialized scheme. The core purpose of TMDS is to transmit massive amounts of high-definition video data over copper wires while minimizing electromagnetic interference (EMI) that could degrade the signal or disrupt nearby electronics.

TMDS achieves this minimization through an 8b/10b encoding algorithm that reduces the number of transitions (from 0 to 1, or 1 to 0) in the physical voltage. By reducing transitions, the system keeps electromagnetic radiation to a minimum. The researchers behind TrojPix realized that this optimization could be reverse-engineered and exploited. By introducing micro-adjustments to the color values of the pixels sent to the screen, the malware can systematically control the exact pattern of 1s and 0s processed by the TMDS encoder.

Specifically, by manipulating the least significant bit (LSB) of the blue channel of displayed pixels, the malware changes the data stream in a way that is mathematically designed to maximize or minimize transitions at exact, deterministic intervals. These rapid, controlled transitions translate physically into alternating electric currents running along the copper conductors of the video cable. In accordance with Maxwell’s equations, these alternating currents generate corresponding radio frequency (RF) waves that radiate into the surrounding environment. In essence, the HDMI cable becomes a dipole antenna, and the pixel color adjustments act as the modulator.

Decoding the TrojPix Attack: Transmission Speeds, Range, and Hardware Setup

The physical capabilities demonstrated by the Shandong University researchers are nothing short of revolutionary for the field of side-channel security. Where historical air-gap exfiltration methods—such as manipulating CPU temperatures, forcing motherboard coils to hum, or flashing keyboard LEDs—crawled along at single-digit bits or kilobits per second, TrojPix performs at a speed that changes the security threat landscape.

The researchers evaluated the TrojPix attack under rigorous experimental conditions, yielding the following results:

  • Unprecedented Throughput: The attack achieved a peak transmission speed of 8.1 Mbps. At roughly one megabyte per second, this means a highly confidential 100 MB database or document archive can be exfiltrated in less than two minutes.
  • Extended Range: The signal remains highly robust at distances up to 208 meters (approximately 682 feet) from the target system.
  • Concrete Penetration: The physical barrier of a 30-centimeter (nearly 12-inch) thick reinforced concrete wall was insufficient to block the signal, allowing the exfiltrated data to escape heavily secured building interiors.
  • Broad Compatibility: The attack was successfully tested across 9 distinct major monitor brands and 15 different commodity video cables, proving that the exploit relies on universal protocol designs rather than unique hardware flaws.
  • High Accuracy: The transmission achieved an initial raw bit-correct rate of nearly 99%, which was elevated to 100% error-free data recovery using standard forward error correction (FEC) algorithms.

On the receiving end of the channel, a threat actor does not need exotic, military-grade hardware. The researchers demonstrated that the radiated RF signals could be captured using a commercial USRP X310 software-defined radio (

TN

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.