Dell: TrojPix Attack Uses Imperceptible Pixels to Steal Data From Air-Gapped Networks

Dell: TrojPix Attack Uses Imperceptible Pixels to Steal Data From Air-Gapped Networks

TrojPix: New EM Covert-Channel Attack Exfiltrates Data from Air-Gapped Networks at Unprecedented Speeds

Researchers at USENIX Security have unveiled TrojPix, a novel electromagnetic (EM) covert-channel attack that exploits invisible pixel modulation to steal data from air-gapped systems networks physically isolated from external connections. The technique turns standard digital video cables into unintended antennas, enabling malware to leak sensitive files to attackers up to 208 meters away without requiring admin privileges, hardware modifications, or visible traces.

How TrojPix Works

TrojPix leverages Transition-Minimized Differential Signaling (TMDS), the encoding scheme used in HDMI and similar interfaces, which generates EM emissions during pixel transmission. By subtly altering the least significant bits of color channels, the malware shapes these emissions into a controllable signal, effectively repurposing the cable as a software-defined radio.

Key technical features include:

  • Pixel-to-Sample Mapping (P2S-Map): Aligns 2D pixel blocks with receiver sampling to maximize data rates.
  • Matched-filter correlation & adaptive thresholding: Ensures robust decoding despite noise, jitter, and distance.
  • Two stealth modes:
    • Fake screen-off: Displays a black screen while secretly transmitting data, halting if user interaction is detected.
    • Foreground embedding: Embeds covert data into on-screen content via imperceptible pixel adjustments.

A study of 50 volunteers found no detectable visual differences, with SSIM scores of 0.998–0.999 confirming near-perfect fidelity. Testing across nine monitor brands (Dell, Samsung, LG, etc.) and 15 cable types achieved >99% bit accuracy, with 100% payload integrity for files up to 10 MB.

Performance & Real-World Impact

TrojPix outperforms prior EM exfiltration methods, including:

  • Peak throughput: 8.1 Mbps (vs. 300 kbps for BitJabber).
  • Max range: 208 meters (vs. 87.5 m for Tempest-LoRa).
  • Stealth: Fully imperceptible (unlike visually detectable prior attacks).

The attack penetrated a 30 cm-thick concrete wall with minimal accuracy loss (99.96% → 99.14%) and remained effective against EM shielding, though tinned-copper shielding proved most effective. It also evaded interference from nearby active monitors.

Mitigation Recommendations

USENIX suggests layered defenses, including:

  • Faraday-cage-style EM shielding around cables and components.
  • RF jamming of target frequency bands.
  • Migration to fiber-optic video links to eliminate EM leakage.
  • Randomized TMDS sequences and pixel-smoothing algorithms to disrupt exploitable patterns (though these add complexity).

TrojPix exposes a critical vulnerability in air-gapped systems, which are widely used in military, government, financial, and nuclear control environments, challenging the assumption of their invulnerability to remote exfiltration.

Source: https://cyberpress.org/trojpix-attack-air-gapped/

Dell TPRM report: https://www.rankiteo.com/company/delltechnologies

"id": "del1783347979",
"linkid": "delltechnologies",
"type": "Vulnerability",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Defense',
                        'name': 'Military organizations',
                        'type': 'Government'},
                       {'industry': 'Public Sector',
                        'name': 'Government agencies',
                        'type': 'Government'},
                       {'industry': 'Finance',
                        'name': 'Financial institutions',
                        'type': 'Private'},
                       {'industry': 'Energy',
                        'name': 'Nuclear control facilities',
                        'type': 'Critical Infrastructure'}],
 'attack_vector': 'Electromagnetic (EM) covert-channel via HDMI/TMDS encoding',
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'High (military, government, '
                                        'financial, nuclear control data)',
                 'type_of_data_compromised': 'Sensitive files (e.g., '
                                             'documents, control system data)'},
 'description': 'Researchers at USENIX Security unveiled TrojPix, a novel '
                'electromagnetic (EM) covert-channel attack that exploits '
                'invisible pixel modulation to steal data from air-gapped '
                'systems. The technique turns standard digital video cables '
                'into unintended antennas, enabling malware to leak sensitive '
                'files to attackers up to 208 meters away without requiring '
                'admin privileges, hardware modifications, or visible traces.',
 'impact': {'data_compromised': 'Sensitive files (up to 10 MB)',
            'operational_impact': 'Potential compromise of isolated critical '
                                  'systems (military, government, financial, '
                                  'nuclear control)',
            'systems_affected': 'Air-gapped networks with HDMI/DVI interfaces'},
 'lessons_learned': 'Air-gapped systems are not invulnerable to remote '
                    'exfiltration; EM covert-channels pose a significant '
                    'threat to physically isolated networks. Traditional '
                    'security assumptions must be re-evaluated.',
 'post_incident_analysis': {'corrective_actions': ['EM shielding',
                                                   'Fiber-optic migration',
                                                   'RF jamming',
                                                   'TMDS sequence '
                                                   'randomization'],
                            'root_causes': 'Exploitation of inherent EM '
                                           'emissions from HDMI/TMDS '
                                           'interfaces in air-gapped systems'},
 'recommendations': ['Implement Faraday-cage-style EM shielding for critical '
                     'systems',
                     'Use fiber-optic video links instead of HDMI/DVI',
                     'Deploy RF jamming in high-security environments',
                     'Develop and test randomized TMDS sequences to disrupt '
                     'exploitable patterns',
                     'Enhance monitoring for anomalous EM emissions'],
 'references': [{'source': 'USENIX Security'}],
 'response': {'remediation_measures': ['Faraday-cage-style EM shielding around '
                                       'cables and components',
                                       'RF jamming of target frequency bands',
                                       'Migration to fiber-optic video links',
                                       'Randomized TMDS sequences and '
                                       'pixel-smoothing algorithms']},
 'title': 'TrojPix: New EM Covert-Channel Attack Exfiltrates Data from '
          'Air-Gapped Networks',
 'type': 'Data Exfiltration',
 'vulnerability_exploited': 'Transition-Minimized Differential Signaling '
                            '(TMDS) in HDMI/DVI interfaces'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.