TrojPix: New EM Covert-Channel Attack Exfiltrates Data from Air-Gapped Networks at Unprecedented Speeds
Researchers at USENIX Security have unveiled TrojPix, a novel electromagnetic (EM) covert-channel attack that exploits invisible pixel modulation to steal data from air-gapped systems networks physically isolated from external connections. The technique turns standard digital video cables into unintended antennas, enabling malware to leak sensitive files to attackers up to 208 meters away without requiring admin privileges, hardware modifications, or visible traces.
How TrojPix Works
TrojPix leverages Transition-Minimized Differential Signaling (TMDS), the encoding scheme used in HDMI and similar interfaces, which generates EM emissions during pixel transmission. By subtly altering the least significant bits of color channels, the malware shapes these emissions into a controllable signal, effectively repurposing the cable as a software-defined radio.
Key technical features include:
- Pixel-to-Sample Mapping (P2S-Map): Aligns 2D pixel blocks with receiver sampling to maximize data rates.
- Matched-filter correlation & adaptive thresholding: Ensures robust decoding despite noise, jitter, and distance.
- Two stealth modes:
- Fake screen-off: Displays a black screen while secretly transmitting data, halting if user interaction is detected.
- Foreground embedding: Embeds covert data into on-screen content via imperceptible pixel adjustments.
A study of 50 volunteers found no detectable visual differences, with SSIM scores of 0.998–0.999 confirming near-perfect fidelity. Testing across nine monitor brands (Dell, Samsung, LG, etc.) and 15 cable types achieved >99% bit accuracy, with 100% payload integrity for files up to 10 MB.
Performance & Real-World Impact
TrojPix outperforms prior EM exfiltration methods, including:
- Peak throughput: 8.1 Mbps (vs. 300 kbps for BitJabber).
- Max range: 208 meters (vs. 87.5 m for Tempest-LoRa).
- Stealth: Fully imperceptible (unlike visually detectable prior attacks).
The attack penetrated a 30 cm-thick concrete wall with minimal accuracy loss (99.96% → 99.14%) and remained effective against EM shielding, though tinned-copper shielding proved most effective. It also evaded interference from nearby active monitors.
Mitigation Recommendations
USENIX suggests layered defenses, including:
- Faraday-cage-style EM shielding around cables and components.
- RF jamming of target frequency bands.
- Migration to fiber-optic video links to eliminate EM leakage.
- Randomized TMDS sequences and pixel-smoothing algorithms to disrupt exploitable patterns (though these add complexity).
TrojPix exposes a critical vulnerability in air-gapped systems, which are widely used in military, government, financial, and nuclear control environments, challenging the assumption of their invulnerability to remote exfiltration.
Source: https://cyberpress.org/trojpix-attack-air-gapped/
Dell TPRM report: https://www.rankiteo.com/company/delltechnologies
"id": "del1783347979",
"linkid": "delltechnologies",
"type": "Vulnerability",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Defense',
'name': 'Military organizations',
'type': 'Government'},
{'industry': 'Public Sector',
'name': 'Government agencies',
'type': 'Government'},
{'industry': 'Finance',
'name': 'Financial institutions',
'type': 'Private'},
{'industry': 'Energy',
'name': 'Nuclear control facilities',
'type': 'Critical Infrastructure'}],
'attack_vector': 'Electromagnetic (EM) covert-channel via HDMI/TMDS encoding',
'data_breach': {'data_exfiltration': True,
'sensitivity_of_data': 'High (military, government, '
'financial, nuclear control data)',
'type_of_data_compromised': 'Sensitive files (e.g., '
'documents, control system data)'},
'description': 'Researchers at USENIX Security unveiled TrojPix, a novel '
'electromagnetic (EM) covert-channel attack that exploits '
'invisible pixel modulation to steal data from air-gapped '
'systems. The technique turns standard digital video cables '
'into unintended antennas, enabling malware to leak sensitive '
'files to attackers up to 208 meters away without requiring '
'admin privileges, hardware modifications, or visible traces.',
'impact': {'data_compromised': 'Sensitive files (up to 10 MB)',
'operational_impact': 'Potential compromise of isolated critical '
'systems (military, government, financial, '
'nuclear control)',
'systems_affected': 'Air-gapped networks with HDMI/DVI interfaces'},
'lessons_learned': 'Air-gapped systems are not invulnerable to remote '
'exfiltration; EM covert-channels pose a significant '
'threat to physically isolated networks. Traditional '
'security assumptions must be re-evaluated.',
'post_incident_analysis': {'corrective_actions': ['EM shielding',
'Fiber-optic migration',
'RF jamming',
'TMDS sequence '
'randomization'],
'root_causes': 'Exploitation of inherent EM '
'emissions from HDMI/TMDS '
'interfaces in air-gapped systems'},
'recommendations': ['Implement Faraday-cage-style EM shielding for critical '
'systems',
'Use fiber-optic video links instead of HDMI/DVI',
'Deploy RF jamming in high-security environments',
'Develop and test randomized TMDS sequences to disrupt '
'exploitable patterns',
'Enhance monitoring for anomalous EM emissions'],
'references': [{'source': 'USENIX Security'}],
'response': {'remediation_measures': ['Faraday-cage-style EM shielding around '
'cables and components',
'RF jamming of target frequency bands',
'Migration to fiber-optic video links',
'Randomized TMDS sequences and '
'pixel-smoothing algorithms']},
'title': 'TrojPix: New EM Covert-Channel Attack Exfiltrates Data from '
'Air-Gapped Networks',
'type': 'Data Exfiltration',
'vulnerability_exploited': 'Transition-Minimized Differential Signaling '
'(TMDS) in HDMI/DVI interfaces'}