New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- Shandong University researchers developed TrojPix, which tweaks on-screen pixels in ways the eye cannot see so the video cable carrying them radiates a faint radio signal a nearby receiver can decode, leaking data from air-gapped machines.
- The method hits a peak throughput of 8.1 Mbps and reaches up to 208 meters (measured separately) — roughly a megabyte per second, enough to move a 100 MB file in under two minutes.
- TrojPix requires no admin rights and no hardware changes — user-level malware that can draw to the screen is enough, and it only works as an exfiltration channel after the machine is already compromised.
- The team tested across nine monitor brands and fifteen video cables, and described two concealment modes: a fake powered-off dark display and signals hidden in normal-looking on-screen content.
- The closest published predecessor, TEMPEST-LoRa (CCS 2025), topped out at 87.5 meters and 21.6 kbps — TrojPix's throughput is hundreds of times higher, though under different receiver conditions.
- Countermeasures can't patch the emission itself; the source points to fiber-optic video links (which carry no such signal), cable and room shielding, and — above all — keeping the initial malware off the box.
- The source notes PIXHELL, a 2024 screen-based channel that leaked data via display-emitted sound, and reminds readers that real-world air-gap attacks like Stuxnet and Agent.BTZ crossed the gap on USB drives, not radio.
Why it matters: Air-gapped systems — government, defense, critical infrastructure — have historically only risked kilobit-per-second password leaks over covert channels. TrojPix's 8.1 Mbps throughput means a 100 MB file can exit in under two minutes, shifting the threat from data trickle to bulk exfiltration that can't be patched out, only physically blocked.



