Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions
New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions
NEWS

New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions

Researchers at Shandong University have demonstrated TrojPix, a covert channel attack that exfiltrates data from air-gapped computers by manipulating on-screen pixels to emit decodable radio signals through the video cable — no network required.

Dylan H.

News Desk

July 6, 2026
4 min read

Researchers at Shandong University have published details of TrojPix, a novel covert channel attack capable of exfiltrating data from air-gapped systems — computers deliberately isolated from all networks — by exploiting electromagnetic emissions from video cables.

How TrojPix Works

Air-gapped systems are often considered among the most secure computing environments because they have no network interfaces active. TrojPix sidesteps this protection entirely by operating at the physical layer.

The technique works as follows:

  1. Pixel manipulation — Malware on the target machine tweaks specific on-screen pixels in patterns invisible to the human eye
  2. RF emission — The video cable carrying the display signal radiates faint radio frequency (RF) signals as a byproduct of those pixel changes
  3. Interception — A nearby software-defined radio (SDR) receiver — potentially concealed in the same room — captures the RF emissions
  4. Decoding — The received signal is processed to reconstruct the exfiltrated data

The pixel changes are designed to be imperceptible to users, meaning the attack can operate continuously on an active workstation without triggering visual suspicion.

Why This Matters

Air-gapped networks are used in high-security environments: government classified networks, industrial control systems (ICS/SCADA), nuclear facility management, and financial clearing systems. The fundamental security assumption is that physical isolation prevents remote data theft.

TrojPix is the latest in a line of electromagnetic covert channel research that has progressively lowered the bar for air-gap attacks. Previous techniques have exploited:

  • Fan speed modulation (acoustic)
  • Hard drive LED activity (optical)
  • Power supply noise (electrical)
  • CPU thermal signatures (thermal)
  • USB bus emissions (RF)

TrojPix is notable because video cables are nearly universal — present even on systems that have had all wireless interfaces physically removed or disabled.

Technical Parameters

ParameterValue
ChannelElectromagnetic emissions from video cable (HDMI/DisplayPort/VGA)
TriggerControlled pixel pattern changes on-screen
ReceiverSoftware-defined radio (SDR)
DetectionInvisible to the unaided eye
PrerequisiteMalware execution on the target system

The research team demonstrated data rates sufficient to exfiltrate meaningful payloads — such as encryption keys, passwords, or classified documents — within a practical timeframe, depending on proximity of the receiver.

Threat Model

TrojPix requires that malware already be installed on the air-gapped system. This is not trivial: initial compromise of an air-gapped machine typically requires physical access (USB drop, supply chain attack) or exploitation of an update mechanism.

However, once installed, the attack provides a persistent, hard-to-detect exfiltration channel that survives any network-based security controls.

Who is at risk?

  • Organizations running classified or sensitive workloads on physically isolated systems
  • Industrial facilities with SCADA systems in security zones
  • Any environment where an insider threat or supply chain attack is plausible

Defensive Measures

MeasureEffectiveness
Physical RF shielding (Faraday cage/TEMPEST)High — blocks emissions at the source
Random screen noise / constant pixel activityModerate — degrades SNR of the covert channel
Video cable RF shielding (ferrite cores, shielded cables)Moderate — reduces cable emission amplitude
Endpoint monitoring for unusual GPU/display activityLow-Moderate — may detect anomalous rendering patterns
Physical security (no unauthorized RF receivers in room)High — removes the receiver from the attack chain

TEMPEST-certified equipment (electromagnetic emission shielding per NSA/NATO standards) remains the most reliable countermeasure for high-security environments.

Context: Growing Air-Gap Attack Surface

The TrojPix disclosure follows a sustained body of academic research demonstrating that air-gapped systems can be attacked through a variety of physical side channels. Security teams responsible for high-assurance environments should treat the air gap as one layer of a defence-in-depth strategy, not as a complete security boundary.

For most enterprise environments, TrojPix represents a theoretical rather than practical threat — the attack requires pre-existing malware installation, proximity for the receiver, and a high-value target worth the effort. But for the security posture of classified and critical infrastructure environments, this research reinforces the importance of TEMPEST controls and physical security.

References

  • The Hacker News — New TrojPix Attack Leaks Data From Air-Gapped Systems
  • TEMPEST/EMSEC standards — NSA CSS EPL, NATO SDIP-27

Related Reading

  • Zero-Day Scramble: Attack Surface Reduction
#Air Gap#Covert Channel#Research#Data Exfiltration#Hardware Security

Related Articles

Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input

Microsoft uncovered a fake Perplexity AI Chrome extension that silently captured every search query and address bar keystroke, routing the data to an...

3 min read

Leak Confirms OpenAI Is Testing a ChatGPT for Science Subscription

A leaked interface reveals OpenAI is developing a specialized ChatGPT subscription tier for scientific research, potentially offering tailored tools for...

3 min read

New ChatGPT Lockdown Mode Limits Tools That Could Enable Data Exfiltration

OpenAI has begun rolling out a new Lockdown Mode to ChatGPT for eligible personal accounts, restricting tool capabilities that could be exploited in prompt…

6 min read
Back to all News