TrojPix Attack Leaks Data From Air-Gapped Systems Through Video Cable Emissions
What happened
Researchers at Shandong University demonstrated a new air-gap data exfiltration technique called TrojPix that leaks information from isolated computers through video cable emissions. The method works by subtly modifying on-screen pixels in ways that are not visible to the human eye, causing the video cable carrying the display signal to emit faint radio signals that a nearby receiver can decode.
TrojPix is not an initial access method. Malware must already be present on the target machine, meaning the technique is a covert exfiltration channel rather than a way to compromise an air-gapped system from scratch. In testing, the researchers reported peak throughput of 8.1 Mbps and a maximum range of 208 meters, measured separately rather than at the same time. At that speed, the method could theoretically move a 100 MB file in under two minutes.
The technique does not require administrator privileges or hardware modifications. User-level malware that can draw to the screen is enough. Researchers described two concealment methods: one that makes the display appear powered off while transmitting, and another that hides the signal inside ordinary on-screen content. The method reportedly worked across nine monitor brands and fifteen video cables.
The Hacker News noted that this remains lab-stage research, not a technique observed in real-world attacks. Known air-gap intrusions such as Stuxnet and Agent.BTZ crossed isolation boundaries through USB drives rather than radio emissions. Still, TrojPix shows how fast covert channels could become once an attacker has already infected a supposedly isolated machine.
Who is affected
Organizations operating air-gapped or highly isolated systems are most affected, especially in defense, government, industrial control, research, energy, and critical infrastructure environments.
The technique is relevant to systems that use copper video cables and handle highly sensitive data, particularly where attackers could place or conceal a radio receiver within range.
The risk is highest if an attacker can first get malware onto the air-gapped machine. Without that foothold, TrojPix has no data to transmit.
Why CISOs should care
TrojPix highlights that air gaps reduce network exposure but do not eliminate every exfiltration path. Once malware reaches an isolated machine, physical emissions from ordinary peripherals can become covert communication channels.
For CISOs, the throughput is the key concern. Many air-gap covert channels are slow enough to leak only small secrets, but TrojPix’s reported peak speed could enable faster movement of larger files under test conditions.
The method also reinforces the importance of physical security. Range depends on walls, shielding, noise, cable type, and receiver placement, which means secure facilities need to consider both endpoint controls and the surrounding electromagnetic environment.
The practical lesson is that air-gapped security still starts with malware prevention. If the attacker cannot introduce code onto the isolated system, the covert channel cannot operate.
3 practical actions
Prevent malware from reaching air-gapped systems: TrojPix requires malware already installed on the target. CISOs should strengthen removable media controls, software allowlisting, secure update procedures, and strict transfer workflows for isolated environments.
Review video cable and facility exposure: The technique relies on emissions from video cables. High-security environments should consider fiber-optic display links, shielded cables, controlled zones, and TEMPEST-style protections where the data sensitivity justifies them.
Monitor for suspicious display and process behavior: User-level malware can trigger the channel by manipulating pixels. Security teams should watch for unauthorized processes drawing to the screen, abnormal graphics activity, unexpected screen blanking behavior, and unusual software on air-gapped workstations.
More cybersecurity news:


