Security researchers disclosed TrojPix, a novel technique for extracting data from physically isolated computers by manipulating how the display renders pixels and then capturing the resulting electromagnetic emissions from the video cable using a nearby radio receiver. The method adds a new covert exfiltration channel to a documented body of air-gap attack research, demonstrating that even the most stringently isolated systems remain vulnerable to physical side-channel techniques that treat the computer’s own hardware as an involuntary transmitter.
How TrojPix Uses Pixel Manipulation to Convert Video Cables Into Unintended Transmitters
Air-gapped computers — systems with no network connectivity, maintained in physical isolation to protect classified or otherwise sensitive data — have no conventional data path an attacker can use for exfiltration. TrojPix sidesteps this constraint by treating the video cable as an antenna. When a computer drives a display signal, the cable carrying that signal emits electromagnetic radiation as a natural byproduct of the current fluctuations involved in transmitting video data. TrojPix exploits this physics by controlling what the malware on the target system writes to the framebuffer, shaping those emissions to carry encoded data.
The technique does not require any modification to the cable or display hardware itself. The computer’s normal video signal processing generates the emissions; TrojPix simply instructs the compromised system to produce pixel patterns that generate distinguishable modulation in those emissions. A receiver positioned near the video cable — within the same room or an adjacent space — can capture and decode those modulated signals to reconstruct the exfiltrated data.
TrojPix’s Two-Stage Attack: Framebuffer Manipulation and Radio Receiver Decoding
The attack proceeds in two stages. In the first, malware already resident on the target air-gapped system writes specific pixel patterns to the framebuffer that encode the data to be stolen. These patterns generate modulated electromagnetic signals in the video cable during normal display operation. The patterns can be rendered in screen regions invisible to the user — areas covered by other windows, minimized content, or edge regions — reducing the chance that the targeted user will notice unusual display behavior.
In the second stage, an adversary with a radio receiver positioned in physical proximity to the target environment captures the emissions from the video cable and applies signal processing to decode the encoded data. The receiver does not need to be in the same room; the range depends on cable length, shielding, and the surrounding environment, but the practical threat model places it within a few meters of the cable.
TrojPix Joins a Documented Catalog of Air-Gap Covert Channels Exploiting Physical Hardware
TrojPix is part of a research category that has demonstrated air-gap exfiltration through a growing range of physical side channels. Prior published techniques have shown that data can be extracted from isolated systems via acoustic signals from PC speakers and cooling fans, thermal signatures from CPU heat fluctuations, power-line fluctuations, magnetic field emissions from RAM activity, and optical signals from status LEDs. Each technique exploits a different physical emission from computer hardware that cannot be disabled without degrading or preventing normal system operation.
Video cable electromagnetic emissions represent a channel that had not previously been demonstrated in published research. The TrojPix disclosure extends the catalog by showing that the display subsystem — specifically the cable between the graphics output and the monitor — can serve as an exfiltration path in addition to the previously documented channels.
Practical Threat Model for TrojPix Deployment in High-Security Air-Gapped Environments
The TrojPix attack requires two preconditions: malware already present on the target air-gapped system, and a radio receiver accessible within physical proximity to the video cable. The first precondition typically requires a prior compromise through a supply chain attack, insider threat, or physical media delivery — all established vectors against air-gapped environments used in documented real-world attacks against government, military, critical infrastructure, and industrial control systems.
The second precondition — receiver proximity — is a meaningful constraint for many deployment scenarios, but not an absolute barrier. High-security environments that allow contractor or visitor access to areas near server rooms, or that have adjacent spaces where a receiver could be placed without direct entry to the secure zone, face a practical threat from this technique. Faraday shielding around video cable and display equipment and strict physical access controls for all spaces adjacent to secure computing environments reduce the risk from TrojPix and from the broader category of electromagnetic side-channel exfiltration methods. For organizations operating air-gapped systems, TrojPix reinforces that physical security perimeters and electromagnetic shielding are integral components of an air-gap defense, not optional additions.
