PIXHELL Acoustic Attack: A New Threat to Audio-Gapped Systems
A novel acoustic attack named ‘PIXHELL’ can leak secrets from audio-gapped systems, and without requiring speakers, through the LCD monitors they connect to. This attack, developed by Dr. Mordechai Guri of the Ben-Gurion University of the Negev, exploits the unintended acoustic emissions from LCD screens, such as coil whine, capacitor noise, or intrinsic vibrations.
How PIXHELL Acoustic Attack Works
In a PIXHELL attack, malware modulates the pixel patterns on LCD screens to induce noise in the frequency range of 0-22 kHz, carrying encoded signals within those acoustic waves that can be captured by nearby devices such as smartphones.
The researchers’ tests showed that data exfiltration is possible at a maximum distance of 2 meters (6.5 ft), achieving a data rate of 20 bits per second (bps). While this is too slow to make large file transfers practical, real-time keylogging and stealing small text files that might contain passwords or other information are still possible.
The Mechanics of PIXHELL Attack
The PIXHELL attack method takes advantage of the unintended acoustic emissions from LCD screens resulting from coil whine, capacitor noise, or intrinsic vibrations that cannot be physically eliminated from the devices.
Using specially crafted malware, an attacker can encode sensitive data like encryption keys or keystrokes into acoustic signals using modulation schemes such as:
- On-Off Keying (OOK): Data is encoded by switching the sound on and off.
- Frequency Shift Keying (FSK): Data is encoded by switching between different frequencies.
- Amplitude Shift Keying (ASK): Data is encoded by changing the amplitude (volume) of the sound.
Next, the modulated data is transmitted via the LCD screen by changing the pixel patterns on it, which alters the sound emitted from the device’s components. A nearby microphone on a rogue or compromised device such as a laptop or smartphone can pick up the acoustic signals and may later transmit them to the attacker for demodulation.
Stealthy and Effective
Notably, PIXHELL can be executed in a setting involving multiple signal sources and a single recipient, so it’s possible to capture secrets from several offline systems simultaneously, if those were infected by malware.
The sound frequencies produced by the PIXHELL malware are typically in the 0 – 22 kHz frequency range which is hardly audible to humans. For comparison, humans typically detect sounds in a frequency range between 20Hz to 20kHz and an average adult’s upper limit is typically around 15-17kHz.
Spectrogram of acoustic signal received by a nearby microphone
Source: Arxiv.org
At the same time, the pixel patterns used in the attack are low-brightness or invisible to the user, which makes the attack particularly stealthy.
Potential Countermeasures
Several defenses can be implemented against PIXHELL and other types of acoustic side-channel attacks. In highly critical environments, microphone-carrying devices should be banned entirely from certain areas out of an abundance of caution.
Jamming or noise generation, where background noise is introduced to disrupt the acoustic signals and increase the signal-to-noise ratio (SNR) to make the attack impractical, is also a solution.
Dr. Guri also suggests monitoring the screen buffer with a camera to detect unusual pixel patterns that do not match the system’s normal operations.