TrojPix: Covert Air-Gap Exfiltration Reaches 8.1 Mbps via Imperceptible Pixel Modulation
Researchers at **Shandong University** have unveiled **TrojPix**, a novel and high-speed method for exfiltrating data from air-gapped systems. This technique leverages imperceptible pixel modulation on a display, turning its video cable into a covert radio transmitter capable of reaching speeds up to 8.1 Mbps.
A new frontier in cyber espionage has been revealed, demonstrating how data can be siphoned from even the most isolated systems. **TrojPix**, developed by researchers at **Shandong University**, offers a surprisingly fast and stealthy way to bypass air-gap security measures.

### How TrojPix Works
The **TrojPix** technique operates by subtly altering on-screen pixels in ways undetectable to the human eye. These minute changes cause the connected video cable to radiate a faint but decodable radio signal. A nearby receiver can then pick up and reconstruct the exfiltrated data.
It's crucial to understand that **TrojPix** is an exfiltration method, not an initial compromise vector. It requires malware to already be present on the target machine to manipulate the display output.
### Unprecedented Speed and Range
In testing, **TrojPix** achieved a remarkable peak throughput of 8.1 Mbps. To put this into perspective, most air-gap covert channels operate at mere bits or kilobits per second. At 8.1 Mbps, a 100 MB file could be transferred in less than two minutes, transforming the threat from leaking a password to moving substantial datasets. The researchers also separately demonstrated a range of up to 208 meters.
### Imperceptible Pixel Modulation
The core of the method, termed **imperceptible pixel modulation**, requires no administrative privileges or hardware modifications. User-level malware capable of drawing to the screen is sufficient. The researchers identified two primary modes of operation:
* **Faked Power-Off:** The display appears off, but the screen is actively transmitting data.
* **In-Content Embedding:** The signal is subtly embedded within existing on-screen content, making the transmission completely hidden within normal computer usage.
The technique has been validated across nine monitor brands and fifteen different video cables, indicating its broad applicability.

### A New Era of Compromising Emanations
The concept of turning video cables into covert transmitters is not new, tracing its roots back to **TEMPEST** research. More recent work, like **TEMPEST-LoRa** (CCS 2025), used similar principles to reach off-the-shelf LoRa radios, achieving 21.6 kbps at 87.5 meters. **TrojPix** significantly surpasses these speeds, though direct comparisons are challenging due to differing experimental setups.
While these emission channels remain primarily lab demonstrations, they highlight evolving capabilities. Real-world air-gap attacks, such as **Stuxnet** and **Agent.BTZ**, have historically relied on physical vectors like USB drives.
Other screen-based channels, like **PIXHELL** (covered by The Hacker News in 2024), have explored using the display itself to emit sound for data leakage. In contrast to methods requiring hardware implants on Ethernet cables, **TrojPix** avoids any physical modifications.
### Countermeasures and Prevention
Unlike software vulnerabilities, compromising emanations cannot be patched away. Effective countermeasures are physical and preventative:
* **Fiber-Optic Links:** Replace copper video cables with fiber-optic alternatives, which do not emit such signals.
* **Shielding:** Implement physical shielding for cables and rooms, similar to **TEMPEST**-rated facilities.
* **Malware Prevention:** The most critical defense remains preventing malware from gaining a foothold on the target machine in the first place. Without malware, **TrojPix** has no data to transmit.
Once an attacker has established a presence, a channel as fast as **TrojPix** could exfiltrate sensitive data in the brief period a monitor appears inactive, posing a significant threat to highly secure environments.