TrojPix Steals Data From Air Gapped Computers Through the Screen

Ethical Hacking Complete Course Zero to Expert
Hack like black hat hackers. Penetration testing, Kali Linux, WiFi and web hacking, and the hacker mindset behind it.
→ Take the full courseTrojPix pulled a file off a computer that connects to nothing. 8.1 megabits a second. 208 meters away. Straight through a 30 cm concrete wall. It went out over the pixels on the screen, and the screen looked normal.
This came from a research team at Shandong University and Quan Cheng Laboratory. The target is an air-gapped machine, a computer kept off the network on purpose because of the sensitive work it does. You find these in defense, government, banking and nuclear plants.
The leak came out of the monitor cable.
A video cable carries electricity, and that gives off a faint radio signal. Normally it is just noise. TrojPix uses it to carry data.
When your computer sends a picture to the monitor, it does not send the pixels down the cable as they are. It packs them in a fixed pattern first, so the image arrives clean. That packing has a name, TMDS, and HDMI and DVI cables use it.
The malware changes the very last bit of the color in each pixel. Far too small for your eye to catch. But it changes the radio coming off the cable, and the attacker controls that change. The cable becomes a radio transmitter.

There is one more trick. The malware lines up the pixel changes with the exact rate at which the attacker’s radio samples the signal, so each change lands as one clean reading on the other end. That, plus error correction at the receiver, is what holds the speed up and keeps the data intact over distance. They call it Pixel-to-Sample Mapping.
Now the numbers. TrojPix hit 8.1 megabits per second, about a megabyte every second. The top speed and the longest distance came from two separate tests, not the same run, so read them as two limits, not one number.
Older attacks in this family managed only bits or kilobits per second, enough to leak a password slowly. The previous best topped out around 300 kilobits a second. TrojPix is about 27 times faster. At that speed a 100 MB file would go out in under two minutes. In the tests, the biggest files they moved were 10 MB, every bit and character intact.
It also came through a 30 cm concrete wall, and the accuracy barely moved, from 99.96% down to 99.14%. Nine monitor brands, fifteen cables. Not one lucky screen in one lab.

The attack runs two ways. One disguises the screen as switched off while the data streams out, and it stops the second the mouse moves, so it only leaks while the desk is empty. The other hides the signal inside a picture sitting on screen in plain sight. Either way, the malware runs as an ordinary program. It needs no admin rights, and it leaves the hardware alone.

They showed it to 50 people and asked them to spot the difference between a clean screen and a leaking one. Not one of them could.
You cannot patch this away. Copper carries current, current gives off radio, and that is physics. The fixes that work are physical, and I list them at the end.
None of this is new. In 1985 a Dutch scientist, Wim van Eck, read a computer monitor from hundreds of meters away with about fifteen dollars of gear and a TV set. People had thought only governments could do that. He proved them wrong, and the trick still carries his name, Van Eck phreaking.
Researchers kept building on it for decades. In 2024, a method called PIXHELL made the pixels on a screen leak data as sound. TrojPix takes the same idea and turns the pixels into radio instead. This time it came out of a lab in China.
The receiver was not fifteen dollars this time. It was a professional software-defined radio, a USRP X310, with a directional antenna and a low-noise amplifier. A few thousand euros of kit. Still, you can buy it in the open. It is not classified government hardware.
Air-gapped does not mean safe. Stuxnet proved that in 2010, crossing into Iran’s nuclear plants on a USB stick and wrecking around a thousand centrifuges while the screens read normal. Getting into an isolated network is one problem. Getting the stolen data back out is another. That second part is what TrojPix does.
So how do you stop it? The emission is physics, so no software update removes it. What works is physical, and it comes in layers.
- โ Run video over fiber-optic links instead of copper. Fiber carries light, not current, so there is no radio to leak. This closes the channel.
- โ Shield the cables and the room, the way
TEMPEST-rated sites already do. In the tests the signal still got through most shielding, with tinned-copper holding up best, so shielding on its own is not enough. - โ Jam the frequency band with RF equipment. It works, but it costs.
- โ In software, randomizing the
TMDSorder and smoothing the pixel values cuts the leak. It does not close it, and it adds complexity.
And the layer that matters most, because TrojPix cannot run without it:
- โ Keep the malware off the machine. Lock down USB ports. Control what software is allowed to run. Watch removable media.
Without that first foothold, TrojPix has nothing to send.
This is research, accepted to USENIX Security 2026 and due to be presented in August. The team held back the operational details and began disclosure with cable manufacturers. Not something criminals are known to be using yet. That does not make it harmless. It shows that keeping a machine offline is not enough by itself.
I teach how attackers find exposed systems, how data moves across a network, and how malware hides and slips data out, in my ethical hacking course: โ Join my complete ethical hacking course
Hacking is not a hobby but a way of life.
Sources: TrojPix: Electromagnetic Covert Channels via Imperceptible Pixel Modulation (USENIX Security 2026)
Stay updated
Get the latest posts in your inbox every week. Ethical hacking, security news, tutorials, and everything that catches my attention. If that sounds useful, drop your email below.