PIXHELL Attack: Extracting Data from Air-Gapped Systems Using Screen Emissions

The PIXHELL attack, a new covert channel technique, demonstrates how attackers can exfiltrate sensitive data from air-gapped systems by leveraging the acoustic noise generated by pixels on LCD screens. Developed by Mordechai Guri at Ben-Gurion University’s Air-Gap Research Lab, PIXHELL presents a novel way to bypass traditional security defenses by converting screen emissions into a form of data transmission—without the need for audio hardware. This innovative approach represents a significant evolution in air-gap hacking, targeting systems previously thought to be nearly impenetrable.

Air-Gapped Networks: A High-Security Defense

Air-gapped systems are a common security measure used in industries that handle highly sensitive data, such as defense, finance, healthcare, and critical infrastructure. By physically isolating these networks from the internet and external connections, they are shielded from common cyber threats, including malware infections, phishing, and remote exploits. This makes them an effective defense for critical systems, where breaches could lead to severe consequences. For example, stock exchange networks or nuclear facilities often rely on air-gapping to ensure their data remains secure​.

Despite the robust security provided by air-gapping, these systems are not immune to sophisticated attacks. High-profile breaches like Stuxnet, which targeted Iran’s nuclear facilities, and Agent.btz, which infiltrated U.S. military networks, show that determined attackers can exploit physical media or covert channels to bypass these defenses​​. The PIXHELL attack adds to this growing list by introducing a method that doesn’t require conventional transmission mediums, like USB drives, to steal information from these highly secure environments.

The PIXHELL Attack: Exploiting Acoustic Emissions from LCD Screens

PIXHELL leverages the physical properties of LCD screens, specifically the acoustic signals generated by the internal components such as inductors and capacitors. These components emit acoustic noise when electric current flows through them—a phenomenon known as coil noise or coil whine. By carefully controlling the pixel patterns displayed on the screen, attackers can manipulate these acoustic emissions to encode and transmit sensitive data through sound waves at frequencies between 0 and 22 kHz​.

The attack works by displaying crafted pixel patterns that induce specific vibrations in the screen’s capacitors and inductors. These vibrations generate acoustic waves that can be picked up by nearby recording devices. Even in audio-gapped systems, where speakers and audio hardware are intentionally disabled to prevent sound-based attacks, PIXHELL circumvents this protection by using the screen itself as the medium for data transmission​.

How PIXHELL Operates

The core of the PIXHELL attack lies in its ability to modulate pixel patterns on the screen to produce frequencies that encode binary data. By generating specific bitmap images and controlling the intensity and arrangement of pixels, attackers can control the sound emitted by the screen. These acoustic signals are then captured by a nearby microphone, which demodulates the sound to recover the transmitted information.

This method is particularly stealthy, as the pixel patterns used can be displayed at low brightness levels, making the screen appear off or inactive. This reduces the likelihood of detection during the attack. Furthermore, the acoustic signals can carry both textual and binary data, making the PIXHELL attack a versatile method for exfiltrating a range of sensitive information​.

Real-World Testing and Effectiveness

In tests conducted by the Air-Gap Research Lab, the PIXHELL attack successfully transmitted data from an air-gapped, audio-gapped computer to a nearby receiver located up to 2 meters away. This distance is significant in environments where physical access is limited but a recording device can still be discreetly placed within range of the target system.

The researchers demonstrated that various types of data, including text files and binary information, could be exfiltrated using the acoustic covert channel. The speed of transmission is relatively slow compared to other methods, but the trade-off is that the attack is nearly impossible to detect using traditional security tools​.

Bypassing Conventional Security Measures

The PIXHELL attack poses a new challenge for organizations relying on air-gap and audio-gap defenses to protect their sensitive data. Typical security measures for air-gapped systems include prohibiting network connections, disabling USB ports, and implementing strict physical security controls. For audio-gapped environments, disabling speakers and audio hardware has been an effective way to prevent sound-based data leaks​​.

However, PIXHELL renders these defenses ineffective by turning the screen itself into a sound transmitter. This bypasses the need for speakers, which have traditionally been the focus of acoustic-based attacks. Previous research on acoustic covert channels relied on using the computer’s speakers to emit sound waves, but PIXHELL demonstrates that even without audio hardware, air-gapped systems are still vulnerable to sound-based exfiltration​.

Countermeasures and Mitigation Strategies

While the PIXHELL attack represents a sophisticated and hard-to-detect threat, there are several countermeasures that organizations can implement to mitigate the risk:

  1. Acoustic Shielding: Installing acoustic dampening materials around air-gapped systems can help absorb and block the sound waves emitted by LCD screens.
  2. Pixel Pattern Detection: Security software could be developed to detect unusual pixel patterns or high-frequency vibrations generated by the screen.
  3. Increased Physical Security: Placing air-gapped systems in isolated rooms and limiting access to recording devices can help reduce the chances of an attacker positioning a receiver within range.
  4. Screen Monitoring: Software that monitors and flags suspicious screen activity, especially during periods of inactivity, could serve as an early warning system for PIXHELL-like attacks​.

Conclusion

The PIXHELL attack marks a new frontier in air-gap hacking by demonstrating how seemingly innocuous screen components can be weaponized to leak sensitive data through acoustic emissions. As organizations continue to rely on air-gapped systems for their most sensitive operations, the need for advanced defensive strategies becomes even more critical. By staying ahead of such covert channel techniques and implementing the proposed countermeasures, organizations can safeguard their data against this emerging threat.