New PIXHELL Attack Exploits LCD Screen Noise to Exfiltrate Data from Air-Gapped Computers

A groundbreaking side-channel attack named PIXHELL has been unveiled, demonstrating how malicious actors can exploit the noise generated by pixels on an LCD screen to exfiltrate sensitive data from air-gapped computers. This technique breaches the “audio gap” and poses a significant threat to highly secure environments that rely on physical isolation.

Discovery and Research

The PIXHELL attack was developed by Dr. Mordechai Guri, head of the Offensive Cyber Research Lab at the Department of Software and Information Systems Engineering, Ben Gurion University of the Negev in Israel. In his newly published paper, Dr. Guri explains:

“Malware in the air-gap and audio-gap computers generates crafted pixel patterns that produce noise in the frequency range of 0 – 22 kHz. The malicious code exploits the sound generated by coils and capacitors to control the frequencies emanating from the screen. Acoustic signals can encode and transmit sensitive information.”

Mechanism of the Attack

Unlike traditional methods that require specialized audio hardware or internal speakers, PIXHELL relies solely on the LCD screen to generate acoustic signals. This is made possible because LCD screens contain inductors and capacitors that can vibrate at audible frequencies due to electrical currents—a phenomenon known as coil whine.

By manipulating pixel patterns and colors displayed on the screen, the malware induces changes in power consumption, causing the screen’s components to emit specific acoustic waves. An attacker can then capture these sounds using a nearby device, such as a smartphone or a dedicated receiver, and decode the transmitted data.

Exploiting Air-Gapped Systems

Air-gapped networks are isolated from external networks to protect sensitive information. However, as Dr. Guri points out, these defenses can be circumvented through methods like:

• Insider Threats: Rogue employees introducing malware directly.
• Infected USB Devices: Unsuspecting users plugging in compromised drives.
• Supply Chain Attacks: Malware introduced during software development or updates.

Once the malware is in place, PIXHELL enables data exfiltration without the need for conventional communication channels.

Technical Details

The attack involves:

• Acoustic Signal Generation: Crafting pixel patterns that produce noise within the 0 – 22 kHz frequency range.
• Data Encoding: Utilizing techniques like Manchester encoding to modulate the data.
• Transmission: Sending the encoded data via the acoustic signals generated by the screen.
• Reception and Decoding: A nearby device captures the sounds, demodulates the signals, and extracts the original information.

Challenges and Limitations

While effective, the PIXHELL attack has certain limitations:

• Visibility: The pixel patterns used can be visible to users, potentially raising suspicion.
• Signal Strength: The quality of the acoustic signal depends on the screen’s hardware and environmental factors.
• Detection: Careful observation or monitoring could reveal unusual screen activity or acoustic emissions.

To mitigate visibility, attackers might:

• Time the Attack: Execute during off-hours when the system is unattended.
• Stealth Techniques: Use near-black pixel values to minimize noticeable changes on the screen, though this reduces sound production.

Previous Related Research

Dr. Guri has a history of innovative side-channel attack research, including:

• RAMBO Attack: Utilizing radio signals from RAM to exfiltrate data.
• Fansmitter and Diskfiltration: Exploiting sounds from fans and hard drives.
• POWER-SUPPLaY and Inkfiltration: Using power supply units and printers as covert channels.

Countermeasures

To defend against the PIXHELL attack and similar threats:

• Acoustic Jamming: Deploy devices that emit noise to disrupt potential acoustic channels.
• Monitoring: Implement systems to detect unusual audio frequencies or screen activities.
• Physical Security: Restrict access to sensitive areas and enforce strict device usage policies.
• Smartphone Restrictions: Prohibit the use of personal devices near secure systems.
• Faraday Cages: Enclose critical hardware to block electromagnetic and acoustic emissions.

Conclusion

The PIXHELL attack highlights the evolving landscape of cybersecurity threats, especially concerning air-gapped systems once considered secure. Organizations must adopt comprehensive security measures that address both conventional and unconventional attack vectors to protect sensitive information.

By understanding and proactively addressing these advanced side-channel attacks, cybersecurity professionals can better safeguard critical infrastructure against emerging threats.