New PIXHELL Attack Exploits LCD Screen Noise to Exfiltrate Data from Air-Gapped Computers
A novel side-channel attack dubbed PIXHELL could be used against air-gapped systems by bridging the "audio gap," exfiltrating sensitive information through the noise generated by the pixels of an LCD screen.
"Malware in the air-gap and audio-gap computers generates crafted pixel patterns that produce noise in the frequency range of 0 - 22 kHz," Dr. Mordechai Guri, the head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel, said in a newly published paper.
"The malicious code leverages the sound emitted by coils and capacitors to alter the frequencies coming from the screen. Acoustic emissions may encode and communicate sensitive information."
What makes the attack notable is that it requires no specialised audio hardware, loudspeaker, or internal speaker on the compromised computer; it relies on the LCD screen itself to produce the acoustic signal.
Air-gapping is a security measure intended to protect mission-critical environments from potential threats by physically and logically isolating them from external networks (i.e., the internet). This is commonly achieved by unplugging network cables, disabling wireless interfaces, and disabling USB connections.
That said, such measures can be bypassed by a rogue insider or by a compromise of the hardware or software supply chain. Another possibility is an unwitting employee bringing in an infected USB device that implants malware capable of establishing a covert data exfiltration channel.
"Phishing, malicious insiders, or other social engineering techniques may be employed to trick individuals with access to the air-gapped system into taking actions that compromise security, such as clicking on malicious links or downloading infected files," Dr. Guri added.
"Attackers may also utilize software supply chain assaults by targeting software application dependencies or third-party libraries. By compromising these dependencies, hackers may add vulnerabilities or malicious code that may go unreported throughout development and testing."
Like the previously disclosed RAMBO attack, PIXHELL relies on malware planted on the compromised host to establish an acoustic channel for leaking information from audio-gapped devices.
This is possible because LCD screens contain inductors and capacitors in their internal components and power supply; when current passes through the coils, they vibrate at audible frequencies and produce a high-pitched noise, a phenomenon known as coil whine.
Specifically, fluctuations in power consumption can cause mechanical vibration or piezoelectric effects in the capacitors, resulting in audible noise. A major factor shaping the consumption pattern is the number of pixels that are lit and their distribution across the screen, since white pixels draw more power to display than dark ones.
"Also, when alternating current (AC) passes through the screen capacitors, they vibrate at specific frequencies," Dr. Guri explained. "The acoustic emissions are created by the internal electric component of the LCD panel. Its features are influenced by the actual bitmap, pattern, and intensity of pixels displayed on the screen."
"By carefully controlling the pixel patterns shown on our screen, our technique generates certain acoustic waves at specific frequencies from LCD screens."
An attacker could therefore exploit this to exfiltrate data as modulated acoustic waves that are picked up by a nearby Windows or Android device, which then demodulates the packets and recovers the information.
That being said, it bears emphasising that the strength and quality of the generated acoustic signal depend on the specific screen design, its internal power supply, and the placement of its coils and capacitors, among other factors.
Another important point is that the PIXHELL attack is, by default, visible to anyone looking at the LCD panel, since it involves displaying a bitmap pattern of alternating black-and-white rows.
"To remain covert, attackers may use a strategy that transmits while the user is absent," Dr. Guri stated. "For example, a so-called 'overnight attack' on the covert channels is maintained during the off-hours, reducing the risk of being revealed and exposed."
The attack can, however, be made stealthy during working hours by reducing the pixel colours to very low values before transmission, i.e., using RGB levels of (1,1,1), (3,3,3), (7,7,7), and (15,15,15), so that the screen appears black to the user.
Doing so, however, has the downside of "significantly" lowering the sound output level. Nor is the technique foolproof, since a person may still notice the anomalous patterns if they look "carefully" at the screen.
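The low-RGB variant just described is hard for a human to spot, but it is not hard for a camera to spot. The following is an added example, not code from the article or from Dr. Guri's research, showing the kind of check a defender could run over frames from an external camera (or over screenshots): it contrast-stretches a dark frame so near-black stripes become visible to a reviewer, and it scores how strictly consecutive rows alternate in brightness. It assumes frames are 2-D lists of 8-bit grayscale values with one camera row per screen row (a period-two stripe), and the sample frames are constructed for the demo.

```python
"""Added example, not code from the article or from Dr. Guri's research:
a check that an external camera feed (or a screenshot) can be run through
to expose faint alternating-row patterns such as the (1,1,1) vs (0,0,0)
variant. Frames are assumed to be 2-D lists of 8-bit grayscale values with
one camera row per screen row; the sample frames are constructed."""

GAIN = 16          # assumed contrast gain: levels 0..15 become 0..240


def amplify(frame, gain=GAIN):
    """Contrast-stretch a dark frame so near-black stripes become visible
    to a human reviewer (values are clamped to the 8-bit range)."""
    return [[min(255, v * gain) for v in row] for row in frame]


def row_means(frame):
    """Average brightness of each row."""
    return [sum(row) / len(row) for row in frame]


def stripe_score(frame):
    """Fraction of consecutive row-to-row brightness changes that flip
    sign. A strict alternating-row pattern scores 1.0; flat, gradient and
    block-like content (text, windows) scores near 0, because a zero
    change breaks the alternation rather than being skipped."""
    means = row_means(frame)
    diffs = [b - a for a, b in zip(means, means[1:])]
    if len(diffs) < 2:
        return 0.0
    flips = sum(
        1 for a, b in zip(diffs, diffs[1:])
        if a != 0 and b != 0 and (a > 0) != (b > 0)
    )
    return flips / (len(diffs) - 1)


def is_modulated(frame, min_score=0.9, min_step=1.0):
    """Flag a frame whose rows alternate in brightness by at least one
    intensity level on average, however dark the screen looks overall."""
    means = row_means(frame)
    steps = [abs(b - a) for a, b in zip(means, means[1:])]
    if not steps:
        return False
    mean_step = sum(steps) / len(steps)
    return stripe_score(frame) >= min_score and mean_step >= min_step


# Constructed sample frames (8 columns wide, 16 rows high)
COLS, ROWS = 8, 16
STEALTH_STRIPES = [[1 if r % 2 == 0 else 0] * COLS for r in range(ROWS)]  # (1,1,1)/(0,0,0) rows
DARK_IDLE = [[0] * COLS for _ in range(ROWS)]                             # blank screen
GRADIENT = [[r * 16] * COLS for r in range(ROWS)]                         # smooth content
TEXT_BLOCKS = [[200 if (r // 4) % 2 == 0 else 0] * COLS for r in range(ROWS)]  # 4-row bands

if __name__ == "__main__":
    samples = [("stealth stripes", STEALTH_STRIPES), ("dark idle", DARK_IDLE),
               ("gradient", GRADIENT), ("text blocks", TEXT_BLOCKS)]
    for name, frame in samples:
        print(f"{name:16s} score={stripe_score(frame):.2f} flagged={is_modulated(frame)}")
    print("amplified stripe row:", amplify(STEALTH_STRIPES)[0])
```

The alternation score deliberately treats a zero row-to-row change as breaking the pattern, so ordinary content made of multi-row bands (text lines, window borders) is not flagged even though its band edges alternate in sign. Because the threshold is on the sign of the change rather than its size, a (1,1,1)/(0,0,0) pattern scores exactly the same as a full black-and-white one.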
This is not the first time audio-gap constraints have been bypassed in an experimental setting. Prior research by Dr. Guri and others has exploited noise produced by computer fans (Fansmitter), hard disk drives (Diskfiltration), CD/DVD drives (CD-LEAK), power supply units (POWER-SUPPLaY), and inkjet printers (Inkfiltration).
Recommended countermeasures include using an acoustic jammer to disrupt the transmission, monitoring the audio spectrum for unusual or anomalous signals, restricting physical access to authorised personnel, prohibiting the use of smartphones, and using an external camera to detect unusual modulated screen patterns.
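As an added example of the "monitor the audio spectrum" countermeasure (not code from the article or from Dr. Guri's research), the block below implements a minimal spectrum monitor: it splits an audio stream into frames, computes a Hann-windowed FFT, and raises an alert only when a narrowband peak persists at the same frequency across several consecutive frames, which separates a steady carrier from transient office noise. The 44.1 kHz sample rate, 1024-sample frame, 500 Hz low cutoff, peak ratio and run length are all assumptions, and the audio it analyses is constructed inline (an 18 kHz tone in noise, then noise alone) rather than captured from a microphone.

```python
"""Added example, not code from the article or from Dr. Guri's research:
a minimal spectrum monitor that flags a narrowband tone persisting across
consecutive frames anywhere in the 0-22 kHz band. Sample rate, frame size
and thresholds are assumptions; the audio below is constructed."""

import cmath
import math
import random

SAMPLE_RATE = 44_100            # assumed capture rate (Hz), covers 0-22 kHz
FRAME = 1024                    # samples per analysis frame (power of two)
BIN_HZ = SAMPLE_RATE / FRAME    # frequency resolution, ~43 Hz per bin


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + tw
        out[k + n // 2] = even[k] - tw
    return out


def magnitude_spectrum(frame):
    """Hann-windowed magnitude per bin from 0 Hz to Nyquist; the window keeps
    a real tone confined to a narrow peak instead of smearing across bins."""
    n = len(frame)
    windowed = [x * (0.5 - 0.5 * math.cos(2 * math.pi * i / n)) for i, x in enumerate(frame)]
    return [abs(c) / n for c in fft(windowed)[: n // 2 + 1]]


def peak_bins(spectrum, min_hz=500, ratio=8.0):
    """Bins standing `ratio` times above the band's median level. The median
    is a robust noise floor that a few loud bins cannot drag upward. Bins
    below `min_hz` (mains hum, rumble) are ignored; the cutoff is assumed."""
    start = int(min_hz / BIN_HZ)
    band = spectrum[start:]
    floor = max(sorted(band)[len(band) // 2], 1e-9)
    return [start + i for i, m in enumerate(band) if m > ratio * floor]


def sustained_tones(frames, min_frames=3):
    """Frequencies (Hz) whose bin was a peak in `min_frames` or more
    consecutive frames. A bin that drops out of the peak set resets its run,
    so a door slam or a keyboard click does not accumulate into an alert."""
    run, alerts = {}, set()
    for frame in frames:
        bins = set(peak_bins(magnitude_spectrum(frame)))
        run = {b: run.get(b, 0) + 1 for b in bins}
        alerts.update(round(b * BIN_HZ) for b, n in run.items() if n >= min_frames)
    return sorted(alerts)


def synth_frames(tone_hz, tone_amp, noise_amp, count, seed=1):
    """Constructed test audio: a steady sine plus uniform noise, split into
    consecutive frames with the phase continuing across frame boundaries."""
    rng = random.Random(seed)
    frames = []
    for f in range(count):
        frames.append([
            tone_amp * math.sin(2 * math.pi * tone_hz * (f * FRAME + i) / SAMPLE_RATE)
            + rng.uniform(-noise_amp, noise_amp)
            for i in range(FRAME)
        ])
    return frames


if __name__ == "__main__":
    # A constructed 18 kHz carrier in noise, then the same noise without it
    print("carrier :", sustained_tones(synth_frames(18_000, 0.2, 0.05, 5)))
    print("ambient :", sustained_tones(synth_frames(18_000, 0.0, 0.05, 5)))
```

In a deployment the `frames` argument would come from a microphone capture loop, and an alert would be raised with the offending frequency and a timestamp. Reporting the frequency is useful because a screen-generated carrier sits at a fixed place in the spectrum for as long as the transmission lasts, whereas speech and most machinery noise wander.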