
PIXHELL Attack: Leaking Sensitive Information from Air-Gap Computers via 'Singing Pixels'

Published 7 Sep 2024 in cs.CR | (2409.04930v1)

Abstract: Air-gapped systems are disconnected from the Internet and other networks because they contain or process sensitive data. However, it is known that attackers can use computer speakers to leak data via sound to circumvent the air-gap defense. To cope with this threat, when highly sensitive data is involved, the prohibition of loudspeakers or audio hardware might be enforced. This measure is known as an 'audio gap'. In this paper, we present PIXHELL, a new type of covert channel attack allowing hackers to leak information via noise generated by the pixels on the screen. No audio hardware or loudspeakers are required. Malware in the air-gap and audio-gap computers generates crafted pixel patterns that produce noise in the frequency range of 0 - 22 kHz. The malicious code exploits the sound generated by coils and capacitors to control the frequencies emanating from the screen. Acoustic signals can encode and transmit sensitive information. We present the adversarial attack model, cover related work, and provide technical background. We discuss bitmap generation and correlated acoustic signals and provide implementation details on the modulation and demodulation process. We evaluated the covert channel on various screens and tested it with different types of information. We also discuss evasion and stealth using low-brightness patterns that appear like black, turned-off screens. Finally, we propose a set of countermeasures. Our test shows that with a PIXHELL attack, textual and binary data can be exfiltrated from air-gapped, audio-gapped computers at a distance of 2m via sound modulated from LCD screens.

Summary

  • The paper reveals a novel technique that exploits 'singing pixels' to leak sensitive data from air-gapped computers even without traditional audio hardware.
  • The paper employs modulation methods such as OOK, FSK, ASK, and OFDM to convert pixel patterns into acoustic signals for transmission up to 2 meters.
  • The paper highlights stealth techniques, using low-brightness patterns to evade detection, and recommends countermeasures like anomaly monitoring and ambient noise jamming.

PIXHELL Attack: Leaking Sensitive Information from Air-Gap Computers via 'Singing Pixels'

The paper "PIXHELL Attack: Leaking Sensitive Information from Air-Gap Computers via 'Singing Pixels'" introduces a novel method for data exfiltration from air-gapped and audio-gapped systems. At its core, PIXHELL leverages the idea that carefully crafted pixel patterns on an LCD screen can generate sound, thereby creating an acoustic covert channel capable of transmitting sensitive information, even in environments secured against traditional audio-based attacks.

Background and Objectives

Air-gapped systems, characterized by their physical isolation from external networks, are traditionally employed to safeguard highly sensitive data. Despite this isolation, historical precedents like the Stuxnet worm and various sophisticated malware attacks demonstrate that these systems are not impervious to breaches. Once breached, further actions, including the exfiltration of sensitive data, pose significant challenges due to the restricted communication channels implemented in these environments.

PIXHELL specifically addresses scenarios where audio hardware, typically used in acoustic covert channels, is disabled or absent, a measure known as an 'audio-gap.' The paper's primary contribution lies in exploiting the acoustic emissions generated by the internal components of LCD screens to modulate and transmit sensitive data.

Technical Contributions

  1. Acoustic Covert Channel Without Audio Hardware: The foundational innovation of PIXHELL is its ability to generate acoustic signals using the inherent noise produced by the vibrations of coils and capacitors within LCD screens. This approach bypasses the necessity for traditional audio peripherals entirely.
  2. Modulation and Signal Generation: Malware within the compromised air-gapped system generates pixel patterns that control the frequencies of the sound emanated by the screen components. By using techniques such as On-Off Keying (OOK), Frequency Shift Keying (FSK), and Amplitude Shift Keying (ASK), the malware can modulate binary data into an acoustic signal. Additionally, advanced modulation techniques such as Orthogonal Frequency-Division Multiplexing (OFDM) are employed to enhance transmission efficiency and data rates.
  3. Transmission and Reception Implementation: The study details the design and implementation of both the transmitter and receiver systems. The transmitter side, controlled by malware, generates the modulated pixel patterns, while the receiver, implemented on common devices such as smartphones or laptops, captures and decodes the acoustic signals.
  4. Evasion and Stealth Techniques: To minimize detection, PIXHELL incorporates low-brightness pixel patterns that appear nearly black to the untrained eye. These patterns maintain the acoustic signal's integrity while reducing visibility, thus evading casual observation by users.
  5. Evaluation and Multiple Transmitters: The efficacy of PIXHELL was validated through extensive testing on various LCD screens, demonstrating successful data transmission at a distance of up to 2 meters. Furthermore, the research explores using multiple screens as simultaneous transmitters, thereby enhancing bandwidth and robustness of the covert channel.

Implications and Countermeasures

The practical implications of PIXHELL are profound, as it underscores a previously underappreciated vector for data exfiltration in highly secured environments. The results suggest that even with stringent audio-gap measures, sensitive information is vulnerable to leakage through unconventional channels.

To mitigate such threats, the paper suggests several countermeasures:

  • Jamming and Noise Generation: Introducing ambient noise in the environment can disrupt the acoustic signals intended for data exfiltration.
  • Spectrum Monitoring: Continuous monitoring of the audio spectrum for irregular signals can help detect the presence of covert channels.
  • Access Control and Physical Security: Restricting access to sensitive areas and ensuring that potentially compromised devices are not brought into secure environments can reduce the risk.
  • Anomaly Detection Systems: Implementing software-based anomaly detection to monitor and identify unusual screen buffer activities can thwart attempts to initiate the PIXHELL attack.
  • External Camera Monitoring: Utilizing external cameras to monitor and analyze screen activities for indicative patterns of covert channels can provide an additional layer of security.
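The spectrum-monitoring countermeasure can be sketched as a per-frame narrowband detector. The following is an added example, not code from the paper: it flags frequencies in the 0 - 22 kHz band whose power repeatedly stands far above the median noise floor. The frequency grid, thresholds and the synthetic capture are assumptions constructed for illustration.

```python
import math
import random

FS = 44100            # sample rate (Hz); covers the 0-22 kHz band named in the paper
FRAME = 1024          # samples per analysis frame (~23 ms)
BINS = range(1000, 22000, 500)   # monitored frequencies (assumed grid)

def goertzel_power(frame, freq):
    """Squared DFT magnitude of `frame` at a single frequency."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def narrowband_hits(samples, ratio=20.0, min_frames=3):
    """Return {freq: frames_flagged} for tones that stand out repeatedly."""
    counts = {}
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        powers = {f: goertzel_power(frame, f) for f in BINS}
        floor = sorted(powers.values())[len(powers) // 2]   # median = noise floor
        for f, p in powers.items():
            if p > ratio * floor:
                counts[f] = counts.get(f, 0) + 1
    # Require persistence so a single noisy frame does not raise an alert.
    return {f: n for f, n in counts.items() if n >= min_frames}

def constructed_capture(tone_hz=None, frames=20, seed=1):
    """Constructed test input: room noise, plus an optional keyed tone."""
    rng = random.Random(seed)
    out = []
    for i in range(frames * FRAME):
        x = rng.gauss(0.0, 0.05)
        if tone_hz and (i // FRAME) % 2 == 0:     # tone present in even frames only
            x += 0.05 * math.sin(2.0 * math.pi * tone_hz * i / FS)
        out.append(x)
    return out

if __name__ == "__main__":
    print("quiet room :", narrowband_hits(constructed_capture()))
    print("keyed tone :", narrowband_hits(constructed_capture(18000)))
```

In a deployment the samples would come from a monitoring microphone near the protected workstation, and the ratio and persistence thresholds would be tuned against that room's baseline noise.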

Future Directions

The research opens several avenues for further exploration. Future studies might investigate the limits of the attack, such as the maximum feasible distance for reception or the impact of environmental conditions on signal integrity. Additionally, advancements in detection techniques and countermeasures will be crucial in evolving security protocols to safeguard against such innovative threats.

In conclusion, the PIXHELL attack exemplifies the continual evolution of cyber threats and the necessity for adaptive and anticipatory security measures. The findings illuminate the need for a profound understanding of the potential vulnerabilities in even the most secure environments, urging ongoing research and development in both offensive and defensive cybersecurity strategies.
