PIXHELL’s New Acoustic Attack Reveals Secrets of LCD Screen Noise

A new acoustic attack dubbed ‘PIXHELL’ can leak secrets from air-gap and audio-gap systems, without the need for speakers, through the LCD monitors they are connected to.

In a PIXHELL attack, malware modulates the pixel patterns on LCD screens to create noise in the 0-22 kHz frequency range. The malware transmits encoded signals within those acoustic waves, which can be picked up by nearby devices, such as smartphones.

The researchers’ tests showed that data exfiltration is possible at a maximum distance of 2 meters (6.5 ft), achieving a data rate of 20 bits per second (bps).

While this is too slow to allow large file transfers, real-time keylogging and stealing small text files containing passwords or other information is still possible.

Hidden audio channel

PIXHELL was developed by Dr. Mordechai Guri of Ben-Gurion University of the Negev, known for his extensive research into methods of leaking data from air-gapped environments.

Just last week, the researcher published another paper describing a new side-channel attack called “RAMBO” (Radiation of Air-gapped Memory Bus for Offense). This attack can steal data from an air-gapped environment by generating electronic radiation from a device’s RAM components.

The PIXHELL attack method takes advantage of the unintended acoustic emissions from LCD screens resulting from coil noise, capacitor noise, or intrinsic vibrations that cannot be physically eliminated from the devices.

Using specially crafted malware, an attacker can encode sensitive data, such as encryption keys or keystrokes, into acoustic signals using modulation schemes such as:

• On/Off button (ALSO): Data is encrypted by turning the sound on and off.
• Frequency shift key (FSK): Data is encoded by switching between different frequencies.
• Amplitude shift key (TO ASK): Data is encoded by changing the amplitude (volume) of the sound.

The modulated data is then sent through the LCD screen by changing the pixel patterns on the screen. This also changes the sound emitted by the components of the device.

A microphone near a rogue or compromised device, such as a laptop or smartphone, can pick up the acoustic signals and later send them to the attacker for demodulation.

PIXHELL can be run in an environment with multiple signal sources and a single receiver. This makes it possible to intercept secrets from multiple air-gapped systems simultaneously, if they are infected with malware.

The sound frequencies produced by the PIXHELL malware are typically in the 0-22 kHz frequency range, which is barely audible to humans. For comparison, humans typically detect sounds in a frequency range between 20 Hz and 20 kHz, and the upper limit for an average adult is typically around 15-17 kHz.

At the same time, the pixel patterns used in the attack are low in brightness or invisible to the user, making the attack particularly stealthy.

Possible countermeasures

Several defenses can be implemented against PIXHELL and other types of acoustic side-channel attacks. In highly critical environments, microphone-carrying devices should be completely banned from certain areas as an abundance of caution.

Jamming or noise generation, where background noise is added to disrupt the acoustic signals and increase the signal-to-noise ratio (SNR), making the attack impractical, is also a solution.

Dr. Guri also suggests checking the screen buffer with a camera to detect unusual pixel patterns that do not match normal system operation.

Full technical details of the PIXHELL attack and possible defense strategies are available in the technical paper titled PIXHELL attack: leaking sensitive information
from Air-Gap Computers via ‘Singing Pixels’.