New PIXHELL Attack Uses Screen Noise to Steal Information from Air-Gapped Computers
A new covert channel attack called PIXHELL could compromise air-gapped machines by breaching the “audio gap” and exfiltrating confidential data through the acoustic noise generated by the pixels on the screen.
Dr. Mordechai Guri, head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at Ben Gurion University in Israel, described the attack, which requires no specialized audio equipment, in a recently published paper.
The malware exploits the noise generated by coils and capacitors to control the sound frequencies emanating from the display and transmit information covertly as acoustic signals.
A notable property of this attack is that it doesn’t rely on dedicated sound hardware but instead uses the LCD screen itself to generate acoustic signals.
Air-gapping is a security measure that protects critical systems against threats by isolating them from external networks. This isolation is achieved by detaching network interfaces and disabling wireless connections and USB ports.
However, these defenses can be bypassed by insider threats or by a compromise of the hardware or software supply chain. An unsuspecting employee might also introduce malware by connecting an infected USB drive, creating a covert data exfiltration pathway.
Dr. Guri remarked, “Attackers could employ phishing or other social engineering tactics to deceive authorized users of the air-gapped system into compromising security unintentionally.”
“Furthermore, attackers can exploit software supply chain weaknesses by targeting application dependencies or third-party libraries, introducing vulnerabilities or malicious code that go unnoticed in development and testing stages.”
Like the recently disclosed RAMBO attack, PIXHELL uses malware on the victim’s machine to establish an acoustic channel for leaking data from audio-gapped systems.
The technique works because LCD screens contain inductors and capacitors that produce audible noise when electricity flows through them, a phenomenon known as coil whine.
Specifically, changes in power consumption can cause mechanical vibrations or piezoelectric effects in capacitors, leading to audible noise. The power consumption is directly influenced by the number and distribution of pixels on the screen.
Dr. Guri explained, “The screen capacitors vibrate at certain frequencies when exposed to alternating current, producing specific acoustic waves. These sounds originate from the LCD screen’s internal electrical components and are influenced by the displayed pixels.”
“By carefully manipulating the pixel layouts on the screen, our methodology generates specific acoustic waves at precise frequencies from LCD screens.”
An attacker can use this technique to exfiltrate data as modulated acoustic signals, which a nearby Windows or Android device can receive in order to extract the data.
The strength and quality of the produced acoustic signals depend on various factors such as the screen’s internal structure, power supply, and locations of coils and capacitors.
The PIXHELL attack is also visible to anyone looking at the LCD screen, because it involves displaying a bitmap pattern composed of alternating black-and-white rows.

“To maintain stealth, attackers might opt to transmit data when the user is absent, implementing an ‘overnight attack’ strategy during off-hours to reduce exposure risks,” noted Dr. Guri.
However, the attack can also be made stealthy during working hours by reducing the pixel colors to very low values before transmission, using RGB levels of (1,1,1), (3,3,3), (7,7,7), and (15,15,15), which makes the screen appear black to the user.
Reducing the pixel colors significantly lowers the level of sound produced, and users might still detect the irregular patterns if they look at the screen closely.
This is not the first time that audio-gap defenses have been bypassed in an experimental setting. Prior research by Dr. Guri explored sounds emanating from computer fans (Fansmitter), hard drives (Diskfiltration), CD/DVD drives (CD-LEAK), power supplies (POWER-SUPPLaY), and printers (Inkfiltration).
Recommended countermeasures include using an acoustic jammer to disrupt transmissions, monitoring the audio spectrum for anomalous signals, restricting physical access, disallowing smartphone use, and deploying an external camera to identify abnormal screen patterns.
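The screen-pattern countermeasure can be automated by checking captured frames for the alternating-row bitmap described above, including at the low RGB levels that look black to a user. The following is an added example, not code from the paper or the original article: it assumes a frame is already available as rows of grayscale values, and the function names, thresholds, and sample frames are hypothetical.

```python
from collections import Counter

def stripe_check(frame, min_bands=8, max_row_spread=2):
    """Return (striped, band_height, contrast) for one grayscale frame.

    frame: list of rows, each a list of 0-255 luminance values.
    """
    # Rows of a horizontal-stripe bitmap are flat; textured content is not.
    flat = sum(1 for row in frame if max(row) - min(row) <= max_row_spread)
    if flat < 0.9 * len(frame):
        return (False, 0, 0.0)
    means = [sum(row) / len(row) for row in frame]
    contrast = max(means) - min(means)
    if contrast < 1:                      # uniform screen, nothing to flag
        return (False, 0, contrast)
    mid = (max(means) + min(means)) / 2
    bits = [m > mid for m in means]       # dark/bright label per row
    runs, length = [], 1                  # heights of consecutive bands
    for prev, cur in zip(bits, bits[1:]):
        if prev == cur:
            length += 1
        else:
            runs.append(length)
            length = 1
    runs.append(length)
    if len(runs) < min_bands:             # a single edge is not a stripe pattern
        return (False, 0, contrast)
    inner = runs[1:-1]                    # edge bands may be clipped
    height, count = Counter(inner).most_common(1)[0]
    regular = count >= 0.9 * len(inner)   # bands must share one height
    return (regular, height if regular else 0, contrast)

def make_stripes(rows, cols, band, level):
    """Constructed test frame: bands of 0 and `level`, `band` rows high."""
    return [[level if (y // band) % 2 else 0] * cols for y in range(rows)]

# Constructed samples: the four low levels quoted above, plus benign frames.
SAMPLES = {f"stripes_rgb{v}": make_stripes(64, 32, 4, v) for v in (1, 3, 7, 15)}
SAMPLES["black"] = [[0] * 32 for _ in range(64)]
SAMPLES["gradient"] = [[y * 4] * 32 for y in range(64)]

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, stripe_check(frame))
```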

