Air-Gapped Networks Vulnerable to Acoustic Attack via LCD Screens

Published: 23/11/2024   Category: security

In the PixHell attack, sound waves generated by pixels on a screen can transmit information across seemingly impenetrable air gaps.



A newly devised covert channel attack method could undermine diligently devised air gaps at highly sensitive organizations.
In industrial control systems security, the term "air gap" is contested. It typically describes a total physical separation between networks — a literal gap through which no Wi-Fi signals, wires, etc., can pass. The most critical military, government, and industrial sites use air gaps to prevent Internet-based cyber threats from penetrating the kinds of networks that protect state secrets and human lives.
But any medium capable of transmitting information can, in theory, be weaponized to transmit the bad kind. Mordechai Guri of Israel's Ben-Gurion University has long researched ways of crossing air gaps with sound waves: via computer fans, hard disk drives, CD/DVD drives, and more. His latest attack scenario, Pixhell, enables data theft using sounds produced by specially generated, rapidly shifting bitmap patterns on an LCD screen.
It's midnight, and everyone working at the top secret intelligence facility has long gone home for the night, when all of a sudden a computer screen flashes with what appears to be random noise, as if it's missing a signal. It isn't missing a signal — the apparent noise is the signal.
Pixhell only works if an attacker can infect or control at least one device on each side of an air gap.
Air gaps typically connect critical networks with less critical networks, so the latter half of that job might be achieved by an Internet-based attack, while the former will require more stringent measures. Still, a machine behind an air gap can be infected in any number of ways: via supply chain compromise, a removable drive in the hands of a malicious or unwitting insider, or assorted other options.
Then, with no other obvious means of communicating — not Wi-Fi, Bluetooth, a speaker, or anything else — a computer can be made to transmit information over an air gap via the sounds generated by its screen.
Simplified, LCD screens have capacitors — which store and release electrical charge — and inductors — which help manage the voltage to those capacitors. While they're working, these components generate the faintest of high-pitched frequencies, inaudible to the human ear.
However, "Speakers and microphones generally have a frequency range that is broader than human hearing," explains Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. "The high end of the frequency range is where you can encode the greatest amount of information — the largest number of bits per second — and it's ultrasound. Dogs might freak out in the room, but humans can't hear it."
In experiments, the Pixhell malware manipulated pixels on a screen in such a way as to cause its inductors and capacitors to vibrate at specific frequencies. In so doing, they generated sound waves translating stolen, encoded data to the machine on the other side of an air gap, with varying fidelity at distances of up to two and a half meters. As Ginter puts it, "An attacker can send information from either computer to the other's microphone, and you can be sitting in the room and not realize information is being communicated."
Besides acoustics, there are any number of other, equally creative means to carry out covert channel attacks in theory.
"It's been reported that with sufficient effort, you can use Ethernet wiring as software-defined radio transmitters and receivers," Ginter notes. Some 20 years ago, 56-kilobit-per-second modems had an LED on the front so users could see if their data was moving. Ginter says you could turn the LED on when there was a one bit being transmitted, or off when it was a zero bit. "And it turned out that the LED was extremely responsive — so responsive that if you had a fast enough camera or detector, you could actually detect every bit that was being sent through the modem by watching the LED," he adds.
Countless other fun examples can be found in the annals of computer research archives. "Some computers have the ability to do detailed measurements on the voltage that's coming into the battery. And what that means is that if you have two computers plugged into the same circuit, even if they're using different outlets, one computer can consume more power briefly and less power a fraction of a second later, and the other one can detect these very tiny changes in voltage, so they can signal to each other that way. Even though they're electrically connected to different networks, they're both connected to the same power," he explains.
For the overwhelming majority of organizations, a physical air gap is sufficient to protect against even high-level adversaries, who aren't likely to pull off Pixhell-style attacks.
Those few most sensitive sites on the planet that have to worry about covert channel attacks — spy agencies, military headquarters, power plants — have already dedicated significant time and resources to building not just air gaps, but air gaps that make these scenarios impractical.
"At some extremely sensitive OT sites, they will have all of the OT equipment in one server room, and they'll have the IT equipment in another server room down the hall. And the only connection between the server rooms is a single fiber-optic connection that is a unidirectional gateway from OT to IT," Ginter explains.
Past that, he adds, the greater the distance between communicating computers, the more difficult it is to exploit covert channels. "If it's an electrical [channel you're worried about], you've got electrical noise between rooms. If it's audible, there are closed doors in the way. If it's temperature, you can heat up the room in a region very slightly [at intervals], so there's so much thermal noise that it becomes impractical to send any information out." The operative idea is signal-to-noise ratio (SNR): How much noise does one have to generate to make a covert channel attack impractical?
Whether such science-fiction-level defenses are warranted will depend on the organization at risk. "Some of the countermeasures were given for scientific discussion, but they are less practical to deploy in real life," Guri says. As an example, he points out that acoustic jammers would stop Pixhell right in its tracks: "Such a noise jammer may work in countering the attack, but it will make the environment too noisy for people to work."
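The signal-to-noise question above, worked as an added example that is not from the article or from Guri's research: a Python simulation of a generic on-off-keyed tone received through white noise, showing how much masking noise a defender needs before the receiver's bit error rate makes the channel impractical. The 48 kHz sample rate, 18 kHz carrier, 10 ms bit length and fixed decision threshold are assumptions chosen for illustration, not Pixhell figures.

```python
import math
import random

FS = 48_000          # sample rate in Hz (assumed)
TONE_HZ = 18_000     # near-ultrasonic carrier (assumed, not a figure from the article)
N = 480              # samples per bit: 10 ms, a whole number of carrier cycles

def goertzel_mag(samples, freq=TONE_HZ, fs=FS):
    """Magnitude of the single DFT bin at `freq` (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return math.sqrt(max(s1 * s1 + s2 * s2 - coeff * s1 * s2, 0.0))

def bit_error_rate(noise_sigma, n_bits=200, seed=1):
    """Pass random on-off-keyed bits through white Gaussian noise; count receiver mistakes."""
    rng = random.Random(seed)
    w = 2.0 * math.pi * TONE_HZ / FS
    threshold = N / 4.0   # half the noise-free magnitude (N/2) of a unit-amplitude tone
    errors = 0
    for _ in range(n_bits):
        bit = rng.getrandbits(1)
        window = [bit * math.sin(w * i) + rng.gauss(0.0, noise_sigma) for i in range(N)]
        decoded = 1 if goertzel_mag(window) > threshold else 0
        errors += decoded != bit
    return errors / n_bits

def snr_db(noise_sigma):
    """Per-sample SNR: unit-amplitude tone power (0.5) over noise power."""
    return 10.0 * math.log10(0.5 / noise_sigma ** 2)

if __name__ == "__main__":
    # Constructed noise levels, from quiet room to heavy masking noise.
    for sigma in (0.1, 1.0, 3.0, 10.0):
        print(f"SNR {snr_db(sigma):6.1f} dB  BER {bit_error_rate(sigma):.3f}")
```

Because the receiver integrates over each bit window, errors only appear once the noise is far louder than the tone, which is consistent with Guri's point that an effective jammer is too loud for a workplace.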