PIXHELL Makes Monitors Sing Like a Canary
PIXHELL is a side-channel attack that uses a monitor's coil whine to steal data from air-gapped systems by encoding it into pixel patterns.
Traditional computer security measures, like firewalls and antivirus software, are sufficient to keep most people reasonably safe online. But when the information stored on a computer goes beyond pictures of the family or a secret recipe for the world’s best barbecue sauce, and enters the realm of corporate or national secrets, much stronger measures are necessary. In cases like these, systems are often air-gapped, which is the strongest computer security practice of all.
An air-gapped computer is not connected to any networks, either wired or wireless. Physical security around such a system is also very strong, as the only way to access an air-gapped machine is by physically sitting at the terminal. Or at least, the intent of air-gapping a machine is to ensure that it cannot be accessed remotely. But in reality, there are ways to compromise even this type of security.
Other forms of output, most notably speakers, can also be used to leak private information. Accordingly, air-gapped machines are often stripped of audio hardware and speakers. But Mordechai Guri, a security researcher at Ben-Gurion University of the Negev, has found a way to make monitors spill secrets in much the same way that a speaker can. This is concerning, as a monitor cannot easily be eliminated from a system that is inaccessible via networks.
Guri’s recently described exploit, called PIXHELL, leverages the coils and capacitors that are essential to the function of modern LCD displays. These components vibrate, causing them to emit acoustic signals — often termed coil whine — during normal operation. And those signals are directly related to the pattern of pixels that are illuminated on the screen, and the intensity of those pixels.
Guri realized that this artifact could be used to exfiltrate arbitrary data from a computer by encoding information into pixel patterns that are briefly displayed on a monitor. Because the frequency of the audio emissions is kept under 22,000 Hz, they can be detected audibly by a (somewhat) remote system. Knowing the encoding scheme, that remote machine can then decode the data.
As it presently stands, PIXHELL has a pretty high bar to clear before it can be implemented on an air-gapped system. First and foremost, malware must be installed on the target system to locate the data of interest, encode it, and display the associated pixel patterns on the screen. Walking up to an air-gapped system and installing malware is no small task, but even if someone does pull it off, there is still the issue of range. The acoustic signals cannot be detected at distances of more than about ten feet in most cases, so the attacker pretty much needs to sit in the same room as the machine they are trying to exploit.
For these reasons, PIXHELL may not be very practical in most cases, but for those who just cannot take a chance, Guri has suggested some countermeasures. Concerned parties could, for example, employ audio jamming techniques to drown out any exfiltration attempts. And of course, keeping a close watch over the physical security of an air-gapped system could also defeat PIXHELL.
Side-channel attacks such as this one are quite technically interesting, even if not entirely practical. If you would like to read up on another similar exploit, be sure to check out RAMBO, which steals data by manipulating system RAM.