New side-channel attack PIXHELL
The technique could be used against air-gapped computers by using acoustic noise induced by pixel patterns on an LCD screen to bridge the “audio gap” and exfiltrate sensitive information.
“Malware in air-gapped and audio-gapped computers generates crafted pixel patterns that generate noise in the frequency range of 0-22 kHz,” Dr. Mordechai Guri, director of the Offensive Cyber Research Lab at the School of Software and Information Systems Engineering at Ben-Gurion University of the Negev in Israel, said in the newly published paper.
“Malicious code harnesses the sound generated by the coil and capacitor to control the frequency emitted by the screen. The acoustic signal can then be encoded and transmitted as sensitive information.”
This attack is notable in that it does not require any audio hardware on the compromised computer, such as built-in or external speakers; instead, it uses the LCD screen itself to generate the acoustic signal.
Air-gapping is an important security measure designed to protect mission-critical environments from potential security threats by physically and logically isolating them from external networks (such as the Internet), typically accomplished by disconnecting network cables, disabling wireless interfaces, and disabling USB connections.
However, such defenses can be circumvented by an insider or a compromised hardware or software supply chain. Another scenario could be an unsuspecting employee plugging in an infected USB drive, deploying malware that can launch a covert data exfiltration channel.
“Phishing, malicious insider and other social engineering techniques may be used to trick individuals with access to air-gapped systems into taking actions that compromise security, such as clicking on malicious links or downloading infected files,” Dr. Guri said.
“Attackers may also use software supply chain attacks, targeting software application dependencies and third-party libraries. Compromising these dependencies can introduce vulnerabilities or malicious code that goes unnoticed during development and testing.”
Like the recently demonstrated RAMBO attack, PIXHELL relies on malware already deployed on the compromised host; in this case the malware creates an acoustic channel to exfiltrate information from audio-gapped systems.
This is possible because LCD screens contain inductors and capacitors as part of their internal components and power supply, which vibrate at audible frequencies and create high-frequency noise as electricity passes through their coils (a phenomenon known as coil whine).
Specifically, changes in power consumption induce mechanical vibrations of capacitors and/or piezoelectric effects, resulting in audible noise. An important factor influencing the consumption pattern is the number of lit pixels and their distribution across the screen, since white pixels require more power to display than dark pixels.
“Also, when an alternating current (AC) is passed through the screen capacitor, it vibrates at a specific frequency,” Dr. Guri said. “The acoustic radiation is generated by the internal electrical components of the LCD screen, and its characteristics are affected by the actual bitmap, pattern and intensity of the pixels projected on the screen.”
https://www.youtube.com/watch?v=TtybA7C47SU
“By carefully controlling the pixel patterns that appear on the screen, our technology produces specific sound waves at specific frequencies from the LCD screen.”
Thus, an attacker can use the technique to modulate stolen data onto the acoustic signal, record it with the microphone of a nearby Windows or Android device, and demodulate the received packets to recover the information.
That said, the strength and quality of the emitted acoustic signal depend on factors such as the particular screen construction, the internal power supply, and the position of the coils and capacitors.
Another important point to highlight is that the PIXHELL attack displays a bitmap pattern consisting of alternating black and white rows, and is therefore visible by default to users looking at an LCD screen.
“Attackers may use strategies that involve transmissions when users are absent in order to maintain secrecy,” Dr. Guri said. “For example, so-called ‘nighttime attacks’ on covert channels can be maintained during off hours, reducing the risk of exposure.”
The attack can also be made stealthier during working hours by lowering the pixel values to near-black levels before transmission (RGB levels (1,1,1), (3,3,3), (7,7,7) and (15,15,15)), so that the screen appears black to the user.
However, doing so “significantly” reduces the sound level produced, and the approach is not foolproof: a user who looks “carefully” at the screen may still notice the unusual pattern.
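To make the channel concrete, here is an added, simulated end-to-end example; it is not code from the paper or from Dr. Guri's lab. It assumes an abstract screen model (each frame of alternating black/white rows is rendered as a sine tone at the transmitter's chosen frequency, with amplitude proportional to the rows' grey level), binary FSK at 5 kHz and 7 kHz with 50 ms symbols, and a Goertzel demodulator on the receiving device. The payload, preamble, noise level and the near-black grey level 15 are all constructed for illustration; which pixel pattern yields which tone on a real panel is hardware specific and is not modelled.

```python
"""PIXHELL-style acoustic covert channel, simulated end to end.

Added example, not code from the paper. The physical link (pixel pattern ->
power draw -> coil/capacitor noise) is replaced by an assumed model: each
displayed frame of alternating black/white rows is rendered as a sine tone at
the transmitter's target frequency, with amplitude proportional to the rows'
grey level. Framing (preamble + binary FSK) and the Goertzel demodulator are
ordinary covert-channel practice.
"""
import math
import random

SAMPLE_RATE = 44_100            # Hz; microphone rate on the receiving phone or PC
SYMBOL_SECONDS = 0.05           # duration of one bit (assumed)
FREQ_0, FREQ_1 = 5_000, 7_000   # FSK tones for bit 0 / bit 1 (assumed, inside 0-22 kHz)
PREAMBLE = [1, 0, 1, 0, 1, 1]   # fixed bit pattern marking the start of a frame (assumed)
ROWS = 64                       # rows in the hypothetical transmit bitmap


def bitmap(level=255):
    """Alternating rows of black and 'white' at the given grey level.
    255 is full white; 15, 7, 3 and 1 are the near-black stealth levels."""
    return [level if row % 2 == 0 else 0 for row in range(ROWS)]


def emitted_audio(frames):
    """Assumed screen model: one tone per frame, amplitude = mean row intensity
    as a fraction of full scale (0.5 for full-white stripes, ~0.03 at level 15)."""
    n = int(SAMPLE_RATE * SYMBOL_SECONDS)
    out = []
    for rows, freq in frames:
        amp = sum(rows) / (len(rows) * 255)
        out.extend(amp * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n))
    return out


def transmit(payload, level=255):
    """Malware side: preamble + payload bits, MSB first, one frame per bit."""
    bits = PREAMBLE + [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    return emitted_audio([(bitmap(level), FREQ_1 if bit else FREQ_0) for bit in bits])


def microphone(samples, noise_rms=0.1, seed=7):
    """Receiver side: what the nearby device records (constructed: tone plus
    seeded Gaussian room noise; no propagation or echo is modelled)."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, noise_rms) for x in samples]


def goertzel_power(block, freq):
    """Power of a single frequency in `block` (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples):
    """Per symbol: (decided bit, power of the stronger tone). Symbol boundaries
    are assumed known; a real receiver must first synchronise on the preamble."""
    n = int(SAMPLE_RATE * SYMBOL_SECONDS)
    out = []
    for start in range(0, len(samples) - n + 1, n):
        block = samples[start:start + n]
        p0, p1 = goertzel_power(block, FREQ_0), goertzel_power(block, FREQ_1)
        out.append((1 if p1 > p0 else 0, max(p0, p1)))
    return out


def decode(samples):
    """Find the preamble in the bit stream and repack what follows into bytes."""
    bits = [bit for bit, _ in demodulate(samples)]
    for i in range(len(bits) - len(PREAMBLE) + 1):
        if bits[i:i + len(PREAMBLE)] == PREAMBLE:
            data = bits[i + len(PREAMBLE):]
            return bytes(int("".join(map(str, data[j:j + 8])), 2)
                         for j in range(0, len(data) - 7, 8))
    return None


def mean_tone_power(samples):
    """Receiver-side signal strength: average power of the detected tone."""
    powers = [p for _, p in demodulate(samples)]
    return sum(powers) / len(powers)


if __name__ == "__main__":
    loud = microphone(transmit(b"OK", level=255))
    dim = microphone(transmit(b"OK", level=15))    # screen looks black to the user
    print(decode(loud), decode(dim))
    print(f"tone power, white vs level 15: {mean_tone_power(loud):.0f} vs {mean_tone_power(dim):.0f}")
```

Run stand-alone, the script decodes b"OK" both at full brightness and at grey level 15, but the received tone power drops by a factor of roughly (255/15)² at the dim level, since amplitude scales with grey level in this model; that is the sound-level trade-off described above, and it is what leaves less margin against room noise. The simulation also assumes the receiver already knows where each 50 ms symbol starts; a real receiver has to recover that timing from the preamble first.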
This is not the first time the audio gap has been bridged in a laboratory setup: previous studies by Dr. Guri and colleagues have used sounds generated by computer fans (Fansmitter), hard disk drives (DiskFiltration), CD/DVD drives (CD-LEAK), power supply units (POWER-SUPPLaY) and inkjet printers (Inkfiltration).
Recommended countermeasures include using acoustic jamming devices to neutralize transmissions, monitoring the audio spectrum for anomalous or unusual signals, limiting physical access to authorized personnel only, banning the use of smartphones, and using external cameras to detect unusual modulated screen patterns.
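As an added example of the spectrum-monitoring countermeasure (not code from the paper), the following Python monitor flags windows of microphone audio that are dominated by a single narrowband tone and alerts when such tones persist, including when they hop between a few fixed frequencies as an FSK channel does. The window size, frequency grid, peak-to-median threshold, persistence count and the constructed 5 kHz / 7 kHz test clip are assumptions for illustration.

```python
"""Audio-spectrum monitor for PIXHELL-like tones.

Added example, not from the paper. It slides a short window over microphone
samples, measures power on a coarse frequency grid, flags windows in which a
single bin dominates the band, and raises an alert when such a narrowband tone
persists for several consecutive windows even while hopping between a few
fixed frequencies, which is the signature of an FSK covert channel. Thresholds
and the constructed audio below are assumptions, not values from the paper.
"""
import math
import random
import statistics

SAMPLE_RATE = 44_100
WINDOW = 1_024                           # about 23 ms per analysis window (assumed)
GRID = list(range(1_000, 20_000, 500))   # frequencies probed inside the 0-22 kHz band
PEAK_RATIO = 20.0                        # peak-to-median power ratio counted as a pure tone (assumed)
MIN_WINDOWS = 8                          # consecutive flagged windows before alerting (assumed)

# Cosine/sine tables per grid frequency, computed once so each window is a dot product.
_TABLES = {
    f: [(math.cos(2 * math.pi * f * i / SAMPLE_RATE),
         math.sin(2 * math.pi * f * i / SAMPLE_RATE)) for i in range(WINDOW)]
    for f in GRID
}


def bin_power(block, freq):
    """Power at one frequency: projection onto a cosine/sine pair (a single DFT bin)."""
    re = im = 0.0
    for x, (c, s) in zip(block, _TABLES[freq]):
        re += x * c
        im += x * s
    return re * re + im * im


def dominant_tone(block):
    """Strongest grid frequency in the window and its ratio to the median bin power."""
    powers = {f: bin_power(block, f) for f in GRID}
    peak = max(powers, key=powers.get)
    median = statistics.median(powers.values()) or 1e-12
    return peak, powers[peak] / median


def scan(samples):
    """One entry per window: the dominant frequency if the window is narrowband, else None."""
    flags = []
    for start in range(0, len(samples) - WINDOW + 1, WINDOW):
        peak, ratio = dominant_tone(samples[start:start + WINDOW])
        flags.append(peak if ratio >= PEAK_RATIO else None)
    return flags


def alerts(flags):
    """Runs of at least MIN_WINDOWS narrowband windows; each alert lists the
    frequencies the tone occupied, so a two-tone FSK channel shows as two values."""
    found, run = [], []
    for f in flags + [None]:
        if f is not None:
            run.append(f)
            continue
        if len(run) >= MIN_WINDOWS:
            found.append(sorted(set(run)))
        run = []
    return found


def _tone(freq, seconds, amp):
    n = int(SAMPLE_RATE * seconds)
    return [amp * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)]


def room_noise(n, rms=0.02, seed=1):
    """Constructed background: seeded Gaussian noise standing in for office hum."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, rms) for _ in range(n)]


def constructed_attack_audio():
    """Constructed: a 5 kHz / 7 kHz FSK stream (50 ms symbols) over room noise."""
    tones = []
    for bit in [0, 1] * 5:
        tones += _tone(7_000 if bit else 5_000, 0.05, 0.3)
    return [t + n for t, n in zip(tones, room_noise(len(tones)))]


def constructed_benign_audio():
    """Constructed: room noise only, same length as the attack clip."""
    return room_noise(int(SAMPLE_RATE * 0.5))


if __name__ == "__main__":
    print("attack:", alerts(scan(constructed_attack_audio())))   # [[5000, 7000]]
    print("benign:", alerts(scan(constructed_benign_audio())))   # []
```

The persistence requirement is what keeps this from firing on every keyboard click or notification chime: a single loud window is ignored, and only a tone that stays narrowband across many consecutive windows, whether fixed or hopping between a small set of frequencies, produces an alert. On a real deployment the grid, window length and threshold would be tuned against recordings of the room, and an alert would be correlated with whether a screen in that room was supposed to be idle at the time.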