Electromagnetic (EM) covert channels pose a severe threat to air-gapped networks; however, conventional approaches require attackers to deploy dedicated receivers in close proximity, limiting practicality. This paper proposes TEMPEST-LoRa—the first cross-technology covert channel (CTCC) leveraging EM emanations from video cables to modulate sensitive data into RF signals compliant with the LoRa physical layer, enabling stealthy long-range transmission to off-the-shelf LoRa gateways. Unlike prior work, TEMPEST-LoRa operates even when the display is powered off, circumventing hardware and protocol isolation barriers. Experimental evaluation demonstrates stable communication up to 87.5 meters with a peak throughput of 21.6 kbps. To our knowledge, this is the first demonstration of exploiting wide-area IoT infrastructure—specifically LoRaWAN—as a covert receiver, thereby substantially extending the geographical reach and real-world feasibility of air-gap attacks.

Electromagnetic (EM) covert channels pose significant threats to computer and communications security in air-gapped networks. Previous works exploit EM radiation from various components (e.g., video cables, memory buses, CPUs) to secretly send sensitive information. These approaches typically require the attacker to deploy highly specialized receivers near the victim, which limits their real-world impact. This paper reports a new EM covert channel, TEMPEST-LoRa, that builds on Cross-Technology Covert Communication (CTCC), which could allow attackers to covertly transmit EM-modulated secret data from air-gapped networks to widely deployed operational LoRa receivers from afar. We reveal the potential risk and demonstrate the feasibility of CTCC by tackling practical challenges involved in manipulating video cables to precisely generate the EM leakage that could readily be received by third-party commercial LoRa nodes/gateways. Experiment results show that attackers can reliably decode secret data modulated by the EM leakage from a video cable at a maximum distance of 87.5m or a rate of 21.6 kbps. We note that the secret data transmission can be performed with monitors turned off (therefore covertly).