A 3D miniature model of a city in Japan, with pins inserted between buildings. Conveys different locations being identified or selected.

Faraday Bags Can Enhance Mobile Phone Privacy & More

What They Are and What They Do

The word ‘Faraday’ is actually the surname of the 19th century British scientist Michael Faraday. He discovered that an object placed inside a conductor was immune to some external electrical charges. Basically, protecting an object from unwanted external interference. This technology has been applied to protect an airplane’s components and occupants from lightning strikes. USB cables utilize it to minimize interference whilst transferring data. The technology is even found in MRI screening rooms, where it prevents potentially misleading noise from being added to the images of patients.

A Faraday bag is simply a small flexible pouch-like accessory, that stores and shields a digital device from various radio wavelengths. The bag’s material and structure (i.e. porousness) determine the shielding’s effectiveness.

Faraday bags specifically designed for mobile phones will purposefully block: 2G, 3G, 4G, GPS, Bluetooth, Wi-Fi and NFC radio signals. Once a device, such as a smartphone, is placed into a sealed bag, it should not be able to send or receive data. When the device is taken out of the bag, it will re-establish radio communication with the various technologies listed above.

 

Reasons For Using a Faraday Bag

The main reason I use one is to have peace of mind my location isn’t being tracked whilst out and about. I consider location information to be one of the most revealing pieces of personal data, as I shall explain. As such I think it should be strongly protected. Therefore, taking the step of using a Faraday bag is worth the minor hassles entailed.

I have identified three areas in which using a Faraday bag for a mobile phone, tablet or laptop can be beneficial. Naturally, different people have different needs and concerns, so not all of the following areas may be applicable to you.

1. Privacy

The ability to have complete control over my location data was a big factor in exploring Faraday bags. On the typical smartphone, GPS is likely active, as might Wi-Fi and cellular. Perhaps even Bluetooth. All of these sources are capable of identifying your location to varying degrees of accuracy.

GPS is the most accurate and can pin point a location to within approximately 5 meters (16 feet). When combined with other technologies it can be accurate to a few centimeters.

Simply having Wi-Fi enabled when you are traveling, allows your smartphone to collect the SSIDs of nearby access points, regardless if you connect to them or not. Some SSIDs are generic, like “BTWifi-with-FON”. Others can be more identifiable, e.g. “Starbucks-High-Street”. A snapshot of visible SSIDs could be used to determine a smartphone’s approximate location. When gathered over time, these snapshots can essentially be used to track movement. An online tool exists called WiGLE that displays on a map the location at which SSIDs have been detected. (Try type in your home address or SSID, if it is unique, and see if it appears. If so, I recommend changing it to enhance your privacy).

Location can also be determined via your cellular provider (e.g. Vodafone). Their cellular tower infrastructure can be used to triangulate your location. In an area with a higher number of cell towers, such as a city, this often results in a higher degree of accuracy.

Bluetooth can behave similarly to the capturing of Wi-Fi SSIDs to determine a location. However it is limited by its much shorter range.

The examples given above involve your digital device reaching out to an external party and exchanging some information. As the French forensic science pioneer Edmond Locard argued, “every contact leaves a trace”. Once information is transmitted from your device to the hands of another party, there is little you can do to get them to relinquish it. That information may be used for good, it may not be. They may have good security practices, they may not have. In any case, it is likely you want your location kept private for any number of reasons.

Your location is not just a snapshot of where you are at any one moment in time. Location data is typically collected frequently, which reveals movement, direction and speed. This can be used to work out commuting routes, where you work, what shops you visit, people you visit and so on. E.g. if for five days of the week your location is reported as someplace that isn’t your home address, for say a period of eight hours, it could be determined this is your place of work. The speed at which you travel between home and work can determine what mode of transport you take.

When a digital device turns on its Wi-Fi radio, it will probe the various channels in the wireless spectrum to determine which ones are viable. These probes contain the MAC address of the digital device itself. MAC addresses are unique, with one device in the entire planet owning a particular MAC address. With enough geographically dispersed devices collecting probes that contain your MAC address, it is possible to track your location [1]. Furthermore, if the MAC address is linked to your name in any way, this provides a link directly back to you.

Documents leaked by Edward Snowden described how America’s intelligence agency, the NSA, collected and used location data [2]. They were found to be collecting mobile phone location data, belonging to both American and non-American citizens. None of whom consented to having their data swept up in such a way. The NSA achieved this by eavesdropping on the infrastructure of mobile phone service providers. The information gathered allowed them to calculate the distance and speed of their subjects. An algorithm called ‘CO-TRAVELER’ would then capture the time, date and location of mobile phones. It could then analyze that data to detect when people were using ‘burner’ phones. I.e. buying phones and using them once before discarding them. Daily data captures allowed the NSA to look back in time to trace an individual’s movements to see where they went, who they went with and for how long.

You may genuinely trust your government, or you may not. You may be in a country that doesn’t have as stringent (but not perfect) privacy laws such as the United Kingdom or Switzerland. I think it’s important to highlight that the scope of this data collection is by no means limited to just government [3]. Data collection by private companies can be just as, if not more so, intrusive.

Companies like Google and Facebook collect and siphon off location data too (as mentioned in a previous post: How to Quit Google & Alternative Suggestions). E.g. your location data, en-route to Google, will transit your service provider’s network and any other intermediaries. Additionally it could be swept up by governments for analysis, as just described. The biggest difference between government collection and private company collection is that we explicitly consent to the private company’s data collection practices.

In relation to privacy and location tracking, the motivation for wanting to use a Faraday bag may be starting to become clear. Simply popping your digital device into a Faraday bag quickly solves all of the above mentioned problems. At least until you remove the device from the bag, that is. Whilst not a foolproof solution, it is at least a solution that puts you in control of things if only for a while.

2. Security

Security-wise, Faraday bags can be useful in some, granted rather extreme, circumstances. When first starting out researching this blog post, I was sceptical of how a Faraday bag would improve digital security. Podcasts I had listened to were vague with their claims and relevant manufacturer websites provided no real evidence to back up their claims.

After some digging I can see some use cases. However a lot of the use-cases assume knowledge that the general public have no way of verifying. For example, Edward Snowden stated in an interview that the NSA was capable of activating mobile phones remotely, even when they were turned off [4].

It is speculated this could have been achieved by hacking the baseband processor’s (the chip inside a smartphone that actually performs the telephoning function) firmware. When a smartphone is powered off, the operating system processor carries out this instruction. This is a completely separate processor from the baseband processor. It is thought that the baseband processor may lie in a dormant state even when the phone is completely ‘off’, allowing it to be turned on upon receiving a command. The firmware of many computing devices have long been reported as generally insecure [5], so this sounds plausible enough. Assuming what Snowden said was accurate, then yes using a Faraday bag would indeed prevent any eavesdropping from being successful.

Arguably, so too would simply taking out a phone’s battery, if possible. Two best-selling smartphones, the iPhone X and Samsung Galaxy 9 do not have user-removable batteries however. The potential of having malware display fake power-off screens is a possibility. Some phones have small backup batteries to keep time, these could be exploited in some way to turn the main battery on [6]. Regardless if his allegations are currently correct, it is not difficult to imagine these types of hacks becoming ‘mainstream’ in the coming years or decades.

One other use-case I heard related to apps being compromised by a hacker. A Faraday bag would stop the malicious app from being able to collect data about its victim. Whilst this is true, it is hardly seems a serious solution at all. For as soon as the device were to be removed from the bag, then the malicious activity could simply resume.

3. Productivity

One less obvious benefit of using a Faraday bag I have noticed is the peace of mind you get knowing you are completely disconnected from your device(s). Shoving my tablet and phone into Faraday bags before bed has quite a freeing feeling. One, I am not tempted to keep checking them since they are tucked away inside the Velcro enclosure. Two, I know I will not be disturbed by any notifications or need to remember to turn on airplane mode.

Hence it is useful for times when you need to get serious work or study done. Simply place in the bag and know there are no distractions coming your way.

 

Practical Limitations and Workarounds When Using Faraday Bags

Purely from a practical point of view, using a Faraday bag for your mobile whilst outside means you cannot be contacted. For some people this may be acceptable. Callers are still able to text and leave voicemails, all of which you receive shortly after removing your phone from the bag. For others, this defeats the whole promise of having a mobile phone, which is you can be contacted primarily when you are on the move. As is true with much in life though, it is a balance between convenience and necessity. You choose where you fall within that scale.

If using a Faraday bag when at home, again you will not be able to be contacted. A workaround for this is to purchase or use an existing landline phone. Callers will be able to ring you on the landline (good for emergency situations). Depending on how sensitive the nature of the call may be, you can then choose to remove your phone from the bag and return the call using a secure communication platform. For the truly paranoid, a good solution before returning any call may be to leave home first and go to a random location. Or to be efficient, wait until you happen to be in a different location the next day and make all the return phone calls you need to.

 

Technical Limitations of Faraday Bags

A research paper released in early 2018 showed two methods of remotely gathering data from a smartphone enclosed in a Faraday bag [7]. According to the paper, their work was the first of its kind in successfully showing Faraday bags allow information to be leaked.

One exploit called ‘ODINI’ concentrates on the CPU of digital devices. The researchers explain that a CPU emits pure magnetic radiation. Whereas cellular, Bluetooth, Wi-Fi radio etc. emit electromagnetic radiation.

Magnetic radiation can easily penetrate a Faraday bag, whilst electromagnetic radiation cannot. They created malware that would infect a target’s smartphone. Once installed, the malware would increase the workload of the CPU so that its magnetic field increased also. This allowed a sensor located relatively close to the smartphone, to detect the amplified magnetic field. The malware would then obtain sensitive data from the smartphone and encode this into the magnetic field as a data stream. A receiver would pick up that data stream and be able to distinguish the sensitive data from the CPU’s magnetic field.

Whilst the researchers successfully demonstrated the exploit, it is not highly practical. Firstly it relies on the premise of a smartphone being infected with their malware, which is unlikely. Secondly, it relies on an attacker being within close proximity of the target (1.5m / 5 feet) to actually obtain any sort of sensitive data with their sensor.

 

Final Thoughts

For those of you who have privacy concerns and value your privacy, Faraday bags are worth investing in. They are light, simple to use and double as a phone case.

I purchased two bags, one for my tablet and one for my phone. You could get away with purchasing one tablet sized bag and place your other devices inside that one too, to save money.

You do not have to purchase the most expensive one available for it to still be functional. A leading company in this market called Silent Pocket offers a Faraday smartphone bag for around £60. However, an unbranded bag for my phone cost about £9 from Amazon and works perfectly.

You should always test to see whatever bag you purchase works properly. Meaning, you should verify that it does in fact block all radio signals. This can be tested by using an app such as ‘MD Faraday Bag Tester‘.

Faraday bags do not have to be limited for just smartphone use. They work with any other digital device that emit all or some of the same signals as smartphones. E.g. smartwatches, fitness trackers, iPods etc.

 

Minimalist Approach for Maximum Value

Finally it’s time for the usual summary section, where I give the main benefits of following the advice in this article in five points or less. This time by answering,

how using Faraday bags can add value to and simplify your life…

  1. Control your own privacy by ensuring you aren’t able to be tracked by Google or advertisers.
  2. Be more productive. No more notifications or fiddling with ‘Airplane Mode’ or ‘Quiet Hours’ to distract you from work.
  3. Remove guesswork and constant tweaking of privacy settings on your device. Simply place in a bag and have peace of mind your data is private.
  4. Potentially overcomes the need to remove a battery to ensure a device is completely off. Even if not completely off, nothing can be communicated to a remote third party.

 


References

[1] Haigh, S. (2015). Tracking People via WiFI (even when not connected). [Online] Available at: https://www.crc.id.au/tracking-people-via-wifi-even-when-not-connected/. [Accessed 29 Oct. 2018].

[2] Gellman, B. & Soltani, A. (2013). NSA Tracking Cellphone Locations Worldwide, Snowden Documents Show. [Online] Washington Post. Available at: https://wapo.st/2qeJGyZ/. [Accessed 29 Oct. 2018].

[3] Beld, B. (2013). Yes You Are Being Spied On, But It’s Not The Government We Should Look At. [Online] State of Digital. Available at: https://www.stateofdigital.com/spying-data/. [Accessed 29 Oct. 2018].

[4] Scharr, J. (2014). Can The NSA Remotely Turn On Mobile Phones? [Online] Tom’s Guide. Available at: https://www.tomsguide.com/us/nsa-remotely-turn-on-phones,news-18854.html. [Accessed 29 Oct. 2018].

[5] Zetter, K. (2015). Why Firmware Is So Vulnerable To Hacking. [Online] Wired. Available at: https://www.wired.com/2015/02/firmware-vulnerable-hacking-can-done/. [Accessed 29 Oct. 2018].

[6] Carroll, J. & Bazzell, M. (2017). Episode 028: Faraday Bags. [Podcast] The Complete Privacy & Security Podcast. Available at: https://operational-security.com/complete-privacy-security-podcast-e028/. [Accessed 29 Oct. 2018].

[7] Guri, M. et al. (2018). ODINI: Escaping Sensitive Data from Faraday-Caged, Air-Gapped Computers via Magnetic Fields. PhD. Ben-Gurion University.

Photo by Thor Alvis on Unsplash

 

Privacy Notice: Before leaving a comment, you must read and agree to the terms of the Privacy Policy. Some personal information is collected during this process.

 

Leave a Comment

Your email address will not be published. Required fields are marked *