April Fool: Apple iPad and other popular devices vulnerable to data loss through “substrate hack”

[We published this story on 1 April 2011. Of course, the “substrate hack” is nothing more that “reading what’s on someone else’s screen when you’re not supposed to”. So nothing here is entirely untrue: the hack does involve electromagnetic radiation; putting your iPad in a chip packet will foil the attack (ha!); and the attack can be carried out from 100m away using a decent telescope, as suggested in the comments. But, yes, polar foil is an anagram of April Fool. On a serious note, please do watch out for “substrate hackers” – more commonly known as “shoulder surfers” – when you use computing devices in public.]

Recent research by SophosLabs has discovered an alarming vector by which personal and private data can be exfiltrated from modern-day portable computing devices such as smartphones and tablets, including the popular Apple iPad and iPad 2.

This attack is surprisingly easy to pull off, so we’ve made the decision not to release precise details in order to reduce the likelihood of it being exploited by cybercriminals. But it involves data leakage through the physical substrate of the device itself – in other words, through the actual metal/plastic/glass package in which the hardware of the device is contained.

Any reasonably small, uncovered, device is at risk of this sort of attack, which SophosLabs has dubbed a substrate hack.

Ironically, the most effective countermeasure identified so far is extremely low-tech.

Shrouding your iPad or smartphone in any metallised plastic or cardboard reduces the effectiveness of the substrate hack to negligible levels.

Tests carried out at SophosLabs in Sydney – and carefully verified in both Oxford and Vancouver – showed that the most effective smartphone shields include commonplace items of garbage.

Chip packets (crisp packets in UK parlance) and metal-insulated pizza cartons are especially effective. This sort of shield forms a “polar foil” around the device and greatly reduces the risk of data theft.

One caveat has come out of SophosLabs – don’t use Pringles cans.

Opened out, full-size Pringles cans are large enough to shield devices as big as an iPad. (Standard chip/crisp packets are too small for this purpose.) Additionally, Pringles cans have obvious benefits over chip packets and pizza packaging in terms of sturdiness, durability and hygiene.

However, as WiFi hackers know only too well, Pringles cans may act as antennas, boosting rather than attenuating any potential data leakage signal.

It seems certain that smartphone manufacturers will build some sort of polar foil into future models of their devices.

Until they do, your own low-tech solution to this problem is just a snack away!