April Fool: Apple iPad and other popular devices vulnerable to data loss through "substrate hack"

Filed Under: Apple, Data loss, Privacy

[We published this story on 1 April 2011. Of course, the "substrate hack" is nothing more that "reading what's on someone else's screen when you're not supposed to". So nothing here is entirely untrue: the hack does involve electromagnetic radiation; putting your iPad in a chip packet will foil the attack (ha!); and the attack can be carried out from 100m away using a decent telescope, as suggested in the comments. But, yes, polar foil is an anagram of April Fool. On a serious note, please do watch out for "substrate hackers" - more commonly known as "shoulder surfers" - when you use computing devices in public.]

Recent research by SophosLabs has discovered an alarming vector by which personal and private data can be exfiltrated from modern-day portable computing devices such as smartphones and tablets, including the popular Apple iPad and iPad 2.

This attack is surprisingly easy to pull off, so we've made the decision not to release precise details in order to reduce the likelihood of it being exploited by cybercriminals. But it involves data leakage through the physical substrate of the device itself - in other words, through the actual metal/plastic/glass package in which the hardware of the device is contained.

Any reasonably small, uncovered, device is at risk of this sort of attack, which SophosLabs has dubbed a substrate hack.

Ironically, the most effective countermeasure identified so far is extremely low-tech.

Shrouding your iPad or smartphone in any metallised plastic or cardboard reduces the effectiveness of the substrate hack to negligible levels.

Tests carried out at SophosLabs in Sydney - and carefully verified in both Oxford and Vancouver - showed that the most effective smartphone shields include commonplace items of garbage.

Chip packets (crisp packets in UK parlance) and metal-insulated pizza cartons are especially effective. This sort of shield forms a "polar foil" around the device and greatly reduces the risk of data theft.

One caveat has come out of SophosLabs - don't use Pringles cans.

Opened out, full-size Pringles cans are large enough to shield devices as big as an iPad. (Standard chip/crisp packets are too small for this purpose.) Additionally, Pringles cans have obvious benefits over chip packets and pizza packaging in terms of sturdiness, durability and hygiene.

However, as WiFi hackers know only too well, Pringles cans may act as antennas, boosting rather than attenuating any potential data leakage signal.

It seems certain that smartphone manufacturers will build some sort of polar foil into future models of their devices.

Until they do, your own low-tech solution to this problem is just a snack away!

, , , , , , , , , ,

You might like

37 Responses to April Fool: Apple iPad and other popular devices vulnerable to data loss through "substrate hack"

  1. Ron · 1614 days ago

    So it's an RF emanation vulnerability then...

  2. Steven · 1614 days ago

    Without publishing how a compromise could take place, I'd be curious if an attack requires a particular proximity to the unit being compromised.

  3. Chris Van Vorous · 1614 days ago

    is it possible to prevent data leakage permanently by covering my device in foil and sealing it with epoxy to prevent the material from being removed?

  4. Dave · 1614 days ago

    Ho ho! Well done.... had me going for a minute :-)

  5. Mark Wintle · 1614 days ago


  6. Elgee · 1614 days ago

    If I didn't know better, I'd think this was an april fools day prank.

  7. Chase · 1614 days ago

    Relatedly, research shows that fashioning a metallic shroud around one's head can prevent substrate attacks against the cerebral cortex.

  8. sean · 1614 days ago

    Well, Apple is well aware of this vulnerability in the silicon substrate and has already released a patch for the iPad2 with smart covers, though why they can't back port it to the original iPad is unknown...

    • Paul Ducklin · 1614 days ago

      In our tests, the new "smart cover" system on the iPad 2 was not sufficient to thwart a determined attack. We didn't have time to determine whether this was due to the influence of the magnets which hold the "smart cover" in place (in which case you could simply replace them with velco), or due to the substrate of the cover itself.

  9. Craig · 1614 days ago

    My understanding is that you can also use a condom pulled tight over the device. This means the device becomes insular against substrate hack through the barrier provided, but leaves the device fully usable and viewable, through no loss of tactile interface.

    • Paul Ducklin · 1614 days ago

      That won't work - the film must be metallised. If a condom were sufficient, you could just use a layer of cling-film instead - much more suitable for smaller devices such as BlackBerrys and non-tablets.

      (I see from your email address that you are from New Zealand - perhaps there are different regulations for condoms down there? If Kiwi condoms have a visible metallic coating, they'd probably work pretty well.)

      • Also Craig · 1614 days ago

        I think New Zealand condoms need to have metal in them to make the contents appear more sturdy.

  10. Jeff T · 1614 days ago

    Very good Paul!!! I know it's April Fool's Day.
    Thanks for the laugh.

  11. ScottN · 1614 days ago

    Thanks to you guys I'm going to have dreams of glitter-covered prophylactics tonight.

    I was thinking of using a bread tin that I have handy - will that work?

    • Paul Ducklin · 1613 days ago

      I wouldn't recommend a bread tin. They tend to be made of plastic these days, but even if you have an old-school metal one, I suspect that the shielding shape would be suboptimal.

      Also,smartphones are supposed to be portable. A bread tin would be very inconvenient. For example, I can't see the authorities letting you board a plane with an electronic device concealed in a bread tin! (And in Australia you'd probably anyway fall foul of quarantine rules on any interstate flight - no matter how hard you try, you can never get all the old breadcrumbs out of a bread tin.)

  12. Michael Kohli · 1614 days ago

    Paul we have been aware of this issue for some time.
    However we have a slightly different approach to this here.
    A can of spray on chrome can be used to treat multiple iPhones and give added bling, without you looking strange.
    You spray it over the screen area too, but with brightness set to hi it does not really stop you from using the device.
    You can go for a gold or silver look, but avoid the antique brass look as this blocks the screen.

  13. Steven · 1613 days ago

    How close a proximity does an attacker need to be to compromise a device?

    • Paul Ducklin · 1613 days ago

      Closer is better; the attack works trivially with no special equipment to about 1m and works satisfactorily with no special equipment to about 6m.

      With a suitable handheld intensifier/deattenuator for the needed electromagnetic radiation, you can easily push that to 15m.

      With a non-handheld intensifier (the sort of size and weight which would need two people to carry and set up), probably up to 100m. But then you'd be 100m away and so would have a good chance of hiding the substrate-scanning equipment.

      Line-of-sight makes the attack much more robust, but is not a necessity. Scattered radiation still contains a lot of recoverable data...

  14. Bjørn Froberg · 1613 days ago

    Thank you so much Sophos.

    I will immediately start phoning up my customers and inform them of this latest security threat, make an announcement to the press and notify our website subscribers!

    You've saved the day, looking forward to the next conference!

  15. Aris Stathakis · 1613 days ago

    Nice one Paul :-)

  16. Richard Wall · 1613 days ago

    Simple solution.. Don't buy one

  17. Roberto · 1613 days ago

    Is there a preference as to manufacturer of said chip/crisp packet? I have avoided Pringles cans as per your advice, but would like some guidance on which manufacturer/flavour combination would provide the greatest levels of protection. Equally, would using 2 different chip/crisp packets from different manufacturers give me enhanced protection?

    • Paul Ducklin · 1613 days ago

      The "two vendor" strategy isn't necessary - that's the sort of advice you get if you ask a committee.

      Just pick any convenient brand and a flavour you enjoy, since you have to eat the chips/crisps first. I chose my test rig - "Red Rock Deli Chips", as shown above - on the simple grounds that it was the only brand available in the minibar of the hotel.

      I went for the plainest flavour option - "Sea Salt" - on the twin grounds that [a] I hoped the salt coating on the inside of the foil might improve electromagnetic interference, and [b] it's my favourite.

      • How many people noticed the date this alert was released
        and how many people really looked a fool with their phone in a crisp packet
        this Absolutely has to be an April Fool

  18. Steve · 1613 days ago

    What day is it today? Nice one hehe

  19. Fool on the Hill · 1613 days ago

    Whiskey Tango Foxtrot ? April First in full swing already?

    "Don't use flattened Pringles cans because they work as antennae" ???

    Loved the "can of spray on chrome" almost as much as New Zealand's metallized glitter condoms!

    THANKS for getting the day off to a good start!

  20. Tom Harris · 1613 days ago

    I'm imagining new "mobile secure" snack package marketing. ;)

    BTW, I wouldn't recommend Lay's "Sun Chips" bags. Even though I enjoy them and they have the added environmental benefit of being 100% compostable, they are decidedly loud and most likely will annoy anyone in your vicinity.

    Hmm.. Although that may actually be a benefit if it wards off a potential attacker.

  21. Quae Captio · 1613 days ago

    Could it be that the package's dimensions aid the formation of standing waves? And if so - would scraping off the metallic back at least reduce the risk if no cover is at hand?

  22. nontrad · 1613 days ago

    April Fools ???????

  23. ksal · 1613 days ago

    april fool's a little early, fellas?

  24. erroneousgiant · 1613 days ago

    Paul, you're being mean. Everyone knows you need to use a cheese and onion based chip flavour because of the anti-oxidants in the onion interfere with signals.

  25. Pete · 1613 days ago

    Is this for real?... or is an April's fool Joke!....

  26. April Fools · 1613 days ago

    Happy April 1st :)

  27. EdPhil · 1609 days ago

    I'm officially DONE with Sophos. Evidently they have some idea that idiocy like this is appropriate in the security arena. Instead this stunt is a clear indication of how little Sophos is concerned over security and PREVENTING misinformation. I've spent the past three days explaining this extremely bad (and frank moronic) prank to people. It's not funny and it's cost my IT support organization hours.

    Sophos might as well get into the black hat business since thier goal is the same as this unacceptable fraud, waste and abuse.

    Not funny. If I want funny, I'll watch a comedy. I EXPECT complete 24/7 professional performance from my security. April 1st is not a reason to become part of the problem and Sophos as evidently dedicated itself to being. Take this misinformation down, and if you want to make me laugh? Send Paul Ducklin to stand in an unemployment line since he cant take secuity seriously.

  28. MotorCitySarge · 1603 days ago

    Michigan Innovations now offers a new solar foil product called The Tablet Condom. In testing, it protects your tablet from substrate hacks 100%.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog