[We published this story on 1 April 2011. Of course, the “substrate hack” is nothing more that “reading what’s on someone else’s screen when you’re not supposed to”. So nothing here is entirely untrue: the hack does involve electromagnetic radiation; putting your iPad in a chip packet will foil the attack (ha!); and the attack can be carried out from 100m away using a decent telescope, as suggested in the comments. But, yes, polar foil is an anagram of April Fool. On a serious note, please do watch out for “substrate hackers” – more commonly known as “shoulder surfers” – when you use computing devices in public.]
Recent research by SophosLabs has discovered an alarming vector by which personal and private data can be exfiltrated from modern-day portable computing devices such as smartphones and tablets, including the popular Apple iPad and iPad 2.
This attack is surprisingly easy to pull off, so we’ve made the decision not to release precise details in order to reduce the likelihood of it being exploited by cybercriminals. But it involves data leakage through the physical substrate of the device itself – in other words, through the actual metal/plastic/glass package in which the hardware of the device is contained.
Any reasonably small, uncovered, device is at risk of this sort of attack, which SophosLabs has dubbed a substrate hack.
Ironically, the most effective countermeasure identified so far is extremely low-tech.
Shrouding your iPad or smartphone in any metallised plastic or cardboard reduces the effectiveness of the substrate hack to negligible levels.
Tests carried out at SophosLabs in Sydney – and carefully verified in both Oxford and Vancouver – showed that the most effective smartphone shields include commonplace items of garbage.
Chip packets (crisp packets in UK parlance) and metal-insulated pizza cartons are especially effective. This sort of shield forms a “polar foil” around the device and greatly reduces the risk of data theft.
One caveat has come out of SophosLabs – don’t use Pringles cans.
Opened out, full-size Pringles cans are large enough to shield devices as big as an iPad. (Standard chip/crisp packets are too small for this purpose.) Additionally, Pringles cans have obvious benefits over chip packets and pizza packaging in terms of sturdiness, durability and hygiene.
However, as WiFi hackers know only too well, Pringles cans may act as antennas, boosting rather than attenuating any potential data leakage signal.
It seems certain that smartphone manufacturers will build some sort of polar foil into future models of their devices.
Until they do, your own low-tech solution to this problem is just a snack away!
37 comments on “April Fool: Apple iPad and other popular devices vulnerable to data loss through “substrate hack””
So it's an RF emanation vulnerability then…
So it's April 1st then..
Or just an April fool joke…
Without publishing how a compromise could take place, I'd be curious if an attack requires a particular proximity to the unit being compromised.
is it possible to prevent data leakage permanently by covering my device in foil and sealing it with epoxy to prevent the material from being removed?
Ho ho! Well done…. had me going for a minute 🙂
If I didn't know better, I'd think this was an april fools day prank.
Relatedly, research shows that fashioning a metallic shroud around one's head can prevent substrate attacks against the cerebral cortex.
Well, Apple is well aware of this vulnerability in the silicon substrate and has already released a patch for the iPad2 with smart covers, though why they can't back port it to the original iPad is unknown…
In our tests, the new "smart cover" system on the iPad 2 was not sufficient to thwart a determined attack. We didn't have time to determine whether this was due to the influence of the magnets which hold the "smart cover" in place (in which case you could simply replace them with velco), or due to the substrate of the cover itself.
My understanding is that you can also use a condom pulled tight over the device. This means the device becomes insular against substrate hack through the barrier provided, but leaves the device fully usable and viewable, through no loss of tactile interface.
That won't work – the film must be metallised. If a condom were sufficient, you could just use a layer of cling-film instead – much more suitable for smaller devices such as BlackBerrys and non-tablets.
(I see from your email address that you are from New Zealand – perhaps there are different regulations for condoms down there? If Kiwi condoms have a visible metallic coating, they'd probably work pretty well.)
I think New Zealand condoms need to have metal in them to make the contents appear more sturdy.
Very good Paul!!! I know it's April Fool's Day.
Thanks for the laugh.
Thanks to you guys I’m going to have dreams of glitter-covered prophylactics tonight.
I was thinking of using a bread tin that I have handy – will that work?
I wouldn't recommend a bread tin. They tend to be made of plastic these days, but even if you have an old-school metal one, I suspect that the shielding shape would be suboptimal.
Also,smartphones are supposed to be portable. A bread tin would be very inconvenient. For example, I can't see the authorities letting you board a plane with an electronic device concealed in a bread tin! (And in Australia you'd probably anyway fall foul of quarantine rules on any interstate flight – no matter how hard you try, you can never get all the old breadcrumbs out of a bread tin.)
Paul we have been aware of this issue for some time.
However we have a slightly different approach to this here.
A can of spray on chrome can be used to treat multiple iPhones and give added bling, without you looking strange.
You spray it over the screen area too, but with brightness set to hi it does not really stop you from using the device.
You can go for a gold or silver look, but avoid the antique brass look as this blocks the screen.
How close a proximity does an attacker need to be to compromise a device?
Closer is better; the attack works trivially with no special equipment to about 1m and works satisfactorily with no special equipment to about 6m.
With a suitable handheld intensifier/deattenuator for the needed electromagnetic radiation, you can easily push that to 15m.
With a non-handheld intensifier (the sort of size and weight which would need two people to carry and set up), probably up to 100m. But then you'd be 100m away and so would have a good chance of hiding the substrate-scanning equipment.
Line-of-sight makes the attack much more robust, but is not a necessity. Scattered radiation still contains a lot of recoverable data…
Thank you so much Sophos.
I will immediately start phoning up my customers and inform them of this latest security threat, make an announcement to the press and notify our website subscribers!
You’ve saved the day, looking forward to the next conference!
Nice one Paul 🙂
Simple solution.. Don't buy one
Is there a preference as to manufacturer of said chip/crisp packet? I have avoided Pringles cans as per your advice, but would like some guidance on which manufacturer/flavour combination would provide the greatest levels of protection. Equally, would using 2 different chip/crisp packets from different manufacturers give me enhanced protection?
The "two vendor" strategy isn't necessary – that's the sort of advice you get if you ask a committee.
Just pick any convenient brand and a flavour you enjoy, since you have to eat the chips/crisps first. I chose my test rig – "Red Rock Deli Chips", as shown above – on the simple grounds that it was the only brand available in the minibar of the hotel.
I went for the plainest flavour option – "Sea Salt" – on the twin grounds that [a] I hoped the salt coating on the inside of the foil might improve electromagnetic interference, and [b] it's my favourite.
How many people noticed the date this alert was released
and how many people really looked a fool with their phone in a crisp packet
this Absolutely has to be an April Fool
What day is it today? Nice one hehe
Whiskey Tango Foxtrot ? April First in full swing already?
"Don't use flattened Pringles cans because they work as antennae" ???
Loved the "can of spray on chrome" almost as much as New Zealand's metallized glitter condoms!
THANKS for getting the day off to a good start!
I'm imagining new "mobile secure" snack package marketing. 😉
BTW, I wouldn't recommend Lay's "Sun Chips" bags. Even though I enjoy them and they have the added environmental benefit of being 100% compostable, they are decidedly loud and most likely will annoy anyone in your vicinity.
Hmm.. Although that may actually be a benefit if it wards off a potential attacker.
Could it be that the package's dimensions aid the formation of standing waves? And if so – would scraping off the metallic back at least reduce the risk if no cover is at hand?
April Fools ???????
april fool's a little early, fellas?
Paul, you're being mean. Everyone knows you need to use a cheese and onion based chip flavour because of the anti-oxidants in the onion interfere with signals.
Is this for real?… or is an April's fool Joke!….
Happy April 1st 🙂
I'm officially DONE with Sophos. Evidently they have some idea that idiocy like this is appropriate in the security arena. Instead this stunt is a clear indication of how little Sophos is concerned over security and PREVENTING misinformation. I've spent the past three days explaining this extremely bad (and frank moronic) prank to people. It's not funny and it's cost my IT support organization hours.
Sophos might as well get into the black hat business since thier goal is the same as this unacceptable fraud, waste and abuse.
Not funny. If I want funny, I'll watch a comedy. I EXPECT complete 24/7 professional performance from my security. April 1st is not a reason to become part of the problem and Sophos as evidently dedicated itself to being. Take this misinformation down, and if you want to make me laugh? Send Paul Ducklin to stand in an unemployment line since he cant take secuity seriously.
Michigan Innovations now offers a new solar foil product called The Tablet Condom. In testing, it protects your tablet from substrate hacks 100%.