Some Thoughts on Faraday Bags and Operational Security
I recently took a trip to Moscow to interview National Security Agency whistblower Edward Snowden about operational security. In the article I published on The Intercept, I mentioned that I used a faraday bag.
Our first meeting would be in the hotel lobby, and I arrived with all my important electronic gear in tow. I had powered down my smartphone and placed it in a “faraday bag” designed to block all radio emissions.
Since I published my interview, many people have asked me for more information about this faraday bag — which product did I get, what does it protect against, how does it work? So here are some quick thoughts on the topic.
What are faraday bags?
Faraday bags, or more generally, faraday cages, are named after the brilliant scientist Michael Faraday. If you’re a nerd, I recommend watching the 10th episode of Neil DeGrasse Tyson’s Cosmos to learn more about him.
They’re made of a material that blocks electric fields from passing through it. Smartphones have a ton of different built-in radios: GSM, CDMA, 2G, 3G, 4G, wifi, bluetooth, NFC, GPS, and others. Each of these communicates wirelessly by sending and receiving information through the air in the form of radio emissions on different frequencies. If you put your smartphone inside of a faraday bag, it might be listening for incoming radio emissions, but none will reach it, and it might be attempting to communicate to the outside, but all of its messages will fail to penetrate the bag.
Which one should I buy?
I bought my faraday bag on Amazon. I didn’t have a particular product in mind; I basically just read reviews and got a nice one that was a little on the bigger side so that I could fit multiple phones, and also my passport (which has an RFID chip, which also communicates using radio emissions).
It doesn’t particularly matter which product you choose, but make sure that you test it after you get it to confirm that it works. Testing it is easy enough. Put your phone inside the bag, and then use another phone to try calling it. If your phone rings, it doesn’t work. You can also test data in a similar fashion — try sending yourself a notification over data (like a Facebook message) and see if your phone receives it while it’s inside the bag.
Why might this be useful for operational security?
First, assume that your smartphone is hacked and that the attacker can utilize all of its radios and sensors. Also assume that your attacker can get information from third party companies, such as your cell phone carrier, which will know your location and be in a position to eavesdrop on much of your phone usage.
Smartphones are crazy useful, so it sucks to not use them just because you can’t trust them. Instead, you can use faraday bags to selectively keep certain information away from your phone, despite the fact that you can’t trust it.
If you carry your phone around with you, your attacker gets to learn your location. From when you turn on your phone after your airplane lands, to taking public transit or a taxi to your hotel, to going out for dinner or drinks, or anything else — the attacker can see your exact location.
So if you want to have a meeting without revealing to your attacker where this meeting is taking place (your attacker can likely infer who you’re meeting with based on what other phones are in the same location), but you don’t want to leave your phone in your hotel room, you can safely bring it with you inside a faraday bag, because your phone itself won’t be able to determine its location. It may try to, but those signals won’t penetrate the material of the bag.
Your phone might be spying on you in other ways, too. It has a microphone, so it could be listening to your conversations and streaming them back to your attacker over the internet, or using some other wireless technology like wifi or bluetooth. Keeping your phone in a faraday bag will prevent your phone from communicating at all.
But here’s an important caveat: Your phone could be listening to your conversations and storing them on disk, waiting for an internet connection. As soon as you take your phone out of your faraday bag, it can use the internet to upload recorded audio to your attacker.
Faraday bags block electric fields, but they don’t block sound. If you don’t want your phone to overhear a conversation, just putting it in a faraday bag isn’t enough. You also need to put it out of earshot. Put it in a different room, muffle it under some pillows, or put it in the refrigerator.
Legacy comments, imported from previous version of this blog:
Dear Micah Lee, I am not as smart as all you guys on this blog about all this technology, so please bare with me. I was hoping you can answer a question for me. I wanted to get a Faraday bag to shield me from radiation and electromagnetic fields. Yes, I am one of those crazy nuts who still worry about that. I understand that the Faraday bag would do that. But I had hoped that while my cell phone is in the F/bag, that my friends can still leave messages or texts, and then I can check them later. But from what I am reading on this blog, it doesn't sound like anyone would be able to get through and leave any kind of message. Am I right about that? Since you are much smarter than I on this topic, do you have any thoughts/suggestions? It would be very much appreciated!!
That's right, faraday bags are designed to block wireless signals from penetrating the bag completely. People can still send you messages, they just won't reach the phone until after you take it out of the bag and it can talk to networks again. My advise to you is to not worry about the radiation emitted by your cell phone. It's non-ionizing and isn't harmful to health. Also, your phone's radio transmitters are not very powerful compared to the transmitters on cell phone towers, FM radio towers, etc., and those signals are constantly going through your body, but that doesn't matter either because they aren't harmful to your health.
If you really want to protect your body from harmful radiation, you should wear sunscreen.
Thanks very much for your help and for clearing things up for me. Much appreciated!
Can I ask another dumb question? So then are you saying that let's say I am carrying around my phone in a faraday bag in my purse and a friend is trying to send me a text (or call me) during that time. Does that text (or voice mail message) get completely lost, or does it just "wait" in limbo (so to speak) until I take my phone out of the faraday bag, and then that text (or voicemail message) reaches my phone and gets registered (for lack of a better word) and ultimately gets sent to my phone, and I still receive that text (or voicemail message), but just after I take my phone out of the faraday bag? Is that how it works? Or is it that this friend would not be able to reach my phone at all while in the faraday bag? Thanks for your patience with my questions.
When your friend sends you a SMS message, they actually send it to your cell phone carrier, who collects a queue of messages to deliver to you. Your carrier will try to deliver it immediately, but if your handset isn't on the network, it will wait until it appears on the network before sending it. So if your phone is turned off (or if it's in a faraday bag), your messages will just queue up on your carrier's computer all until it connects to the network again, and your carrier will then send them all at once.
So just by putting your phone in a faraday bag (or turning it off) shouldn't make you lose any messages.
THANK YOU so much for taking the time to answer my inane questions!! Now I get it. I really appreciate it. Have a great weekend!
With all due respect to your posting, and IMHO, you wouldn't have a need for a Faraday bag if you are truly worried about harmful UV rays, and if you are talking about body scanners, x-rays and the like, a Faraday bag is just enough to fit a mobile phone, and maybe a tablet. The idea that a Faraday will protect your body seems impractical because there are other more plausible ways of protecting yourself from harmful rays. But if I continue, i will digress from the topic so best to stop here.
Going back to your condition that your mobile, while inside a Faraday must be able to receive messages, and or certain alerts you have chosen; this only means that a Faraday is not what you need because a good quality Faraday will prevent any type of radio connections or radio signals from bluetooth, WiFi, mobile connection, all sensors, NFC, GPS, from entering or going out of the bag. But there is a caveat here: A Faraday CANNOT stop sounds from leaving the bag, or entering the bag. Putting a mobile inside a true working Faraday is not really a foolproof way of avoiding hackers if your phone is the target. So depending on your needs and situation you're supposed to use it for.
Frankly, a Faraday, in order to be a feasible product, is being marketed as an indispensable tool to secure our privacy, and that we need to use this always. It is as a matter of fact, impractical and inconvenient if we follow the directions on the numerous ways described on the tin that a Faraday can secure our privacy. Hilarious actually because it says it secures our data from leaving the bag because it disallows any type connection. This is true but once your mobile is out of the bag, there goes your data leaving your device at the first connection it can get, and since your phone is marked to targeted, it doesn't even matter if a malware has been installed prior because there are other ways of getting to your data before it leaves your phone.
A Faraday has as its best use, for preventing hackers from penetrating your phone from another device nearby, whether android or not. Say, you're Video chatting on your tablet, and your mobile is nearby. A hacker can, without your noticing it as your busy doing work or video chatting on your tablet, enable your bluetooth to discover other devices in your room, your Samsung TV, then can see you also from TVcam. Then hacker via tablet bluetooth discovers your phone and if the hacker is a malicious one, can scare by sending you a message on your phone. You get scared reading the message when you realize the hacker has you covered, He threatens you and tells what you're doing because he can still see you or maybe not. You close the app and even uninstall it because that's the best way to rid of the hacker. You wonder how hacker got your mobile number and how was he able to send you a text ? You factory reset the phone right away.
A Faraday can block signals from reaching the mobile inside. When Video chatting with strangers using a tablet, make sure all devices, phone, other tablets and devices nearby have their airplane mode on. Use a VPN app to prevent hacker from discovering other devices nearby. And don't buy a Samsung TV ;-)
WTF are you talking about dude?!?
Any chance you'd share a link to the bag you bought?
I think I got this one:
Black Hole Faraday Bag - RF Signal Isolation for Forensics, Standard Window Size http://www.amazon.com/Black-Hole-Faraday-Bag-Isolation/dp/B0091WILY0/ref=sr_1_5?ie=UTF8&qid=1448558305&sr=8-5
Just wrap your car key in kitchen foil or make your own "Faraday" bag using some soft material covered in foil and place in a wallet or purse etc. Almost free and just as effective
I bought a pouch on eBay and it has never worked. I tried wrapping the key in tin foil and putting in the pouch, it still did not work. I doubt the effectiveness of these methods.
Hypothetically speaking, can one use a faraday bag for shoplifting?
Yes they can to defeat the electronic tag - individuals use a carry bag lined with tinfoil.
If you've got a fridge around, why bother with the bag?
Hi, this is marginally related to compromised phones, I noticed you are a Qubes fan, have you taken a look at "Secure Spaces" the isolated android rom? Would really be curious to hear your thoughts.
Metal tins work as well. Find an old tin and test it by putting phone inside and try calling it.
Can my employer detect the faraday bag? What type of signal, if any, will they see?
Our Faraday bags and sleeves have double the shielding material and are guaranteed to block ALL signals to and from your wireless devices.
We have had them tested at two different, independent labs, and there are positive reviews of our products all over the internet.
Free shipping to US customers and greatly discounted international shipping as well.
Josh B., but you don't say what company you are from, so that if we are interested, we could check it out.
(Also a fan of Zero History, btw)
Whilst I get the Faraday bag / pouch re. RFID chips in a passport... is there an assumption here that - for a compromised phone - "off" is not necessarily "OFF"?
I.e. Why not just power down? Or is this a tech double-bagging for surety?
Yeah. While it's very unlikely, it is in fact possible that when you power your phone off some malware displays a video for you that looks exactly like you're powering it off, but is still able to use your sensors. Removing the battery is also another way to be sure.
Ive just orderd 3 from Amazon,for my car key fobs,as I have keyless ignition.
Just as a note regarding the cons of a Faraday bag, there is an interesting example within one the Tom Clancy Campus Novels. The Agency is collecting all the meta data on their employee's mobile phones, they notice that it went to a certain area within the city and then stopped moving, at which time a new sim was activated. I believe, without doing the research wasn't this also mentioned in Snowden's stuff that it isn't just the tracking of mobiles but also the mobiles that have been turned off (or in this case placed in a F/Bag), so if two mobiles are turned off at the same times some one is up to something.
Micah, what do you think about the VPN software HIDE MY ASS?
You can't carry the fridge around the subway, taxi etc. Quite so easily.
Couldn't you just wrap your fobs and phobes in foil?
Please, please, please learn the difference between "it's" and "its" -- because not knowing (or caring) makes you look illiterate.
Typo fixed, jerk.
The difference?? Whats to know? One is an abbreviation, the other is not... (well it is possessive). Not much to 'know'. Obviously a typo
Scanning my wlan earlier I've noticed that the microwave does not disturb it. Inspired by this post, I unplugged my microwave and put one of my phones in it. and yes, a modern microwave oven is a faraday cage. I also suspect that it has similar muffling capabilities as the fridge, though I have not tested this myself.