Keeping your smartphone working for you - not your adversary
Digital Signature Management is about managing the personal details and activities you expose to the internet. This article will address an easy to use and relatively inexpensive hardware solution for one of the key problem sets in Digital Signature Management - the Smartphone.
The Smartphone Dilemma
One of the hardest digital signatures to manage is that of the ubiquitous smartphone. Whether you use an iPhone, Android, or a custom security device like the Silent Circle Blackphone, your device, by connecting to the cellular network, continuously leaks your location. Correlation of your location data may provide sensitive details on your business activities and associates. It can also be used by malicious actors as a surveillance tool to record sensitive business conversations. If you have a complex threat model, allowing your adversary access to your business activities in this way is an unacceptable risk.
We recommend not taking your smartphone into meetings where you might conduct sensitive business. Leaving your phone (switched on) in a secure container in your (occupied and attended) home or office, or with a reliable associate is the best way to prevent potential adversaries from monitoring your activities via your smartphone. But what happens when you don’t have the home/office/associate option? Let’s say you’re alone on business travel to another city. It wouldn’t be wise to leave your phone in your hotel safe or rental car, since both are easily accessible to a moderately-resourced threat actor. In these situations, it may be preferable to bring your smartphone with you and use a device called a Faraday shield.
Faraday Shield Basics
A Faraday shield is essentially a container consisting of a conductive metal mesh that blocks both incoming and outgoing RF (radio frequency) signals. It was originally developed by Michael Faraday in 1836 during his experiments with electromagnetic energy. Fortunately, modern technology has delivered the concept of the Faraday Cage, or shield, into practical devices such as bags and briefcases that we can use to isolate and protect our digital devices.
Faraday bags have a conductive metal mesh woven into the bag’s fabric. They are routinely used by law enforcement computer forensics experts to isolate smartphones and computers in order to prevent remote wiping or electromagnetic contamination of crime scene evidence. Enterprise security personnel use them to isolate travel phones and laptops from returning corporate travelers prior to wiping and reinstalling operating systems. In our case, they are an easy fix to the problem of what to do with your smartphone when you are working solo and don’t want your phone leaking your sensitive business activities. While Faraday shields block RF signals they don’t block X-rays, due to their wavelength, which makes them acceptable for use with airport security screening devices.
There are a wide variety of Faraday shields on the market today. They range from tactical-looking forensics bags, to designer purses, wallets, backpacks, briefcases, and messenger bags. Faraday shields aren’t secret. Security officials can spot them, especially if your Faraday shield looks exactly like the forensics bags that they also use. If you are an international traveler, or just someone who doesn’t want the extra attention of the security state, then we recommend using the Faraday shields that have a “designer” vice “tacti-cool” appearance.
Using a Faraday Shield
We use the Faraday shield with our smartphone primarily to defeat location tracking via cellular network data and IMSI catchers, although they are also helpful in preventing some types of remote and close-proximity hacks (more on this in a later article). To use a Faraday shield/bag, simply put your smartphone or digital device into the bag and properly seal it in accordance with the manufacturer’s directions.
When you use a Faraday shield to isolate your smartphone, the cellular network only sees that your smartphone hasn’t maintained periodic contact with the network, similar to when you go into an area with no cellular coverage. Whereas, if you turn off your smartphone or switch it to airplane mode, the smartphone will communicate to the cellular network that it is switching off. This action is recorded in call data records and may highlight your activities. Therefore, if you want to minimize anomalies in your digital signature, don’t switch off your smartphone or place it in airplane mode prior to putting it into your Faraday shield/bag (we will refer to Faraday devices as a “shield” regardless of the design from here on out).
Employ your Faraday shield before you arrive in the area of your sensitive business event (SBE). Likewise, wait until you are well away from your SBE before you remove your smartphone from the Faraday shield. A general rule-of-thumb is don’t let your smartphone connect to the cell tower that services the immediate area of your SBE. We realize this is a difficult call in a large urban environment replete with femtocells, but generally speaking, give yourself 1-1.5 kilometers of distance from the SBE in an urban environment, and 5-8 kilometers in a rural environment.
If you want to get even more “tradecrafty” with your digital signature management, you can plan a route to your SBE that takes you into a naturally occurring zero-signal area such as underground parking garages, elevators, or tunnels (beware of femtocells), and drop your smartphone into the Faraday shield while you are in the zero-signal environment. This prevents an adversary from noticing that your smartphone stopped talking to the cell network even though it was in a high-signal environment - an anomaly that may be noticed by an astute SIGINT analyst.
Be aware that while Faraday shields can block RF signals, they cannot block sound. So it is possible for a compromised smartphone to record a conversation on disc and upload the sound file to a third-party at a later time when the phone connects to the internet. To mitigate this, put something between the shielded smartphone and the conversation. You can place the shielded smartphone in your satchel, briefcase, or purse and remove it from the immediate area of the conversation (i.e. remove it from the table, or place it in another room).
As with all operational security measures, you should avoid overtly employing your Faraday shield in view of CCTV cameras or security personnel. Keep your Faraday shield with your digital devices and avoid leaving it in your hotel room or rental vehicle while traveling to prevent tampering or modification by malicious actors.
Business is Business
Faraday shields can also be used to prevent an un-vetted business contact from using their phone to hot-mic or live-stream your SBE to a third-party. While most professionals understand the dangers of having their smartphones out on the table while conducting sensitive business, there are still those who haven’t been paying attention or are new to doing business in a complex threat model. You can help protect the confidentiality of your conversation by kindly requesting that your business contact place their smartphone in the Faraday shield you have provided and then removing it from the table for the duration of the meeting.
If you are planning to provide a Faraday shield for a business contact, you should be prepared to give a brief explanation for why it is a necessary. You can state that today’s meeting will cover sensitive proprietary information, and cite a recent example of an unauthorized recording of a conversation that has appeared in the news. Then simply state that your company requires this procedure in order to protect their intellectual property or confidential information.
If you have a complex threat model, then you already know you are facing a well-resourced adversary. Your adversary wants to know your plans and intentions, as well as your associates and pattern of life. Location data derived from a smartphone can provide a wealth of key information on who you do business with, when, and where. It’s enough data to interfere in your business operations and enable future physical or digital attacks.
In today’s overly connected world, it has become more and more difficult to manage your digital signature while still reaping the benefits of modern technology. Faraday shields are an inexpensive and readily available way to keep your smartphone working for you and not your adversary.