Last year at Thotcon the presenters were given what were purported to be faraday shielded backpacks - backpacks manufactured with fabric woven out of very fine conductive wires that are said to reflect radio frequency signals inside and outside. The idea is that if you have a cellphone and you put it inside the bag, you could be sure that the phone was not talking to any cell towers so it would be harder to track the person carrying the phone, as well as preventing any malware that may have been installed from phoning home. So the reasoning goes, even if you think you've shut your phone off it may actually have been put into soft-off mode, and you can't always pull the battery to make sure (cough cough Apple). Due to the fact that mobiles are incredibly useful (and expensive) devices folks aren't always willing to ditch them, hence, shielded backpacks.
Seele and I had an excellent discussion that night about whether or not said faraday backpacks were all they were cracked up to be. Marketing being what it is, the claims made by the manufacturer were equally likely to be complete jetwash as they were plausible. Since that time I've been noodling around ways that one could be put to the test to see if they're worth a tinker's dam. Of course there are lots of cheap faraday bags on the market ($50us-$100us) with unknown workmanship or construction. Actual backpacks tend to be on the expensive side, around $200us and only going up from there. That's quite a bit of money to drop on a test subject. While I was in Pittsburgh taking care of my mom last summer and buying medical supplies for her off of Amazon (because the USPS was kneecapped, and consequently can't ship things very well), their recommendation system decided that I'd suddenly turned into a mall ninja and started recommending all sorts of weird (well, weirder, I guess) stuff for me. Including a square yard of faraday fabric from TitanRF at a surprisingly reasonable price. And thus the gears began to turn.
While not exactly the same thing I figured that I could get hold of some and put it through its paces to see if it did... well, anything at all. Let's just say that I'm skeptical of the utility of anything hawked at mall ninjas because they tend to be long on disposable income and short on training. So I placed an order for some faraday fabric as well as 60 feet of conductive thread and, just in case, a double ended cable that I could use as a ground strap in case my early results were less than pleasing.
Given the use cases of faraday shielding bags I figured that I'd put four different radio-enabled devices through their paces while covered with different numbers of layers of faraday fabric to see how well they operated, if at all. Immediately at hand I had a Samsung SM-G965U cellphone (GSM type) which I also used as a sensor for some tests, a Baofeng UV-5R hand-held ham radio, an Adafruit Feather Huzzah that I'd previously used to prototype my embedded environment monitoring devices, a standard RFID card (a Mifare Classic 1k operating at 13.56 MHz), and just for fun the chip in the back of my hand. But no radio device is any good without something to pick up a signal from it so I used my work cellphone (another Samsung), an RTL-SDR manufactured by Nooelec, and a generic ACR122U RFID/NFC card reader/writer.
When the fabric came in I sat down to develop a test protocol. I eventually decided that there were five different trials that I would run on each device, progressing to the next if one didn't work: One layer of faraday fabric, then two layers, then three layers, then wrapping the whole gizmo up in the fabric like a burrito. Wherever possible I used an on-board or isolated power supply (like a battery) to power the device to minimize the possibility of signal leakage down or around the line (tip of the pin to Peter Watts for teaching me that one).
The first thing I tried was the RFID card. I plugged the reader/writer into Windbringer and used ACR122U-reader-writer to interact with it. The control test (java -jar ./acr122urw.jar --dump), as one would reasonably expect resulted in the software printing the contents of the card. Much to my surprise, just laying the faraday fabric over the card was sufficient to shield it, even with the reader sitting right on top. Then just for fun I decided to test the chip in my hand. I used my phone as the reader with the NFC Tools Pro app for Android. I laid the fabric over my hand and wasn't able to read the chip successfully. Same result with cutting a 2 inch by 2 inch square of faraday fabric and taping it on my hand. Sticking one, then two layers of faraday fabric under a bandaid, however did not work as intended. At Laurelindel's suggestion, adding a square of aluminum cut from a soda can successfully blocked my phone's NFC reader. As it turned out, a square of soda can about the size of my thumbnail by itself was sufficient to block the implanted chip from being read (and looks less conspicuous).
The third thing I tried was the obligatory cellphone. Unfortunately, with one phone inside the faraday fabric and the other in my hand making calls and sending text messages I wasn't able to take any photographs of this. Suffice it to say that the control test (one phone call, one text message) worked, but one layer of faraday fabric did not (both the call and text message got through). Then I tried two layers of fabric; once again, signals still got through. Same with three layers of fabric around the phone. Things weren't looking good at this point. Following the Mythbusters tradition of "doing whatever was possible to make this work" I wrapped the phone up with all of the faraday fabric like a burrito and that actually worked as expected. Incoming calls went to voicemail and text messages didn't hit until the phone was unwrapped. So with that as my benchmark, I unwrapped the phone bit by bit until the fabric stopped blocking any signals. All in all, it took five layers of faraday fabric to cut off a GSM cellphone. Doable (especially if you sew a pocket to put the phone in) but a bit unwieldly.
The next test involved one of my Baofeng hand-held radios. I tuned it to a reasonably standard frequency (400.000 MHz), plugged an SDR into Windbringer and used GQRX to isolate the signal. For some reason GQRX's spectrogram display was configured for an eye-searing neon yellow background and neon green-and-red "this is actual signal" color scheme. At any rate I verified that the software-defined radio was properly picking up my hand-held by keying the mic and talking into it for a couple of seconds and watching the waterfall display show something other than migraine inducing neon yellow. I found out early on that using a rubber band or a ziptie to hold the button down didn't work, so I had to press it through the faraday fabric. I don't think this made much of a difference in the test results. One layer of faraday fabric over the radio didn't do anything. Two layers attenuated the signal somewhat but it still reached the receiver. Three layers of faraday fabric around the HT was the minimum needed to cut it off.
Finally I tested regular old 802.11 wifi (2.4 GHz) against the faraday fabric. This took the longest because I had to write some code for Micropython that hit a URL every couple of seconds to leave a record in the server's logfiles. And, to be honest, work was kicking my ass so I didn't do a whole lot of hacking for a week or two. It's not terribly complicated code nor is it particularly pretty but I did make it available in case anyone was interested in looking at it. (github) (gitlab) (git.hackers.town) I configured the Huzzah to hit a public URL on my website, the robots.txt file because it would be easy to filter for and by definition wasn't sensitive. After flashing the code onto the Huzzah and plugging it into a power bank I pinged it a few times to make sure it was on my home wireless network, logged into Dreamhost and watched my server logs for a while to make sure that the gizmo was online and sending requests to the web server (tail -f access.log | grep robots.txt). Then I began testing.
I made sure to cover or wrap everything with the faraday fabric, including the environment sensor (there was no point in desoldering it), the USB cable, and the power bank. One layer of faraday fabric did not block the signal. Two layers attenuated the signal in an inconsistent fashion (when HTTP GET requests did get through they were not on the regular 30 second schedule). Even three layers of faraday fabric did not completely block the signal, though it appeared to be very attenuated from the network traffic. Ultimately, wrapping the whole thing up like a burrito was necessary to block wifi - nine contiguous layers of faraday fabric. An additional observation: The fully charged power bank went from 100% power to 84% in a span of 22 minutes. This is very unusual for that power bank: It's in good condition and regularly exercised. To put it another way, even my Pwnagotchi doesn't suck down power that fast. I suspect this was due to the wireless stack in the 8266 chip searching in vain for the access point and either cranking up the transmit power as far as it could (which would burn through battery power), retransmitting the packets it wasn't getting any acknowledgements of from the other end, or some combination thereof.
Looking at the data I collected it would seem that the sweet spot for TitanRF faraday fabric is highly dependent upon the radio frequencies that you're trying to proof against. For GSM cellular, which operates between 900 and 1900 MHz you're going to need a minimum of five (5) layers of faraday fabric. You may as well take the time (and if you're buying faraday fabric from Amazon you have the time) to sew yourself a nice, thick pouch to stuff your phone in, or maybe line a box with the same amount of faraday fabric. For the shortwave radio I used, which operates in the VHF band between 136 and 174 MHz and in the UHF band between 400 and 520 MHz, you're looking at three layers of faraday fabric around the device. However you can just disconnect the battery and not worry about it. If your use case for these bands is different, and I'm not sure off the top of my head what it might be, you're on your own (but write up and post your results if you can). If it's wifi you're worried about you're going to have to swaddle the device in about nine layers of faraday fabric if you can't disconnect the battery. For RFID you can just lay a piece of faraday fabric on top... or just about anything else metallic for that matter. NFC is a bit trickier, in which case I'd recommend not using faraday fabric at all, but a slice from a soda can and some tape. I didn't try any tests with the fabric grounded because I was (eventually) able to get repeatable results without going to that extreme.
My working hypothesis is this:
In RF theory as the frequency (the number of cycles from high to low) of a signal goes up, the wavelength (the height of the wave as measured from the zero line on a graph) of the signal goes down, and vice-versa. Wavelength is an actual, physical distance; longwave signals are called that because they're... well... long. If you drew a line on the ground to represent the zero line of your graph and you wanted to put a coffee can on the ground at a point that represented the peak of the lowest frequency longwave signal (150 kHz) you'd have to walk almost 2 kilometers. On the other hand if you wanted to measure out your average 2.4 GHz wifi signal on the floor, you could put a dime in front of your feet and a second dime roughly 12.5 centimeters away from it (12.491352 cm, precisely). The math is pretty straightforward:
λ (wavelength in meters) = 299,792,458 (speed of light in meters per second) / f (frequency in Hz)
If you want to play around with the math there's an interactive wavelength calculator that you can plug the frequency into and get the wavelength in meters as the result.
I haven't yet tried to figure out the thread count (the number of threads in a square inch) of the faraday fabric and MOS Equipment hasn't gotten back to me. However, what I think is going on is that lower frequency signals like those used to read RFID and NFC chips have long enough wavelengths that they are more likely to smack into the conductive threads of the faraday fabric and not penetrate than the higher frequency signals used for cellular and wireless communication. For radio signals that are skinny enough to sneak through, multiple layers of faraday fabric make it increasingly likely that they'll hit the conductors. The higher the frequency, the smaller the wavelength, the more layers needed to try to block the signals. Incoming signals that hit the faraday fabric are somewhat likely to be absorbed before they reach what you've shielded, but mostly they'll be reflected away from the device. Conversely, the device that you've shielded with faraday fabric will have its signals reflected away from the outside world if it tries to broadcast. Net result: No usable signal reception or transmission.
If you'd like to see any of the pictures I took while testing I put up a gallery here.
Happy hacking!