Old tech, new battles: Inside F-Secure’s formidable Faraday cage

Even the air conditioning duct has a grille over it


A Faraday cage, originally commissioned and assembled 10 years ago as a means to allow Finnish security firm F-Secure to test Bluetooth-based mobile malware, is still finding productive work even though the type of malware that spawned its creation is long dead.

The copper-lined, 4-by-3 metre enclosure is still used for mobile application testing.

“People don’t properly encrypt their stuff, so information leaks out,” said F-Secure security advisor Sean Sullivan. “You even get cases of apps sending things in the clear.”

“The Faraday cage makes things easier to test, as well as helping us to comply with Finland’s tough privacy laws,” he added.

The cage has a fibre-optic feed into a router, which sits on a power interlock so that it is only powered up when the door of the enclosure is closed. Even the air intake is fitted with a wire mesh. “It’s rated as impenetrable to anything up to the grade of military radar,” said Sullivan.

Smaller on the inside. F-Secure’s Faraday room

Faraday cages of the type used by F-Secure were also employed by Nokia to test base stations, but their use across the industry is rare. Bluetooth worms of the type the F-Secure enclosure was originally built to safely confine have died off as a threat, only to be replaced with a different, arguably more intractable, set of problems.

F-Secure's Helsinki headquarters has 450 staff, around 150 of whom are either engineers or security researchers. The modern building fronts onto the Baltic Sea, which freezes over in the depths of winter.

The security firm’s network is isolated and segmented into three parts. A production network (green cables) handles regular office traffic (sales, accounts, marketing etc.); a yellow-cabled network allows analysts to pull down real and suspected malware samples from storage; while a red network hosts virtual machines running live malware.

Running malware is a necessary step to figuring out what it does, which code obfuscation, encryption and other tricks seek to disguise.

Malware authors often code their creations so that they don’t run in virtual machines, but F-Secure and others attempt to disguise their virtual environment to thwart such trickery, even to the extent of running unlisted Tor nodes in their environment.

The cat-and-mouse game over VM detection can be considered one battle in a much larger war. ®


Biting the hand that feeds IT © 1998–2017