The proliferation of sensitive data on mobile electronic devices increases the risk of theft, loss, and interception by national, corporate, or individual actors. This is a well-known issue for business travelers. This article outlines general recommendations for traveling safely with your electronic devices, and also includes a specific warning relating to North America, Russian, and Chinese border security.
These are general guidelines for protecting your laptop computers and/or smartphones, safeguarding the information stored on them, and limiting liability due to theft or loss. It is highly recommended that all advice detailed within this article be reviewed by your compliance department and legal counsel.
- In most countries, harbor no expectation of privacy in hotels, offices, or public places.
- Many countries regularly monitor networks and phone lines in hotels and business centers. Assume all conversations are intercepted. In some, hotel rooms are often searched.
- Security agencies and criminals can track your movements using your mobile phone and can turn on the microphone in your device, even if you think it is off. If you are in a particularly sensitive meeting, remove the battery to prevent this.
- Security agencies and criminals can insert malware into your device via wireless and other connections.
- When connected to home or office networks, the malware can migrate to other assets.
- Malware can be transferred to your device through USB drives, memory cards, and other storage mediums.
- Transferring sensitive or proprietary information from abroad is therefore risky.
- Security agencies and criminals are highly adept at phishing attacks.
- If your device was searched without your presence, or if your hotel room was searched while your device was in the room and you were not, you should assume the device was compromised or duplicated.
- Recognize that nation-state malware may not be detected/caught by most commercially-available anti-malware/anti-virus software.
- If you can do without the device, don’t take it with you on your trip.
- Don’t take any information you don’t need. If you have to take sensitive materials, make sure they are encrypted, if permitted. Use a dedicated travel laptop and/or phone for your trip, if possible. Do not purchase a phone from a suspect country. Backup all information you take; leave your backup at home.
- Make sure you have strong (newly-created) passwords on your devices before you travel.
- Make sure you have up-to-date security software on your laptop (anti-virus, firewall, encryption, host-based intrusion detection/prevention).
- Make sure your operating system and browser are up-to-date and patched.
- Ensure that only necessary applications/apps are installed on your laptop/phone.
- Disable Bluetooth and other features you don’t need.
- Disable the camera if not needed, and/or cover the lens(es) with tape or some other covering.
- Carry your devices with you aboard the airplane.
- Never leave electronic devices unattended or out of sight.
- Don’t use USB drives given to you as they may be compromised. Also, don’t connect your own USB drive to another computer for the same reason. If you do, assume device is compromised and wipe it as soon as you can.
- Be aware of who is looking at your screen, especially in public areas. Use a polarizing filter on your screen if possible. Shield passwords from view (shoulder surfing).
- Minimize data held locally on travel devices (especially data of a sensitive or critical nature).
- Do not open emails with attachments from people you don’t know.
- Use a VPN whenever possible. Keep in mind that some protocols (e.g. SSL VPN) can be spoofed.
- Avoid wireless networks when possible. In some countries they are controlled by security agencies, and are generally considered insecure.
- Turn off connections when not in use.
- Make sure your computer is shut-down and not in “sleep” or “hibernation” mode before you reach customs.
- If your device or information was compromised, report it immediately to your organization’s security department.
- Change your passwords when you return. Watch for inappropriate access attempts upon return (including VPN logs).
- If it is a concern, recycle the batteries and destroy the devices upon return.
NFC Concerns with Smartphones
Today’s new smartphones come with NFC (Near Field Communications), which allows phones to read and transmit to radio frequency-enabled devices. These can be used to pay for parking and vending machines, or receive links to sites and people.
However, recent security research into NFC discovered a number of vulnerabilities that could allow anyone with another NFC-enabled phone to compromise and/or take over the device by simply bringing the two close to each other.
To minimize these risks, I suggest the following:
- Do not take your smartphone with you – carry a “dumb” phone instead; or
- Disable NFC on the device; and
- Keep your phone in an RF shielded case
I also recommend placing tamper-proof stickers on screw holes and other strategic places on laptops and smartphones to help deter and/or detect interlopers. If the device shows signs of tampering, you should consider it compromised. Do not use the device, and report the incident to your security department.
Many countries have some sort of import controls related to technology, specifically, encryption. China and Russia, for example, do not recognize the personal exemption clause in the Wassenaar Arrangement. Most other countries allow the use of encryption for personal purposes on devices passing through customs.
USA/Canada: In the United States and Canada, border agents have considerable latitude to search electronic devices at the border or take them elsewhere for inspection, whether or not you have done something wrong. When border agencies encounter information that is encrypted or written in foreign language, they may send the device, or a copy of the data, to other government agencies to access the information.
A border agent may ask you to divulge your password or other encryption key upon border crossing attempt. It is critical that your general counsel clearly state what you are to do in this case. However, keep in mind that in failing to comply so may translate as being “uncooperative” and the agent can seize your device for further inspection and/or forbid your entry to the country.
Border control agencies can also keep your device or copies of your data for a “brief, reasonable” amount of time to be searched on or off-site. Returning U.S. or Canadian citizens from embargoed countries may be inspected to ensure no prohibited materials were carried beyond the border.
Russia: It is prohibited to enter the country with encrypted devices, unless you have government permission. Licenses issued by both the Federal Security Service (Federal’naya Sluzhba Bezopasnosti or “FSB”) and the Ministry of Economic Development and Trade are required. License applications should be submitted by an entity officially registered in Russia. This would normally be the company that is seeking to bring an encryption product into Russia.
China: It is prohibited to enter the country with encrypted devices, unless you have government permission. A permit issued by the Beijing Office of State Encryption Administrative Bureau is required. You can either apply for the permit on your own, or contact your encryption software vendor.
Other Countries with Encryption Controls
The following countries also require a permit or license in order to bring encryption technologies that could be used for militaristic purposes or disseminated:
- Belarus - a license issued by the Belarus Ministry of Foreign Affairs or the State Center for Information Security of the Security Council is required.
- Burma (Myanmar) - a license is required, but licensing regime documentation is unavailable.
- Hungary - an International Import Certificate is required.
- Iran - a license issued by Iran’s Supreme Council for Cultural Revolution is required.
- Israel - a license from the Director-General of the Ministry of Defense is required. For information regarding applicable laws, policies and forms, visit: http://www.mod.gov.il/pages/encryption/preface.asp.
- Kazakhstan - a license issued by Kazakhstan’s Licensing Commission of the Committee of National Security is required.
- Moldova - a license issued by Moldova’s Ministry of National Security is required.
- Morocco - a license is required, but licensing regime documentation is unavailable.
- Saudi Arabia – reports say that the use of encryption is generally banned, but research provided shows inconsistent information.
- Tunisia - a license issued by Tunisia’s National Agency for Electronic Certification (ANCE) is required.
- Ukraine - a license issued by the Department of Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine (SBU) is required. The Ukraine also does not recognize a “personal use exemption”, similarly with Russia and China.
Eldon Sprickerhoff, Founder and Chief Security Officer at eSentire
Image Credit: Slon Dot Pics / Pexels