If you will be traveling internationally, you might be wondering how to protect your mobile devices (especially phones and tablets) while abroad.
First, you must understand and accept that EVERY NETWORK you connect to (including your home network) is potentially hostile; this is not an isolated problem that only travelers must face.
There is no such thing as “zero risk” to a device.
However, there are certain things travelers can do when preparing for travel, while traveling, and after travel. Performing these steps can help reduce your risk and information footprint while traveling.
In this 3 part series of software-agnostic advice, we will explore the information security aspects of:
- How to prepare your devices for travel
- How to maintain security during travel
- How to clean-up after travel
Part One – How to Prepare Mobile Devices for Secure International Travel
Who Are You Protecting Yourself From?
Thieves, Competitors, Governments, Scammers, unscrupulous Border Patrol agents.
What Are the Risks?
If you have sensitive, confidential, private, or perhaps more important data, it is your responsibility alone to protect this data.
Actually, these tips can help reduce your risk at any time, but there are always trade-offs with security, and many of these tips can be slightly inconvenient.
Where Should You Begin?
- If you participate in your company’s BYOD (Bring Your Own Device) program, or are bringing a corporate-owned device, be sure to check with your company to ensure that they are ok with you bringing it. Some countries have embargoes that can make this tricky for certain corporations and business types. When in doubt, talk to your Legal team.
- Be sure to check with the US State Department (or your country’s equivalent) for alerts and warnings: https://travel.state.gov/content/passports/en/alertswarnings.html/
- Consider using a “burner phone” that you don’t care about for use while traveling. Inexpensive phones can be purchased easily. If you are comfortable using one type of phone OS, I suggest getting a burner phone that is the same operating system, i.e. if you primarily use an iPad and iPhone, get a burner iPhone. There is a massive learning curve associated with switching to a new OS, and you may not fully understand all of the security and privacy settings of a new OS.
- Start by making a backup.
- Before you begin preparing your device for travel, make a backup. Then, make a second backup, just to be sure 🙂
- Consider putting one copy of your backup in cloud storage, and then storing one locally. Or keep one copy on an external drive in a safe place at home, and one copy on your computer. This is to prevent data loss later.
- The goal of backups is to have a “gold standard” copy of the way you want things to be when you restore your device after your trip.
- Backup (and/or format) any external storage
- Consider overwriting free space with 1’s or similar action
- Be sure to perform a DoD-level “secure erase” while formatting to get rid of any data remnance
- NOTE: Secure erase and free space overwriting can be performed multiple times
- Reinstall a fresh copy of your device OS to remove stored application settings or errant files
- DO NOT RESTORE from a backup! This defeats the purpose of doing a fresh install.
- Patch your OS to the latest version and update all Apps
- If you’re using an unpatched device (or an older OS), all the privacy and security steps in the world won’t help you!
- Do not travel with a laptop, if you can avoid it. Use a tablet, instead.
- Register with the US Embassy in the country you are visiting.
After that you have completed the first preparatory steps, you can begin working on the rest.
You definitely do not have do do ALL of these things. I recently returned from international travel, and only took about 85% of my own advice.
The remainder of these steps can essentially be performed in no particular order.
- Register new, temporary accounts for Google, Samsung, Microsoft, iCloud, etc.
- You want to have a separate account for automatically backing up photos to the cloud and logging into mandatory device services
- Use unique usernames and passwords
- Enable Multi-Factor Authentication!
- If you need to access “paid” applications:
- Create a “Family” and add your new account, authorize Family Purchases
- Next Level: You can purchase the apps again under the new account
- Otherwise, it’s up to you whether you really need to use those apps during your trip.
- If you are using native Mail, make sure your incoming IMAP/POP/Exchange/etc server uses encryption, and make sure that your outgoing SMTP server also supports encryption. This means your authentication and email data will not be exposed to other network nodes.
- Use the web-based email client, rather than native device mail clients, to access your mail. This will prevent mail from being stored on the device, and ensure that the connection is TLS encrypted.
- Sign up for and use a VPN service. Make sure it will work in the country you are visiting
- After you have updated our device, turn off automatic updates in your device and app store
- You will want to review each update, and potentially not update while traveling. Malicious payloads can potentially be injected into updates from spoofed sources.
- Purchase and install a glass “privacy screen cover“ to prevent shoulder surfing of what’s on your screen and what you’re entering
- This will replace your current screen protector, if you have one
- Even with a privacy screen, you must remain vigilant during use – people directly behind you will still be able to shoulder-surf. Someone on either side will not be able to see your screen, but be wary.
- Decrease your application footprint:
- Remove any apps you won’t use on your trip
- Delete any payment methods you won’t use on your trip
- Unlink any accounts you won’t use on your trip
- Remove or limit biometric data for authentication
- Passwords and PIN codes are more of a pain in the you-know-what, but biometrics have been used before in court cases to compel humans to unlock their phones (unwillingly). The factor of “something you know” literally cannot be compelled in a court of law or other situations
- Enable multi-factor authentication on all accounts used on your device that support it
- Obtain and install a local SIM card ONLY IF NEEDED
- You are actually better off using your existing SIM card, if it works in the country/countries you are visiting, and if you can afford the money it will cost to roam internationally. Plugging anything unknown into your device is dangerous
- Be warned that you may end up paying significantly higher fees to roam while abroad. Check your mobile provider for any special plans they have for travel. They will usually save you a ton of money versus “pay as you go”.
- NOTE: Do NOT install any local SIM cards until EVERYTHING ELSE on the checklist has been completed!!!
- If you really want to save money, or if it’s the only option, the local SIM card works great (Be sure to use your VPN at all times…)
- Turn off “push notifications” for any unnecessary services
- This will not only save data, but it will allow you to ensure no data is received when you are not in a safe location or on a VPN.
- Use end-to-end encrypted applications (like Signal) for communications. SMS is not secure.
- Next level: Monitor your device’s network traffic to determine if any unencrypted communications occur and address, as needed.
- Google Voice is a great way to get encrypted messages on all of your devices, e.g. for MFA one time login codes.
- Next Level: Use an application like Wickr or Wire that can automatically delete messages after a certain amount of time.
- Disable Bluetooth and WiFi when you are not using them
- Log out of browser “sync” accounts, and create new profiles if it’s supported. You can also use temporary accounts for this.
- Be EXTREMELY cautious when posting to Social Media while abroad.
- Thieves may be looking for people who are “out of town” to target for burglary.
- Governments and other entities can and will monitor your activities.
- Next Level: Don’t post to Social Media at all. Don’t even login…”US customs agents may require foreigners’ social media passwords as part of vetting”
- Encrypt everything
- Encrypt your memory and removable cards
- Encrypt your backups
- Enable the option for your device to require a password/pin when it restarts
- Turn on ‘find my phone’ features and ensure the device is configured to send the last known location. Test to make sure it works from another device or from the related website.
- Enable the ability to “wipe” your phone when a certain number of failed login attempts have been made.
- Delete all saved WiFi networks your device has “previously connected to”
- Your device will attempt to login to previously connected networks, and someone can log those probes including the passwords.
- Turn on firewall features, if available.
- Turn off device “visibility” to other devices, e.g. disable Bluetooth visibility or AirDrop.
- Install anti-virus or anti-malware software, if your device supports it.
- Disable “side-loading”, which is a way for the device to allow installation of software from 3rd parties not using the trusted app store
- Do not use a jailbroken phone, as this already contains inherent risk.
If your privacy and security is your primary concern, these will help you maintain them. It should be noted that some of these tips may actually arouse suspicion if you are being questioned or detained, even if you are doing absolutely nothing wrong, illegal, or shady.
These tips are being provided for the security and privacy of your data on your devices. This advice is not legal advice, and these tips are not being given to avoid US or any other laws. There are numerous legalities and nuances that you should familiarize yourself with, if you have other goals. EFF has a great article series on your rights and what to expect at a border: https://www.eff.org/wp/digital-privacy-us-border-2017
I’m not a lawyer, and this is not legal advice — It’s never a good idea to break the law, and it’s always best to cooperate fully with border agents and people in authority.
Basically, Forget About the 4th and 5th Constitutional Amendments While Traveling
The US Constitution doesn’t exist in other countries, and, as author Quincy Larson said in Quartz:
The fourth amendment protects you against unreasonable search and seizure. The fifth amendment protects you against self-incrimination.
If a police officer were to stop you on the street of America and ask you to unlock your phone and give it to them, these amendments would give you strong legal ground for refusing to do so.
But unfortunately, the US border isn’t technically the US, and you don’t have either of these rights at the border.
It’s totally legal for a US Customs and Border Patrol officer to ask you to unlock your phone and hand it over to them. And they can detain you indefinitely if you don’t. Even if you’re a American citizen.
The US isn’t the only country that does this.