Mobile Device Security for International Travelers – Part 2: How to Maintain Privacy During International Travel

Defense, Mobile and Device, Personal Security, Privacy, Tips, Travel

 

If you will be traveling internationally, you might be wondering how to protect your privacy and securely use your mobile devices (especially phones and tablets) while abroad.

First, you must understand and accept that EVERY place you visit (including your home city) is potentially hostile; this is not an isolated problem that only travelers must face.

There is no such thing as “zero risk” to a device.

However, there are certain things travelers can do when preparing for travel, while traveling, and after travel.  Performing these steps can help reduce your risk and information footprint while traveling.

In this three-part series of software-agnostic advice, we will explore the information security aspects of:

1. How to prepare your devices for travel
2. How to maintain security during travel
3. How to clean-up your devices after travel 

Part Two – How to Maintain Mobile Device Security During International Travel

Who Are You Protecting Yourself From?

Thieves, Competitors, Governments, Scammers, Intelligence Officers, Spies, Fraudsters, Militias, Insurgents, Unscrupulous Border Patrol Agents.

What Are the Risks?

If you have sensitive, confidential, private, PII, or perhaps more important data, it is your responsibility alone to protect this data.

These tips can help reduce your risk at any time, not just travel.  Keep in mind that, as is common in security, there are always trade-offs, and many of these tips can be slightly inconvenient, take more time, or just be annoying.  Such is the price we seem to have to pay for privacy.

Operational Security (OPSEC)

You’ve left for your trip, and have performed the steps in “Part One” of this series to prepare your devices for travel.

At this point, your paranoia should kick in at least a little bit. Assume you are being monitored and watched for the entirety of your trip. Whether it’s by a random stranger on a train, an intelligence agent, or a hidden camera, everything you do, view, and say could potentially be watched and scrutinized.

But what things can you do to protect yourself while you’re actually traveling?
Operational security (OPSEC) is your main concern now.  The principles of OPSEC can be learned, but OPSEC must be practiced to be effective.

Awareness is the first rule of OPSEC: Observe and memorize your surroundings, the people around you, location of potential emergency exits, nearby cameras, security guards/police/military, and patterns of activity.

Now that you know where you are and the things that are around you, you can adjust your behavior and use your devices accordingly.

Make sure any of your traveling companions understand the threats, risks, and rules. You can trust them with watching your devices, if you wish, but only if they agree to follow your rules.

While you should definitely be concerned about theft, almost more importantly, you should be concerned about someone tampering with your device!

Storing and Transporting Devices

  • Whatever you bring with you on your trip must stay with you at all times.  You must never, ever leave your devices in your hotel room or another location unattended, even for a few seconds. Even while you get breakfast or run down to the Concierge.
    • This is one great reason not to bring a laptop and only use a tablet; a tablet is lighter and easier to carry, and you can locally or remotely wipe a tablet easily.
    • The hotel’s in-room safe is NOT somewhere you want to keep a device at any time unless you’re physically in the room with it (e.g. While you are sleeping.
  • Never trust a hotel safe – Most have master keys and/or master codes (e.g. 9999…) that are well known to thieves, hotel employees, and others.
  • The hotel’s front desk safe is also not acceptable storage. If your device is out of your sight, it’s out of your control. Anyone can compromise it, and the hotel may be complicit in it. I’ve heard stories of hotel security taking bribes to tip off thieves.
  • Never let anyone else handle or hold your phone. They could swap your phone with another phone, run off with it, or plug something into it, causing damage, malware, or data loss/exhilaration.
  • Never put any mobile device or storage mechanism (e.g. USB thumb drive, SD card, DVD player, camera, projector with a HDD) into checked luggage.  Checked luggage is out of your sight and vulnerable.
  • Important items like your passport, smart watch, and memory cards should also never leave your direct sight.
    • Next Level: Bring your bag of “things” into the hotel bathroom with you while you shower (just into view, not actually in the shower :P), so it’s truly never out of your sight.
  • While you’re carrying your items, what you actually carry them in does matter. Do not carry an obvious “camera bag” or “laptop bag”. Briefcases are a terrible idea.
    • Flimsy bag and laptop locks will only prevent honest people from walking away with your items, so don’t rely on them.
    • Backpacks are great, but they are also an easy target for pickpockets.
    • Any bag you carry should be as inconspicuous as possible.
    • Several consumer “travel gear” brands exist that are engineered to create difficulty for thieves and pickpockets. If you are not perceived as an easy target, a thief or scammer may move on to someone else.
    • These types of products use slash-proof fabric, RFID-blocking tech, double straps,  hidden zippers, or zippers with locking mechanisms. This gear can help decrease your risk as part of an overall protection strategy.
    • eBags.com is a great resource for finding security-minded travel gear.
    • Keep in mind that RFID-blocking wallets and bags do not fully block RFID; they only decrease the range at which the device can be read. Yes, you should use RFID-blocking wallets and holders to decrease your risk, but do not assume they provide you 100% security.
  • The absolute best travel accessory I have started using this year is a device from Tumi called the Global Locator.
    • The Tumi Global Locator is a tracking device that is approximately the size of a MiFi or battery charger, and it uses a GPS with cellular and Bluetooth that can locate itself and let you know where it is.
    • If I check a bag, I always have the device turned on and placed inside the locked bag.
    • The Global Locator has two modes: Travel Mode and Hotel Mode. The modes are configured via the app on your smart device on the fly.
      • Travel Mode is basically for flying or while on the road. The device will sleep while traveling faster than a certain speed, so it complies with FAA regulations for cellular devices. When you arrive at an airport, and the device is no longer moving, it will phone home and let you know where it is. You will know if your checked bag made it to your destination, or if it is lost, you will know what airport it is in.
      • Hotel Mode is a movement-sensitive mode. You can place the device in your bag when you leave the hotel, tape it to the inside of your in-room safe door, etc. If the device moves at all, it will alert you via the method you choose (SMS, push, email, etc).
    • The device also has a “proximity sensor” that can tell you when your device is very nearby, or if it leaves your vicinity.
    • The Tumi Global Locator device is available online or in-store, and is currently $150. It truly works great, and I highly recommend it.
    • After the first year of bundled service, it is $50/year for the service.
    • The price is well worth the peace of mind provided, and this device has come in handy for me several times.
    • I use it everywhere I go, even if I don’t check a bag.
    • There are many everyday uses for the Global Locator I’m sure you can come up with yourself.

Always On Guard:  Situational Awareness

  • Any time you enter the unlock password into your device, enter data (PIN codes, passwords, keyboard input), or even view data, you should look around to find potential cameras or people who could see what you’re doing. People around you may be looking to see what you see on the screen, or what you enter using the on-screen keyboard.
  • Generally by default, every time you press a keyboard key, the character you type appears larger so you know what you typed. Other people can see this, as well.
  • On some devices, you can disable the “show the typed key for a short time after press” feature.
  • Staring at the map on your phone while navigating is almost as conspicuous as walking around with a big folding paper map; you’re going to become a target quickly. The screen cover can help, but enable audio and use a single headphone (or the vibration feature) to receive navigation guidance surreptitiously.
  • Do not walk around with your ears and mind engulfed in headphones and loud audio, as it makes you less aware of your surroundings.
  • Wired headphones are theoretically more secure than Bluetooth, as electronic eminence from cables is less likely to be snooped than Bluetooth.
  • People don’t normally approach strangers on the street. If you are approached, be aware of the person coming up to you, but also on other people behind you. Most common scams and thefts begin this way.
  • Some travel sites say you should turn off your device while going through a security checkpoint, but requiring a password or code (no biometrics!) is less suspicious and just as good, IMHO.
  • Use “private browsing” modes in your web browser of choice. This leaves no cookies, URL history, and generally provides a smaller historical activity footprint on your device.
  • Remember, “Full-disk encryption” of your device’s storage only protects your device when it boots up. Once the device is powered up and the password is entered, the disk is unencrypted for the duration of use.
  • It is NOT advisable to use “hidden volumes” or try to hide applications/data. This may be illegal and seen as obstruction or deliberate attempts to thwart the efforts of authorities/agents.
  • Never plug your device into an unknown dongle, computer, or use someone else’s cable.
  • When charging, use a “USB Condom” – a USB Type A adapter that only allows power and disables the pins for data transfer – for charging.
  • Keep an eye on your VPN service connection. If it drops, reconnect. If it drops often, turns off mobile data until you need it. If it does not work in the country you are in, get a new VPN. Enable any feature that denies traffic unless it’s connected to the VPN.
  • You should have already disabled automatic updates within your device and from any App Store, so if an update is available while you are traveling, it’s okay to be cautious or suspicious of it.
    • Review each new available software update carefully. If it is not an important security patch, you probably don’t need to update i.e. You don’t need the latest functionality in Candy Crush…
    • Spoofed sources can deliver malicious payloads under the guise of updates.
  • Your “glass privacy screen cover will help prevent  surfing of what’s on your screen and what you’re entering
    • Even with a privacy screen, you must remain vigilant while using your device, because people directly behind you will still be able to shoulder-surf.
    • Someone on either side of you will not be able to see your screen, but remember to observe your surroundings for cameras and humans.
  • Be cautious of Wifi and Bluetooth
    • Disable Bluetooth and WiFi when you are not using them.
    • Keep your devices in “airplane mode” when not using the internet for best security.
    • Never connect to a random Bluetooth device just to see what it is.
    • Don’t connect to wifi, unless you absolutely have to. Your VPN will provide some protection when connected to wifi, but not completely.
    • While WiFi is enabled, and if you are not connected to a WiFi network, your device will continuously scan for known networks and attempt to login to a previously connected network.
    • Using a WiFi Pineapple or other technology, someone can log those probes — including the wifi passwords. They can then observe and record any unencrypted data you send, try to decrypt your TLS/https traffic, and modify data being sent to or from you. WiFi is extremely easy for an attacker to use for compromising a device.
    • As part of Part 1 of this guide, you should have created your “gold master device backup” and created new device/cloud accounts for use while traveling. Once you disconnect from your primary cloud accounts and your backup has been created, you should also have deleted all of your saved WiFi networks in your device, to limit exposure.
    • Continue to remove networks you connect to during your trip; they are easy to re-add later. Your hotel WiFi will associate and remember your device’s unique MAC address, so you won’t have to pay twice for connectivity.
  • Periodically check to make sure that your device is not configured to be “visible” to other devices, e.g. disable Bluetooth visibility or AirDrop.
  • For additional privacy, use an encrypted third-party DNS provider, or even just a DNS provider that is not provided to you by WiFi or your Mobile Data provider (e.g. OpenDNS).
    • DNS queries are not usually encrypted by default and can be used for tracking and information gathering.
  • If you do not need your smart watch while traveling, don’t bring it. An inexpensive analog watch is theoretically more secure (there is no Bluetooth connectivity required), and if the watch is lost or stolen, you do not have to worry about data being lost or going into the wrong hands.
    • This tip is up to your own discretion, as smart watches can be used to locate your phone.
  • Do not perform backups while you are on travel.
    • Your latest backup should be the “gold standard” version that you created before you left.
  • Ideally, you should have your photos and any new documents automatically uploaded directly to your special “travel” cloud account, not your main account.
  • Some devices have the ability to remotely “wipe” in the event of an emergency. Do this if your device is lost or stolen.
    • Note: Remote wipe capability needs to be enabled PRIOR TO travel, or it probably will not work.
    • Your device should have already been configured to “wipe” itself when a certain number of failed login attempts have been made. You can use this to your advantage, for example, if you think someone is about to steal your phone or you are about to have a confrontational encounter.

Social Media

  • Be EXTREMELY cautious when posting to Social Media while abroad.
  • It is tempting to post photos when you’re sitting on the beach or about to eat your authentic local meal.  However, you can become a target based on this location data.
  • Don’t tell people on Social Media where you are staying or how long you will be there
  • You can try asking the hotel staff to put a note on your account to not give out any information about you, not reissue keys without asking for ID, and to not route any calls to your room. It may not work, but it doesn’t hurt to ask.
  • Most of the major chain hotels have policies requiring ID before granting access, but humans are always the weakest link, and social engineering can be used against them.
  • Don’t use housekeeping in your hotel, if you don’t need it. Even if you don’t leave your devices in your room, many housekeeping staff will leave the door wide open while they’re in the room. This creates a vector for attackers to gain entry.
  • Do not post photos of the inside or outside of your hotel, a local restaurant, or other locations you visit *until you get back from travel*.  Or ever.  If you plan to return to the same location during the same trip or in the future, you probably don’t want anyone to know that information.
  • If you post where you are at a given time, a malicious actor could use this information against you – to find you, to monitor you, or perform social engineering on staff, for example.
  • If a social media app wants to enable “Location Tracking” on your device, say “no”.  Maps are a bit different, but offline maps can be used in many places (particularly with Google Maps).
  • Geolocation tags stored in images can be used to find you and gather information, patterns, etc if those tags are not stripped when posted (especially when sent via SMS or email).  Facebook and Twitter do not need to know your exact location as you should not be “checking in”, anyway.
  • When you need to read or send email, use the web-based email client (in private browsing mode), rather than native device mail clients, to access your email.  This will prevent mail from being stored on the device, and ensure that the connection is TLS encrypted.
  • Some devices have the ability to remotely “wipe” in the event of an emergency.  Be sure to do this if your device is lost or stolen.
    • Your device should have already been configured to “wipe” itself when a certain number of failed login attempts have been made. You can use this to your advantage if you think someone is about to steal your phone or you are about to have a confrontational encounter with an authority.
  • Disable Bluetooth and WiFi when you are not using them
  • Don’t use public wifi, unless you absolutely have to.
  • Your device will attempt to login to previously connected networks, and someone can log those probes including the passwords.
  • Periodically check to make sure that your device is not configured to be “visible” to other devices, e.g. disable Bluetooth visibility or AirDrop.
  • Lastly, don’t let people you are with “tag” you on social media (H/T @Easi123)
    • You may not be able to prevent them from posting photos of you or “checking in” with you, but if you have “approve tags of myself” enabled on the social platform, you can wait to approve those tags until you are somewhere else.

Caveats

If your privacy and security are your primary concern, these tips will help you, but there is no such thing as “zero risk”.

It should be noted that some of these tips may actually arouse suspicion if you are being watched, questioned, or detained, even if you are doing absolutely nothing wrong, illegal, or shady.

This is a lot of info, and really only applies to your devices, although some of these tips are good for your personal safety. You’re probably not going to be able to maintain full OPSEC for the entirety of your trip. The goal is to decrease your risk, not eliminate it entirely. Do your best.

These tips are being provided for the security and privacy of your data on your devices.  This advice is not legal advice, and these tips are not being given to avoid or subvert US law or any other laws.  There are numerous legalities and nuances that you should familiarize yourself with, before you travel or if you have other goals.
EFF has a great article series on your rights and what to expect at a border:  https://www.eff.org/wp/digital-privacy-us-border-2017

I’m not a lawyer, and this is not legal advice — It’s never a good idea to break the law, and it’s always best to cooperate fully with border agents and people in authority.

Safe travels!

 

NEXT:

Read Part 3 of This Series – “How to cean-up your devices after travel

 

Basically, Forget About the 4th and 5th Constitutional Amendments While Traveling

The US Constitution doesn’t exist in other countries, and, as author Quincy Larson said in Quartz:

The fourth amendment protects you against unreasonable search and seizure. The fifth amendment protects you against self-incrimination.

If a police officer were to stop you on the street of America and ask you to unlock your phone and give it to them, these amendments would give you strong legal ground for refusing to do so.

But unfortunately, the US border isn’t technically the US, and you don’t have either of these rights at the border.

It’s totally legal for a US Customs and Border Patrol officer to ask you to unlock your phone and hand it over to them. And they can detain you indefinitely if you don’t. Even if you’re a American citizen.

The US isn’t the only country that does this.

Source:  https://qz.com/912950/never-bring-your-phone-on-an-international-flight-unless-you-want-us-border-control-and-customs-to-take-your-data/