Are you travelling on business in a high cyber risk area?

03 June 2019

by Gaz Collins Incident Response Manager

Email +44 (0)7483 416720

by Dan Snowden Cyber Incident Response Analyst

Email +44 (0)7483 407124

Four steps to mitigate cyber risk while in transit

We know that business travel can heighten cyber security risks for our clients. Keeping your organisation’s privacy and data protected whilst travelling on business is often a case of common sense; by adopting practices such as avoiding open WiFi hotspots and being mindful of sharing too much location data, most business trips should be uneventful from a cyber security perspective.

In this article, we wanted to move away from the obvious by outlining four scenarios that you might not necessarily have thought of and some steps that you can take to mitigate cyber risk while travelling on business:

1. Be aware of Lawful Interception

Lawful Interception, commonly referred to as ‘LI’, is a facility that almost all mobile network operators in every country worldwide provide to local law enforcement and intelligence agencies, allowing them to access both metadata around communications that have previously taken place as well as real-time access to voice, SMS and in many cases data communications.

Here in the UK, legislation such as The Regulation of Investigatory Powers Act (RIPA) and article 8 of The Human Rights Act (HRA) provides safeguards against the abuse of Lawful Interception. However, such strict controls and protections of citizens’ rights are not in place in many business destinations around the globe, meaning that you cannot assume that your mobile communications will remain private when on your travels.

Why might your mobile communications be intercepted?

In most cases, the average business traveller is unlikely to fall under the notice of agencies with a right of access to the local LI system. That being said, bear in mind the following:

  • Will you be communicating with individuals who might already be of interest to local law enforcement or intelligence agencies and therefore end up being targeted by association?
  • Are you travelling in a country where bribery may be a common occurrence? Would local business competitors gain anything from listening in to your communications while you are in the country? It is not unprecedented for LI systems to have been abused with the assistance of corrupt law enforcement officials, and this will again depend on the controls and safeguards that are (or are not) in place.
  • LI systems have in the past been infiltrated by foreign intelligence agencies, with network users having their communications intercepted and exfiltrated. Might this be a possibility in the country where you are travelling?

A way around this issue of course is to make it much more difficult to intercept your communications in the first place.

Encryption of communications ‘end to end’ (that is, encrypting the communication on the sending phone and decrypting it at the recipient phone) is a common feature of most messaging applications available today. Many of these applications also provide the ability to make voice calls. While using them relies on your contacts having access to the same applications, if you are concerned about the privacy of your mobile communications then they can provide an effective way of avoiding more easily intercepted mobile voice and SMS channels.

It is also important to bear in mind the laws around the use of encryption in the country to which you are travelling - more on this later.

2. Keep that phone out of sight

Being discreet when using our phones out in public is a common sense practice that can prevent them from being snatched from our clutches by a potential thief. You would be forgiven however for not giving the same consideration when it comes to the law enforcement agencies of the country to which you are travelling.

Contrary to popular myth, it is very difficult to break into a modern smartphone to access its contents. This has left the world’s law enforcement agencies in a tight spot when it comes to mobile forensics to support criminal investigations. With this being the case, one novel (and wonderfully simple) workaround for law enforcement is to simply confiscate a phone whilst it is unlocked, mid use in the owner’s hands.

So how does this relate to you, the law-abiding business traveller?

You may be right in thinking that the government of the country to which you are travelling is wholly uninterested in your activities but take a moment to think about what that country might gain from the data on your phone:

  • Perhaps you regularly do business with government agencies or defence contractors and have access to highly sensitive data for which your destination country would pay dearly?
  • Maybe you work for a media organisation that doesn’t paint your destination country in as favourable a light as it would like?
  • Did you recently visit a country with whom the country you are visiting doesn’t have the best diplomatic relationship?

These are all reasons for which your destination country’s government might pay you more attention than you might have first thought. This is especially the case at airports.

The long queue at immigration presents the perfect opportunity for the authorities to lift your phone. You are tired and less alert, you are in a captive space and you are likely to take out your phone and send that message to the family to let them know that you have arrived safely.

This may seem far-fetched but we have actual experience of this happening to colleagues at previous employers. Although in these cases our colleagues were eventually reunited with their phones and sent on their way, it is safe to assume that their phones were harvested for data whilst they were out of their possession.

So if you can, leave your phone in your pocket until you are safely through immigration.

3. Think before you encrypt

While it is good cyber security practice to keep your devices encrypted when travelling, data encryption laws vary from country to country and, in many countries, the mere act of importing, exporting and/or using encrypted devices can be illegal.

Some countries, including China, Israel and Russia, may require the acquisition of an import licence before encryption software can legally be brought in. Others, for example Saudi Arabia, reportedly ban any form of encryption; however, this is generally considered to be unenforced. Although it is usually the case that import licences are not required for standard consumer device encryption (e.g., Bitlocker on Windows laptops), laws around this can change frequently, and you should always check whether additional licences need to be acquired before travelling.

Once you’ve managed to actually bring your device into the country, with or without encryption, an additional barrier may still be applied to the use of encrypted communications. Virtual Private Networks (VPNs) are commonly used by organisations to enable encrypted communications between remote employees and a corporate private network. In China, for example, the current law states that foreign organisations are allowed to use VPNs purely for internal work purposes; however, as of March last year, the VPN should now be supplied by an “authorised” VPN provider approved by the Chinese government. While some organisations still use existing corporate VPNs, as the law is not enforced strictly, a crackdown on the use of external VPNs could begin at any point.

Although navigating the encryption laws for each country can be difficult, if these laws are violated, you may not only be prevented from entering a country but could have systems confiscated (potentially losing sensitive data), or, in more extreme cases, face fines or even arrest.

So, what should you do when travelling to countries where the laws prevent you from encrypting devices or communications?

One option is to take an unencrypted ‘burner’ laptop. A burner laptop should be a completely clean device that:

  • has never stored sensitive information on it without being fully wiped;
  • contains the minimal information required for business purposes; and
  • should be wiped and have its operating system reinstalled upon returning from travel.

Although it is also possible to remove encryption from your usual corporate device, this introduces a new risk if sensitive information is present in some form on the machine. If the country permits it, a VPN should also be used when connecting devices to the internet, to increase the security of communications.

4. Ditch the public charging stations

Although it may be tempting to boost your phone’s battery while waiting for your next train or flight, have you ever stopped to consider the security of free charging kiosks and USB outlets? These charging stations are found in many airports, conference centres, and train stations, and almost exclusively use standard USB charging cables or USB ports, which, in addition to supplying power to your device, also allow data to be transferred.

This means that once your phone is unlocked, and in some cases, even when still locked, almost all the information on your phone, including emails, messages, contact information and photos could be compromised. Even when mobile devices can be set to ‘Charging Only’ mode, which supposedly prevents USB data transfer at the software level, some information about the device can still be gathered, such as the device name and serial number, which could allow the device to be fingerprinted.

It is true that data transfer to an unrecognised system requires user input to confirm on many smartphones, which should help to reduce the risk of data theft. However, other methods may be used to bypass this. For example, splitting and recording the screen of the device can be performed without the user’s knowledge and could be used to steal passwords and other sensitive information.

Instead of using the charging station next time you find yourself on low battery when travelling, try to find an AC outlet and charge your device using your own USB cable and power adapter.

If it is necessary to charge your devices via USB outlets, USB data blockers can be purchased for less than £5 and attached to the end of your regular charging cable, to provide hardware level peace of mind that only power is flowing through the cable and not data.

Finally, if no data blocker is available, and the use of a USB outlet is necessary, it is still safer to turn off the device or leave it charging without unlocking the phone, as many modern phones will attempt to prevent data transfer when locked.

Conclusion

Here we have listed just a few of the many cyber security pitfalls to consider when travelling, which could put your business at risk. One misstep could allow sensitive business information to fall into the wrong hands, which could not only cause reputational damage but also incur fines and potentially endanger lives. It is therefore important to remain vigilant when travelling and remember to follow the four steps outlined above!
