Over the last 25 years, I’ve traveled to over 60 countries around the world conducting information security research and working as a consultant to government and private-sector organizations. I wish I could say that I had all of the answers when it comes to traveling safely with technology, but every new trip proves that assumption wrong. Governments and organized criminals are exploiting technology to their benefit, and most travelers notice neither the breadth of information stolen in those attacks nor the persistent access that the attackers have recently been able to achieve.
I’ll start with some general guidance on the current state of affairs: don’t take any data or credentials with you that you aren’t prepared to lose. This is similar to the guidance that I give to friends who want to go visit Mexico City, São Paulo or Buenos Aires with me. I tell them to only carry with them that which they are prepared to willingly hand over to anyone who asks for it, whether that’s a wallet, a watch, a ring, cash, or credit cards. I’ve followed this policy for two decades now; I’ve been robbed multiple times but never harmed.
A key point that many people do not understand while they are traveling internationally is that there is no guarantee that governments or organized criminals will not use readily-available exploits to gain access to data and credentials opportunistically or through targeted attacks. How can these governments and organized criminals gain such easy access to data and credentials? The root cause is essentially the poor state of the world’s cryptographic infrastructure.
Let’s start with a focus on smartphones and some tips about protecting your digital privacy on mobile devices while traveling.
On iOS and Android devices, over 30 countries have applied to participate in Apple’s and Google’s trusted root certificate authority programs. This is all legal: those countries use their laws and international legal precedents to apply to have their roots of trust pre-installed at the Google and Apple factories as part of the ‘lawful intercept’ programs in each jurisdiction where smartphones are sold. This means that the governing authorities can intercept and manipulate any TLS-protected network connection without the user’s consent or knowledge. Most concerning of the countries participating in Apple’s and Google’s trusted root programs are Turkey, Iran, and Venezuela. But there is evidence that even supposedly privacy-respecting countries will use their ‘lawful intercept’ capabilities to exploit the situation for industrial espionage and regulatory enforcement actions.
Unfortunately, if you are an iOS user, there is nothing you can do about these roots of trust without jailbreaking your device and making changes to the trusted root store. Google has provided an option in Android version 7 and later to allow a user to toggle the trust settings for each certificate authority (go to Settings > Security & location > Encryption & credentials > Trusted credentials to view the toggle options).
My recommended list of minimal certificate trusts includes Amazon, Baltimore, Comodo, Digicert, Entrust, Geotrust, Globalsign, GoDaddy, Identrust, Network Solutions, OpenTrust, SecureTrust, Thawte, Verisign and Visa certificate authorities. This generally provides a decent user experience without the blatant government-operated roots of trust risks.
International travelers should watch for any strange alerts about network or trust settings and take action if they believe that a new root certificate has been injected into the trust store, as most network operators have permissions to manipulate the roots of trust on devices which are connected to their cellular networks. Again, on Android, find the newly-installed root and make sure to toggle the trust relationship off.
So, the first recommendation for the wary international tech traveler – leave your iPhone at home and use a Pixel or Android One device with all software updates installed and the trust settings reduced as recommended.
The next major mobile risk area that can be managed by tech travelers has to do with the credentials that are associated with our digital identities. Unfortunately, even on a properly-configured Android device, it is extremely likely that mobile applications will leak credentials to a hostile network operator. The best recommendation is to practice some mobile application and digital identity hygiene before leaving on your trip. Here’s how:
Why so much focus on credentials? We have seen multiple cases over the years in which hostile governments have opportunistically captured user credentials and then used them at a later time when they are needed. This happens especially often in EU regulatory proceedings where companies are being investigated for trade or business practice violations of EU business laws.
The third and most-important mobile guidance for tech travelers to protect themselves is to avoid the use of the default texting or voice calling applications that come with your phone while traveling. This guidance also extends to any of the OTT applications like iMessage, WhatsApp, Telegram, Skype, Google Hangouts, etc.
For personal use, Signal is probably the highest-integrity and most-broadly-deployed app available today. For corporate use, offerings from KoolSpan and Silent Circle are good options. Over the last several months, I’ve been working on a project called Hotshot which provides good protection for direct and group messaging for enterprises. There are many options; just be careful of applications which don’t have good key management or that rely on roots of trust.
Now, let’s talk about laptops. If you are traveling with data that you really don’t want others to have access to at customs checkpoints or when you leave a laptop in your hotel room, then you really just have one option.
The combination of a hardware Trusted Platform Module (TPM) and BitLocker is the best technology available to consumers and enterprises today for protecting data at rest in hostile environments. For situations where data is truly sensitive and the user does not want anyone to be able to gain access to it, my recommendation is to enable BitLocker with a pre-boot PIN. This will require some additional discipline and user actions on every shutdown and boot, but it provides an excellent way to protect data even if a user is under duress.
For example, if a traveler is being challenged to search his/her laptop at a customs checkpoint, the traveler can conveniently ‘forget’ the PIN, thus eliminating any potential to easily access the data on the BitLocker-protected drive. To enjoy the full benefits of this configuration, the user will want to do a complete shutdown of the device every time they are finished with a session. Closing the laptop lid and entering sleep mode will not allow for the full benefits of this approach. For more details, see this How-To Geek article.
It’s important to note that MacBooks do not have a TPM and do not support high-integrity drive encryption. So, again, if you want to protect truly sensitive data, leave your Apple device at home.
The same principle of roots of trust applies to laptops and the security of TLS connections. In Windows, any user with Administrator permissions can delete trusted roots through the Certificates MMC. For more information, see this TechNet blog article.
For root of trust management tips on macOS, see this ECN blog post.
On both Windows and Mac systems, I recommend reducing the number of trusted root authorities to the same list as for Android above.
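The review recommended above can be scripted. The following is an added example, not code from the original article: it lists the roots that fall outside the recommended CA list and, separately, the roots that have appeared since a baseline taken before the trip. The function names are hypothetical, and it assumes the certificate dictionaries that Python's `ssl` module returns.

```python
import re
import ssl

# The article's recommended CA names, normalized to lowercase alphanumerics.
RECOMMENDED = ("amazon", "baltimore", "comodo", "digicert", "entrust",
               "geotrust", "globalsign", "godaddy", "identrust",
               "networksolutions", "opentrust", "securetrust", "thawte",
               "verisign", "visa")

def names(cert):
    """Flatten the subject of an ssl-module certificate dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def ident(cert):
    """Identity for baseline comparison: full subject plus serial number."""
    return (cert.get("subject"), cert.get("serialNumber"))

def label(cert):
    n = names(cert)
    return "%s / %s" % (n.get("organizationName", "?"), n.get("commonName", "?"))

def outside_recommended(certs):
    """Roots whose organization or common name matches no recommended CA.
    Triage only: a root's name is chosen by whoever created it."""
    flagged = []
    for cert in certs:
        n = names(cert)
        text = n.get("organizationName", "") + " " + n.get("commonName", "")
        text = re.sub(r"[^a-z0-9]", "", text.lower())
        if not any(ca in text for ca in RECOMMENDED):
            flagged.append(label(cert))
    return sorted(flagged)

def new_since(certs, baseline):
    """Roots present now but absent from a baseline taken before travel."""
    return sorted(label(c) for c in certs if ident(c) not in baseline)

def local_roots():
    """Assumption: the roots loaded by Python's default TLS context (the
    Windows system stores on Windows, OpenSSL's CA file elsewhere)."""
    return ssl.create_default_context().get_ca_certs()

def make(org, cn, serial):  # helper for constructed sample entries
    return {"subject": ((("organizationName", org),), (("commonName", cn),)),
            "serialNumber": serial}

if __name__ == "__main__":
    for line in outside_recommended(local_roots()):
        print("not on recommended list:", line)
```

Because the name match can be satisfied by any root that carries a familiar name, the baseline comparison is the check that catches an injected root.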
System integrity is key for laptops, and the same guidance applies as for mobile devices above: make sure that all operating system and application software updates are installed, and reset any credentials used from the laptop upon returning from your travels.
For situations when a traveler needs access to a critical system while traveling abroad, it’s highly recommended to require the use of a hardware-based multi-factor authentication token like YubiKey. The cryptographic protections on the secrets within the YubiKey are sufficient to make even the most-determined nation-state eavesdropper look for another way to gain access to credentials or data.
The bottom line is that there are inherent flaws in the technology we use that allow for less-than-ethical or actively-hostile governments (or organized criminal organizations with governments’ help) to gain access to credentials and data while traveling internationally. With the steps outlined above, it is possible to significantly increase the level of effort required to gain access to your data and credentials.
Interested in learning more about this topic from experts like Aaron? Mark your calendars for the InfoSec World Conference & Expo in Orlando, Florida in April 2019.