Editor's Note: This is the sixth installment in a series in which Stratfor discusses the many facets of travel security. Click here for Part 1, Part 2, Part 3, Part 4, Part 5 and Part 7.
German business magazine Wirtschaftswoche on June 25 reported a novel counterespionage technique used by the board members of a German chemical company, Evonik. In Evonik's executive meetings at the office, everyone must put their cellphones in a metal tin — essentially a cookie jar — to block the phones’ signals and possibly to block their microphones as well. Mobile devices can be accessed remotely via malicious software, known as malware, turning them into listening devices, but the right tin can will act like a Faraday cage to block mobile signals. Evonik’s technique works, with some exceptions, if the executives' only security goal is to stop someone from listening in on their meeting. Evonik’s executives are operating under a correct assumption: Mobile devices are easily compromised and present an information-security risk.
The Risks to Mobile Devices
Mobile devices are more vulnerable to criminals when traveling, particularly in unfamiliar places. Business travelers often depend on devices such as laptops, mobile phones, PDAs or tablet computers. They also carry mobile storage devices, such as USB keys, MP3 players and external hard drives. Travelers who fail to secure these devices while traveling abroad expose the devices and the information they contain to data theft and infiltration by malware that can be installed on the device.
Travelers' devices also are vulnerable to physical theft. Criminals target laptops and smart phones for their high resale value. These devices are frequently stolen in airports, bars and restaurants as well as on trains and buses — and even in the street. Laptops and mobile devices should not be set down anywhere a thief can quickly snatch it and run. Even carrying a laptop or mobile device in something other than its case, such as a backpack or a buttoned pocket, will push a criminal, who is looking for the easiest target, to go after someone else.
There are more risks, however, than physical theft. Private competitors or foreign governments may seek to access devices in order to glean valuable company-specific information such as client lists, account numbers and, most valuably, intellectual property.
Some countries use their national intelligence services to spy on visiting executives, especially when the executive's competition in the host country is state subsidized or the technology involved is considered a national priority by the host government. This makes the visitor’s information vulnerable not only to hostile intelligence, but to hostile intelligence backed by state resources, which are significantly greater than those of corporate spies. This has been known to occur in Russia, India and China as well as in countries that many executives might not consider hostile, such as France and Israel.
Commercially available encryption programs can help protect sensitive information on computers when traveling. But the program's password should never be saved on the computer; in fact, it is best to avoid saving any passwords, or at least to use different and more secure passwords for important accounts. In addition, icons for the encryption program should not be displayed on the desktop or task bar. Airport security personnel in some countries have been known to start up a visiting executive's laptop and, upon finding a software encryption program icon, have attempted to retrieve the computer's data and have even damaged the computers when they could not gain access. For another layer of assurance, entire or partial disk encryption minimizes the exposure of data and takes the burden off the user to manually encrypt and decrypt files and folders.
The best way to protect sensitive information contained on a laptop or mobile device is to avoid exposing it to potentially compromising situations. The computer should only contain information specific to the current trip and, when possible, should not contain account numbers, passwords or other sensitive information. Then, should the device be compromised, the executive can take some comfort in knowing that not all of the company's sensitive information has leaked out. When traveling, it is best to replace the regular computer or hard drive with a clean one. This helps protect the data abroad and avoid compromise when the trip ends. The methods described below, used to access a traveler's electronic device, can also be used to plant malware that will extract information through online networks only after the users returns to their office.
It also is important to ensure that all important data on a laptop is backed up in another location. In high-crime areas it is advisable to carry data in an external hard drive or a mobile storage device, separate from the rest of the computer. This approach involves security concerns of its own, outlined below. However, should the laptop be stolen, the thief will not get the data, which is likely far more valuable to a traveling executive than the machine itself.
In some countries, the local intelligence service may try to access laptops or mobile devices left in an executive’s room in order to extract data or place malware. They may even steal the devices to make the incident look like a common theft. For this reason, laptops and mobile devices should never be left in a hotel room, or even in the room’s safe — especially in a country in which the government needs only to ask for a key from the hotel.
Ensuring the constant, physical security of mobile devices and computers is necessary to effectively secure important information. Executive protection personnel should take custody of a traveling executive’s electronic devices when they are not in use — for instance, while the executive is making a speech or attending an engagement.
One alternative is to carry only a smart phone or tablet computer, especially if it can be done without carrying sensitive information, and only used for less-sensitive email communication through encrypted servers. These devices are smaller and easier to carry at all times. But wireless devices have their own inherent security risks and are still vulnerable to theft. Moreover, mobile devices are not nearly as secure as laptops and usually do not encrypt their data.
The prevalence of information breaches over computer and phone networks may make some of this advice seem less important. Yet while networks provide access across continents, devices in physical proximity remain much easier to breach. The basic ability to intercept signals, which criminals can easily do on Wi-Fi networks, is a concern for all encrypted communication, and it is undetectable because it intercepts the data on radio waves rather than by infiltrating the computer. Even the best-encrypted communication has its failure points. One simple and important way to mitigate the risk of compromise is to turn off all network interfaces until they are needed. Most laptops and mobile devices leave Bluetooth on by default, and this is often easily compromised in its standard configuration. Other interfaces like infrared, GPS radios and 2G or 3G radios should be disabled to avoid the risk of compromise or tracking via tower triangulation.
When traveling in a country considered hostile or known to be involved in corporate espionage, a traveler should assume that all communications networks, both wired and wireless, are compromised. Researchers have demonstrated how GSM phone networks can be compromised using a few phones, a laptop and the right software. A virtual private network (VPN), which many companies use to partially encrypt their communications, is best used for email and similar communications. Individuals can set up their own VPNs fairly easily at no cost.
Any traveler, from a student to an executive, can take key preventive measures to help ensure security. An individual can help prevent compromise by locking devices and requiring password access; not installing software, particularly mobile applications, from unknown developers; diligently installing software updates; and not accessing sensitive information, particularly bank accounts, through mobile devices. It is never a good idea to check bank accounts through a mobile device’s browser — a trusted application from the individual's bank is a better idea — and the same applies to company email and other communications that should remain secure. Consider that with all advancing technology, security is a step or two behind. Smart phones in particular are running on new operating systems. This means that mobile devices are often more easily breached than computers.
Even when a traveler or executive takes all available security precautions, vulnerabilities still exist. For example, RSA, the security division of EMC Corp., has specialized in data security, particularly secure authentication for network access including using mobile devices, since creating the first public security key algorithm in 1977. The March 2011 infiltration of RSA, and subsequent infiltrations of L-3 Communications Corp. and Lockheed Martin Corp. using information on RSA’s security tokens, demonstrates that the most secure data can be breached. RSA provides secure authentication for network access, including using mobile devices.
Laptops, tablets, smart phones and other mobile devices have become essential travel accessories. They hold a vast amount of information in a relatively small space and offer easy access to communications. For this same reason, these devices and the information they contain are very valuable for anyone with hostile intentions. Travelers who safeguard the information on these devices and take precautions to mitigate the effects of a compromise could be sparing their companies serious harm. If possible, travelers should go without their usual electronic devices. A company can designate certain laptops for foreign travel, to be sanitized by an IT department or contractor on return. Any mobile storage devices, which can easily carry malware, should also go through such a sanitation process, and disposable phones can be purchased overseas.
Of course, this advice may seem impractical. Given the number of vulnerabilities, it is always best to assume electronic devices and data are compromised. The surest way for travelers to protect their electronic data is to keep the most important information in their heads, offline or in secure storage.