Over the years, I've worked for organisations with various levels of risk tolerance for business travellers. Some have been (rightly) paranoid and others have been (wrongly) placid about the threats their employees face.
The fact is, individuals are often targeted for espionage, blackmail, or other state-sponsored attacks.
Here's a list of some of the different advice I've received, roughly sorted into levels of suitability. Start at the top and work your way down until you reach a suitable level.
USB sticks? No thanks!
At some point, you'll be given a gift of a decorative USB pen drive. It'll either be part of a goodie-bag or you'll be told it has all of this quarter's TPS reports on it.
You should thank them for their kind gift. On your way back to the hotel, drop the stick in a bin.
There's just too much which can go wrong with a USB stick. Maybe it has a virus. Maybe it is an exfiltration device. Maybe it has extreme pornography and the police will catch you with it. Just chuck it. If anyone asks, say you couldn't get it to work and can they please email you the information.
USB Power? Play it safe!
USB powers everything from your phone and laptop, to your headphone and eReader. But USB cables also carry data. Some devices can be silently hacked by plugging them in to a dodgy power port.
Is it likely that the USB socket on the airport bus has been set up to exfiltrate travellers' data? Probably not - but why take the risk?
The best thing you can do is to always charge from your own device. Get a travel charger or, ideally, a portable battery and only use that for charging.
For extra paranoia, you can buy USB condoms and charging-only cables - but they tend to be slower at charging.
Reduce Your App Attack Surface
Do you need all those apps on your phone? Will you cope without your banking apps, dating apps, streaming apps? Each one is a potential vector for abuse.
Is it legal for you to date your preferred romantic partner in your intended destination? You shouldn't have to hide yourself, but having an illegal app on your phone is a great way to get picked up by the police.
Go through your phone and uninstall anything which isn't important to the trip.
A VPN probably draws more attention than it is worth, but browse cautiously
This is slightly counter-intuitive. Every important site on the web uses HTTPS. The really important ones are on a special list which means your browser will only use a secure connection. The chances of your data being intercepted is minimal.
But using a VPN immediately makes your traffic look suspicious and, in some countries, may be illegal.
That said, while the contents of your communications will be private, their destination is easy to figure out. Don't browse pornography or any other site which is liable to get you in trouble. This may include news sites from outside the country.
What passwords do you need?
Hopefully you use a password manager - and hopefully all your passwords are unique. But do you really need to carry around all of them? You password manager almost certainly allows you to create a sub-account into which you can deposit anything you need for your trip.
Similarly, you don't need all your MFA codes with you. If you do need MFA please make sure it isn't coming through SMS.
They're not flirting with you.
Mate, you're a middle-aged sales rep who scored a trip to a conference in an exotic country. Do you really think that pretty young thing is enthralled by your tales of middle-management?
No.
At best, the photos will be used to blackmail you. At worst the police will claim that they're under the age of consent and that will be used to blackmail you.
Laptops and Liability
Your IT team has provided you with a laptop which is encrypted and biometrically secured, right? But do you need that specific laptop?
They should grab a cheap laptop. Fill it with only the documents you need. When you get back home, toss it.
I'm quite serious, a £200 Chromebook is a cheap price to pay to prevent your secrets getting stolen or your network being infiltrated.
What Else?
Possibly you think some of these are overkill. Perhaps you think I'm not being paranoid enough. What would you add to the list?
10 thoughts on “Cybersecurity for the paranoid business traveller”
@Edent thanks for the article!
On the “What else” basket: is it too paranoid to get a used phone to travel to certain countries, just install the bare needs, and discard it when returning?
| Reply to original comment on mastodon.social
I'm curious if you are still at risk charging over a USB cable if you have an adapter on the cable and are plugged into a regular electric wall socket, instead of plugging into a USB port directly? At one point I had been told that that was safe, but I also know that it is possible to send data over those plugs (for example, you can get Ethernet adapters that send network data over your home's electrical wiring).
Is it your cable and charger? I'd say there was no risk. Even if it is someone else's, your phone should pop up a message saying that someone is trying to access it.
Tony
I'm a lot less worried about 'juice jacking' at an airport, I've not heard a case ever. Wifi hijacking is much more common, so avoid random 'free public wifi', especially at airports. Also be very cautious about hotel WiFi if in a country where you're at some risk.
Remove all biometric access to your device for the trip. Use a good PIN instead. Certain countries with invasive phone search laws cannot compel you to provide a PIN, but can use a finger/face/whatever at will.
A burner phone is good - an old fashioned 'feature phone' might be good. No apps, but much harder to exploit. @tjbutt58
If you need data that you don't want to reveal to customs, then don't bring it on your phone/laptop. Keep it on a server, then download it when you're at your destination.
Chris R
Cut out as much social media as possible. You may not be able to hide you have a facebook or, yuk, X account, but change the password to one you won't remember, and leave it at home in your password manager.
Purchase an inexpensive or reconditioned Android device and install Haven. It uses on-device sensors to provide monitoring and protection of physical areas, e.g. hotel rooms.
No. Haven hasn't been updated in over 5 years.
This is terrible advice.
David Brown
I use my phone's wifi hotspot instead of the hotel's.
More comments on Mastodon.
Trackbacks, Pingbacks, and Boosts
[…] Terence Eden has written a handy guide to cybersecurity for the paranoid business traveller. […]