“Data exfiltration.” The phrase is emotionless but what it describes—and how this impacts business travelers—is raw and brutal. Experts will tell you that, increasingly, the data travelers bring with them wherever they go are highly valuable and also highly desired. And that has spawned a tug-of-war between highly skilled cyber criminals and the executives who are their targets.
“The problem is that we live in a post-PC era,” says Alan Brill at security consulting firm Kroll Associates. Most companies have gotten good at securing laptops of traveling executives. There’s a quarter-century of experience and the know-how is deep. But in the post-PC era, there is as much information on phones and tablets, and the protections are often thinner.
It can get downright hairy. “We have seen many cases of executives who have been personally targeted,” says Gregg Smith, CEO of Koolspan, a security company in Bethesda, Md. “I can think of one Fortune 25 CEO who was compromised twice in a quarter. He was traveling overseas.” A frightening fact about most smart phones is that carrier-level updates are permitted by default. And in at least some countries, that means eavesdropping malware may be loaded onto the phones of targeted traveling executives.
“When you are traveling you want to be fully aware that there are ways information can leak out of your phone,” says Terry Jost, an expert with consulting firm EY (Ernst & Young). And of course that same “leakage” occurs with tablet computers and sometimes even laptops.
Our stakes, too, are enormous because we travel with many gigabytes of data—email, address books, files—often on multiple devices: smart phone, tablet, laptop.
Physical theft is a risk as old as time. American journalist Gail Harrington was eating in an American chain restaurant in Lima, Peru, her BlackBerry safely tucked in the middle of the table. Several boys were walking around the eatery, offering candy for sale. She declined and returned to her meal. When she looked for her phone, it was gone.
Most data theft is by happenstance. A phone or a tablet is stolen in a crime of opportunity. In many cases, there is no serious effort to access the data. The thief merely wants to make quick money selling stolen hardware. But there are also instances in which the victim is identified, stalked and pounced upon. Security experts say there is a palpable rise in cases that look like targeting of specific executives, at least in a handful of countries.
Location, Location, Location
“Within an hour of landing in China, there will be malware on your mobile device,” says Dave Anderson, a senior director at Voltage Security in Cupertino, Calif.
Security experts point to similarly elevated risks for certain travelers in Russia, much of the Middle East and France. Other experts put the United States on that list, at least for travelers of interest to the federal government.
Many organizations, notes Brill, advise executives headed to high-risk countries to travel only with what he calls “sanitized devices”—a phone, tablet and laptop with minimal or no data—and with firm instructions to assume every interaction is eavesdropped upon.
But don’t believe there are no concerns everywhere else. Security experts are adamant that wherever travelers go, they have to assume their devices and their data are in danger. But they also have a medley of suggestions as to how to protect gear and its contents.
Public Computer Risk
Never use public computers (for instance, in hotel business centers), urges EY’s Jost. This also applies to in-room iPads provided by some hotels as an amenity. They are fine for checking last night’s sports scores, or reading a movie review. Maybe even doing light research on a local business contact by checking newspaper archives. By all means, too, play a feverish round of Sudoku and watch a video on A&E. But don’t check email, don’t even think about logging into company servers, don’t look at credit card statements, don’t go to any website where a username/password login is required.
The risks that such devices are contaminated are just too high. Crooks are adept at installing “key logging” software, which means they can easily know your every keystroke.
The safest assumption about shared, public computers, say the experts, is that there is no privacy on them.
Hotel Room Theft
“I have had a laptop stolen from my hotel room, at a business conference,” says Wolfgang Goerlich, vice president of consulting services at VioPoint, an information security company.
He is hardly alone in that club. Many phones, tablets and laptops go missing from hotel rooms. It’s so common that most guests stash their gear in the in-room safe.
Best advice: Pare down electronics on trips so only the essentials are brought, and thus there is no temptation to leave gear behind in the room anyway.
Always password protect a laptop, and where possible, encrypt all data on the device—but understand that data encryption is illegal in some countries (notably China and Russia), and it is grounds for seizing the device, notes Kroll’s Brill. He adds: “If you don’t want your computer inspected, don’t bring it across a border.”
Another piece of advice: always connect to networks using a VPN (virtual private network, a secure, encrypted network connection provided by many organizations to their employees), if available. For those without a VPN, always use secure browsing—HTTPS—which encrypts data in motion so that even if a crook is “eavesdropping” on a session, he will probably get only gibberish.
Also, avoid public Wi-Fi in hotel rooms, airports and coffee shops, says Michael Patterson, CEO of Plixer, a network performance measuring company. Most newer smart phones can quickly create a private mobile hotspot (look under settings) that is a more secure Internet connection. At 4G speed it probably equals Wi-Fi at most hotels anyway.
Where public Wi-Fi must be used, take caution to connect only to the authentic article. Any crook can easily erect a rogue hotspot—labeled “Airport” or “Your Hotel”—and that may let him read the traffic that goes out over his fake network. You don’t want to be that victim. If in doubt of a Wi-Fi network’s authenticity, don’t use it. “I have personally witnessed rogue ‘airport’ Wi-Fi—it’s not unusual,” says Mike Gross, a security expert with 41st Parameter in Scottsdale, Ariz.
Always back up all data to a remote server (Dropbox will do in a pinch, although some companies ban its use; check with corporate IT). Hardware can be replaced. Original material sometimes can’t be.
Securing Mobile Phones and Tablets
The first rule: Set up a PIN (under settings), which essentially locks the device against unauthorized users. Granted, government agencies and similarly skilled entities know how to circumvent PIN protections, but this is good, free protection.
Setting a PIN also automatically sets up data encryption on newer Apple mobile devices. On Android, set up encryption by going to settings/security. With a PIN and encryption set, a phone or tablet’s data ought to be reasonably safe from prying eyes.
Another step: Under settings, disable Bluetooth protocols for pairing devices, urges Ken Westin, a security researcher and founder of Mobileprivacy.org. Smart hackers can use this linking technology to gain surreptitious entry into phones and tablets, but if they are shut off, that path is blocked.
Do not assume that a lost device will be recovered by using Find My iPhone and similar apps for Android. They are good, they work, but crooks have read the same articles you have read, and they will put the device in “airplane mode”—frustrating the “find me” tools that need a data connection on the device to locate it. Customer service consultant Dale Blosser reports that was exactly his experience when he lost an iPhone in an Austin, Texas, taxi. “I never found a trace of it,” he sighs.
The News Gets Worse
An emerging threat, according to Koolspan’s Smith, comes from crooks who erect rogue wireless networks that let them take control of targeted phones. “My CTO experienced this at Kennedy Airport in New York,” says Smith.
Most phones are set by default to sign onto whatever looks like the strongest nearby tower—even if it is put out by $1,500 worth of electronic parts operating in a small suitcase, which is how easy it has gotten to create faux towers, says Smith.
Sign onto that network and it seeks to lower the connection speed from 4G to GSM, where protections such as data encryption cease to work—meaning the victim’s phone is an open book. In some cases, the crooks are also said to be able to remotely turn on the phone microphone, to use it to eavesdrop on private conversations. That is why some experts urge removing a smart phone’s battery when going into a confidential meeting; but that does not work at all with iPhones and Androids that ship with sealed cases.
These attacks remain cutting edge, but, suggests Smith, they are likely to vault up in number as more crooks gain awareness of the tools for intercepting cellular traffic. The tip-off that such an attack is occurring, he says, is that precipitous speed drop—but frankly, who usually notices that?
With all of these threats, has travel become too dangerous for data? The experts adamantly disagree. Be alert, assume there may be eavesdroppers, follow the precautions and you can enjoy safe travel.
One last piece of advice from Kroll’s Brill: “If you don’t need it, don’t bring it,” and that applies to both devices and data.
These basic tips set up the first line of defense against on-the-road data theft.
- Limit devices and data to those specifically needed for a trip.
- For foreign travel, carry a “sanitized” computer with minimal or no data.
- On public computers, do not input or provide access to PINs, financial information or sensitive data.
- When leaving your hotel room, store electronics in the safe.
- If you notice lower connection speeds on your phone, beware of a faux tower attack.
- Be suspicious of generically named hotspots.
- Turn off your phone and remove the battery in confidential meetings to prevent eavesdropping.
Robert McGarvey is a freelance writer whose work focuses on business, technology and travel.