Last weekend witnessed the closing ceremony in Beijing of what Wired magazine dubbed the 'Burner Phone Olympics'.
A burner phone, for the uninitiated, is a mobile phone used for a limited period and then discarded. Long used as a communications tool by drug dealers and other criminals, legitimate organisations have begun equipping their business travellers with them as well.
Britain’s Olympic Association was one of several to offer temporary phones to athletes and team officials heading to Beijing. The associations feared the Chinese authorities might access data stored on permanent digital devices brought into the country, for example through the partially unencrypted My2022 app that the Chinese government required everyone attending the Winter Games to download. The Dutch Olympic association went one step further, ordering its entourage to leave personal phones and laptops at home.
With warnings also issued last week that foreign workers in Ukraine should carry satellite phones – which can still function in the event of a cyber-attack on mobile networks – the need for organisations to plan comprehensive business traveller cybersecurity strategies is becoming ever starker.
Criminals, state interests, cyberterrorists and political 'hacktivists' are all potentially interested in the contents of business travellers' digital devices, according to Peter Davies, IT director for the travel risk management services provider Anvil Group.
Runli Guo, chief information security officer for the ground transportation management platform Gett, adds that data interceptions might be directed at the individual traveller or at their employer. In the former case, says Guo, “most cybercriminals are opportunists after a quick buck” through unearthing the intended victim’s credit card or bank account details. But more ambitious or differently motivated hackers may be interested in accessing company secrets on employees’ devices or, Guo says, using “the individual’s phone, laptop or tablet as an entry point into the wider organisation.”
“A device might not have data I want on it but it might give me the key to open a virtual private network,” confirms Davies. “The laptop or mobile is just a mechanism for me to get somewhere else. If it’s connected to the corporate infrastructure, I can access lots of stuff.
“As a traveller you have more risk. Your attack surface is much wider. Whatever assets you carry on portable devices are easier to acquire, whether electronically or by stealing, and the counter-measures you can put in place are fewer. In a network environment you can have lots of tools to warn someone is trying to break through your firewalls. We still have some technology that will help us, but we’re more at risk because the infrastructure we’re connecting to isn’t completely under our control,” Davies says.
Under a protocol called the Wassenaar Arrangement, travellers are usually allowed to cross international borders with encrypted mobile devices. But not all countries are signatories to the arrangement or, if they are, do not support the exemption tolerating personal use of encrypted devices. Countries that only allow this exemption with a permit (which may, or may not, be issued and may not necessarily be respected even if it is) include Belarus, China, Hungary, Iran, Israel, Kazakhstan, Moldova, Morocco, Myanmar, Russia, Saudi Arabia, Tunisia and Ukraine.
Fortunately, organisations can take plenty of steps to improve cybersecurity for their travellers. Perhaps the most fundamental is to make travellers aware. “The biggest threat to an organisation is simply a lack of basic precautions taken by staff: using unsecured wi-fi hotspots or Bluetooth, leaving your device unattended, or losing devices in a public place,” says Guo. “And also ask yourself how good is your cyber-hygiene? If it’s easy for someone to break in then attackers are more likely to go after you – they often just go for low-hanging fruit.”
On trips where potential state espionage is a concern, caution begins at border control, according to BCD Travel information security director Frank Schuchard. “If they take your laptop away and bring it back 30 minutes later I’m not sure I would start it up again during my trip,” he says. “I would instead ask the person I am visiting if they have a laptop I could use.”
An even safer precaution, Schuchard added, would be for the traveller to bring a laptop stripped of all but essential files for the trip, to go online exclusively through their company’s virtual private network during the visit and then to have the laptop cleaned again on their return.
Travellers also need to be warned to avoid or minimise all other types of electronic connectivity. “If travelling to certain countries, unless you need it for a specific purpose, I would suggest travellers disable the auto-connect feature on their phones because they don’t want it to control where they are going to connect,” says Davies.
“Location-sharing helps us know where you are and we can send you targeted information about events happening near you, so you do want to leave those ones on, but you want to turn off everything other than what you need to minimise the data you share.”
Davies also urges companies to remind travellers to deploy biometric security features such as facial recognition or thumbprints. “A device with more security on it is more likely to be handed in because most people can’t get access to the data anyway, so it’s no use to them,” he says. “But mainly you’re buying time. You’re delaying malicious actors gaining access to whatever’s on that device.”
That time can be used by travellers who realise they’ve mislaid their device to call security, so another element of good cyber-hygiene is instructing travellers to raise the alarm immediately they perceive a problem. Access to a security hotline is therefore very important, but of course travellers need to store that number somewhere other than on the phone or laptop whose disappearance they are endeavouring to report.
Finally, travellers need reminding to keep quiet on social media. “Don’t tell anyone on Facebook you’re going to New York next week to see your business partner,” says Schuchard. The classic cautionary tale here is the former England footballer John Terry. In 2017 he posted photos on Instagram of himself and his wife enjoying the ski slopes of the Alps. Burglars took advantage of the intelligence to enter the couple’s house and relieve them of designer handbags worth £126,000 plus jewellery to the value of £220,000.