Being safe on hostile WiFi/mobile networks

Post style: reflective musing — not intended as advice/guidance but you’re free to take it that way.

This post is about a trip I made which was high risk (from an information security perspective) and the steps I took to defend my digital life. It was a personal trip and I didn’t do any work while I was outside of the UK. For generalisation rather than obfuscation: I won’t state where I went.

But first… clarifying the risk

  • threat actors — who would be interested in you and your data, and what is their ‘capability’ (tools; personnel volume and talent-base; money; time etc)
  • probability — for simplicity, let’s call this the motivation of the threat actor(s) combined with a view on how successful their attempts may be if they tried
  • consequence — what could actually happen if the threat actor was successful in getting access to your IT

Human rights workers, activists, journalists, government workers, cybersecurity professionals, law enforcement personnel (to name but a drop in the ocean) should likely consider their IT security more than others — even if they are not travelling for work.

It is also worth clarifying that ‘threat actors’ can also be automated systems or malware rather than a hooded deviant in a basement room with your picture on the wall.

What are we defending?

  • social media
  • contacts
  • emails
  • documents/files
  • login information to other stuff
  • the IT you use to do all of the above
  • access to any of the above stuff/people through something else

Not only are you protecting what you have/take with you while on the hostile network but you’re protecting everything when you get back — it may be impossible to detect you’ve contracted malware and you do not want to introduce that on your home WiFi or take it into work.

Limiting scope of consequence

If you yourself can’t access the things you want to protect, the chance of them being accessed by anyone/something else due to being on a hostile network is much, much lower.

On with it then!

I am skipping over some aspects entirely, or being a little less detailed in some areas — this is because while the tactics are likely public in another location, I received various bits of guidance/advice under strict confidentiality and handling terms.

I also stuck to being a ‘normal user’ rather than take Micah’s approach of creating a honeypot.

Temporary equipment

That may seem like a lot of effort (and it is) so simply leave things that you don’t need behind instead — if you’re on holiday, you probably only need a phone and a tablet which are much easier to setup than a laptop.

In my case, I took an iPhone and iPad.

Virtual Private Network (VPN)

I went with an ExpressVPN trial and as both devices were iOS based, installed their app and configured it to be always-on.

14th September 2021 micro update
Given ExpressVPN’s sale and reported links between ExpressVPN and a member of Project Raven I would not recommend using ExpressVPN. Use TunnelBear or another VPN service based in a privacy-friendly jurisdiction that publishes independent audit reports that verify their internal security and organisational claims.

Online reviews and their website indicated a good global presence, a focus on privacy and known to be working in the place I was going.

VPNs usually encrypt and tunnel ‘all’ of your device network traffic to the VPN server (and then out to the Internet from there).

VPNs aren’t perfect and your device is likely to ‘bleed’ information anyway, but it will give away less (and hopefully apps are using encryption like well-configured HTTPS anyway).

I don’t explicitly trust ExpressVPN but I trust their VPN service more than I trust a network which I believe to be hostile.

There is a download/upload speed performance hit and things like location services get a little funny but it is entirely workable and a very strong defence tactic.

ExpressVPN lets you customise your preference for security (stronger encryption) over speed (weaker encryption) — I let it choose (balances both) and I noticed it was using SSL VPN most of the time instead of IPSec.

NextDNS (encrypted DNS)

Using an encrypted DNS and encrypted VPN may appear odd, but in many situations a VPN can ‘drop’ or be blocked (including forcing you to turn it off to get connectivity) and encrypted DNS will pick up the slack to a great extent.

NextDNS is quite a flexible service, it allows you to block your DNS lookups based on a number of pre-made and maintained filters, including known malware or even domains known for their popular abuse (such as .email).
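
The way a filtering resolver decides whether to answer a lookup, as an added example that is not part of the original post and not NextDNS’s own code: rules are domain suffixes (a bare TLD such as ‘email’ covers the whole TLD), the most specific matching suffix wins so an allow entry can carve an exception out of a TLD block, and names are normalised (case, trailing dot, IDNA) before matching. The rule set and query names below are constructed for the example and are not real indicators.

```python
from typing import Dict, List, Optional, Tuple

# Constructed rule set standing in for the curated lists a filtering resolver such as
# NextDNS applies. Keys are domain suffixes; a bare TLD ("email") covers the whole TLD.
# Values are "block" or "allow". None of these names are real indicators.
RULES: Dict[str, str] = {
    "email": "block",                     # block the whole .email TLD
    "newsletter.example.email": "allow",  # ...but allow one sender that lives under it
    "c2.malicious.test": "block",         # a constructed "known malware" entry
}


def normalise(name: str) -> str:
    """Lower-case, strip the root dot and IDNA-encode, so ASCII rules match Unicode names."""
    name = name.strip().rstrip(".").lower()
    try:
        name = name.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # an un-encodable label is left as-is and will simply match no rule
    return name


def decide(name: str, rules: Dict[str, str] = RULES) -> Tuple[str, Optional[str]]:
    """Most-specific suffix wins: walk from the full name down to the TLD and return the
    first rule hit as (verdict, matching_suffix). A name matching nothing is allowed."""
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return rules[suffix], suffix
    return "allow", None


def blocked(queries: List[str], rules: Dict[str, str] = RULES) -> List[str]:
    """Apply the policy to a batch of looked-up names and return those that would be refused."""
    return [q for q in queries if decide(q, rules)[0] == "block"]


# Constructed sample of names a device might look up while travelling.
SAMPLE_QUERIES = [
    "www.example.test",
    "login.phish.email",
    "newsletter.example.email",
    "edm.newsletter.example.email",
    "C2.malicious.test.",
    "bücher.email",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        verdict, why = decide(q)
        print(f"{q:32} {verdict:5} {'(rule: ' + why + ')' if why else ''}")
```

The suffix walk is why a TLD-level block is cheap to express yet still lets you whitelist a single legitimate domain underneath it; the IDNA step matters because a lookup for a Unicode name arrives at the resolver in punycode.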

New temporary SIM card

Ideally you would also have a second (new and temporary) number to use for any multi-factor authentication via SMS. It isn’t a great protection, but it is probably good enough for SS7 attacks, and the best you can get without setting up a secret virtual number SMS thing that you can securely check (I was going to but then ran out of time before I left).

It happened to work out that I ordered from WorldSIM due to data bundle pricing, and this had the benefit of being issued as an Estonian SIM.

(Make sure you put a PIN code on the SIM card.)

Sacrifice your data allowance

Avoiding WiFi entirely will also help you avoid being caught with a pineapple which may not lead to data theft/manipulation, but could still lead to ‘profiling’ and key information gathering.

From a technology perspective: monitoring and manipulating data/users on WiFi networks is much easier to achieve than on a mobile data network (but yes, stingrays do exist).

I chewed through a lot more data than if I had been in the UK (for the same time period nearly 4x as much) — particularly due to my use of Dropbox.com (see below).

New temporary email address / cloud account

Your email / cloud account(s) are largely your crown jewels — contacts; files/documents; emails and so on as well as access to everything else (password resets probably go to your email address).

Forward emails you need from your normal accounts to your new one — before you leave for the airport!

If you must set up forwarding rules, make them extremely specific and narrow, and remove them as soon as you can — also ensure you’re not forwarding things like password resets.
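
What ‘extremely specific and narrow’ can look like in practice, as an added example rather than anything from the original post: a forwarding decision that only fires inside the travel window, only for an explicit allow-list of senders, and never for credential-recovery mail (detected by the RFC 3834 `Auto-Submitted` header and by reset/code phrasing). The travel dates, allow-list and sample messages are constructed for the example; a real mail provider would express the same logic in its own rule language.

```python
import re
from datetime import date, datetime, timezone
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional, Tuple, Union

# Constructed travel window and allow-list for the example.
TRAVEL_START = date(2019, 9, 1)
TRAVEL_END = date(2019, 9, 14)
ALLOWED_SENDERS = {"alice@example.org", "bob@example.net"}

# Phrases typical of password-reset / verification mail; a hit means "never forward".
SENSITIVE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\bpassword\b", r"\breset\b", r"\bverification code\b",
              r"\bone[- ]time\b", r"\bsecurity code\b", r"\b\d{6}\b")
]


def _text_of(msg: Message) -> str:
    """Collect the text/plain content of a message (multipart or not)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return " ".join(p.decode(errors="replace") for p in parts if p)
    payload = msg.get_payload(decode=True)
    return payload.decode(errors="replace") if payload else ""


def should_forward(raw: str, today: Union[str, date, None] = None) -> Tuple[bool, str]:
    """Return (forward?, reason) for a raw RFC 822 message; `today` accepts an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or datetime.now(timezone.utc).date()
    msg = message_from_string(raw)

    # 1. The rule only lives during the trip; outside the window it should already be gone.
    if not (TRAVEL_START <= today <= TRAVEL_END):
        return False, "outside travel window"

    # 2. Narrow: the From address must be on the allow-list (Reply-To is ignored on purpose).
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() not in ALLOWED_SENDERS:
        return False, f"sender not allow-listed: {sender or '<none>'}"

    # 3. Never forward automated mail or anything that smells like account recovery.
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return False, "auto-submitted message"
    haystack = f"{msg.get('Subject', '')}\n{_text_of(msg)}"
    for pattern in SENSITIVE_PATTERNS:
        if pattern.search(haystack):
            return False, f"matches sensitive pattern {pattern.pattern!r}"

    return True, "allow-listed sender, no sensitive content"


# Constructed sample messages.
OK_MAIL = """From: Alice <alice@example.org>
To: me@example.com
Subject: Dinner on Thursday?

Are you free on Thursday evening? Let me know.
"""

RESET_MAIL = """From: Alice <alice@example.org>
To: me@example.com
Subject: Your password reset code
Auto-Submitted: auto-generated

Your code is 483920. It expires in 10 minutes.
"""

STRANGER_MAIL = """From: Mallory <mallory@example.com>
To: me@example.com
Subject: Hello

Hi, long time no see.
"""

if __name__ == "__main__":
    for name, raw in (("ok", OK_MAIL), ("reset", RESET_MAIL), ("stranger", STRANGER_MAIL)):
        print(name, should_forward(raw, "2019-09-03"))
```

Note the ordering: the date window and allow-list are checked before any content inspection, so the default outcome for anything unexpected is ‘do not forward’, and the deliberately broad patterns (a bare six-digit number, the word ‘reset’) err towards holding a message back rather than leaking a code to the temporary account.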

Known chargers / USB data blocker

I marked my chargers so I knew they were mine and also in such a way I knew if they had been taken apart and put back together. I used a PortaPow at all times anyway.

Messaging apps

Photos/videos via Dropbox.com

On the plus side this made me curate photos before I did the upload in order to save data (and the time required to upload).

Account passwords / multi-factor authentication (MFA)

I set up a new password manager account for my new devices to hold all of my credentials and notes.

I made a precise list of every account my devices had access to and had been loaded into the temporary password manager account.

I didn’t change my recovery to my new temporary email account as if the new temporary email account was compromised, they could just do a bunch of recovery processes and get into a bunch of my accounts (in simple theory).

For every account of any type, I always set up MFA and this time was no different — and as usual, strongly preferred TOTP over SMS.

Biometrics v Passphrases

I didn’t use biometrics to unlock the password manager apps.

Pre-warming friends/team

I was very selective with the contacts I put onto my temporary devices and did things like shorten the names so they reasonably only made sense to me, and only added their mobile number if my usual contact entry for them had full name; mobile; email and date of birth (for example) — I didn’t add any contacts from clients.

I also said (more than once) when my normal details would be back in use — someone calling me on my temporary number when I was back in the UK wouldn’t be so helpful.

My out of office (on my usual accounts) gave out my temporary contact details with travel dates and reminded people not to send sensitive/important information. I did include my WhatsApp fingerprint with a link on what it meant and how to verify it.

I set up an out of office on my temporary accounts to re-iterate that they were temporary accounts and which dates I would be using them.

Technical nitty gritty

  • Set up Face ID and/or Touch ID with a very strong alphanumeric passphrase (remember, you still need to remember it and be able to type it, but you won’t do it that often)
  • Signed in using my temporary iCloud
  • Added my temporary Google account (just for mail)
  • Set PIN codes on SIM cards
  • Turned off:
  1. Siri
  2. Bluetooth
  3. Control Centre on Lock Screen
  4. Spotlight Siri Suggestions
  5. Handoff
  6. Suggested apps
  7. Voice dial
  8. Everything under ‘Allow Access When Locked’
  9. Everything under ‘iCloud’ except Find My iPhone
  10. iCloud Backups (doesn’t maintain end-to-end encryption for iMessages etc)
  11. Mail/Messages previews
  12. Send as SMS fallback
  13. Javascript in Safari
  14. Automatic downloads (inc updates) in iTunes & App Stores
  15. Chat backups in WhatsApp
  • Turned on:
  1. Wipe after 10 failed passcode entries
  2. Always-on VPN (via ExpressVPN app)
  3. Encrypted DNS (via NextDNS app)
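
The same settings can be pinned with an Apple configuration profile instead of being toggled by hand; the script below is an added example (not from the original post, and not Apple or NextDNS code) that builds one with Python’s `plistlib`. It uses Apple’s documented Restrictions, Passcode and DNS Settings payload keys; the reverse-DNS prefix and the NextDNS DoH URL are placeholders. It assumes iOS 14 or later for the DNS payload, and a few restriction keys (Spotlight internet results, Bluetooth modification) are only honoured on supervised devices, so on a personal device they are documentation rather than enforcement. Note that `allowBluetoothModification` freezes Bluetooth in whatever state it is in when the profile installs, so turn it off first.

```python
import plistlib
import uuid
from typing import Any, Dict, Optional

# Placeholders: substitute your own reverse-DNS prefix and NextDNS configuration ID.
ORG_PREFIX = "com.example.travel"                 # hypothetical
NEXTDNS_DOH_URL = "https://dns.nextdns.io/CONFIGID"  # placeholder configuration ID


def _payload(payload_type: str, name: str, **keys: Any) -> Dict[str, Any]:
    """Envelope every payload inside an Apple configuration profile must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{ORG_PREFIX}.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        **keys,
    }


def build_profile() -> Dict[str, Any]:
    """Return the profile as a dict mirroring the 'Turned off' / 'Turned on' lists above."""
    restrictions = _payload(
        "com.apple.applicationaccess", "restrictions",
        allowAssistant=False,                   # Siri
        allowAssistantWhileLocked=False,
        allowLockScreenControlCenter=False,     # Control Centre on Lock Screen
        allowLockScreenTodayView=False,
        allowLockScreenNotificationsView=False, # no mail/message previews while locked
        allowSpotlightInternetResults=False,    # Spotlight Siri Suggestions (supervised only)
        allowActivityContinuation=False,        # Handoff
        allowVoiceDialing=False,                # voice dial
        allowCloudBackup=False,                 # iCloud Backups
        allowBluetoothModification=False,       # supervised only; pins Bluetooth's current state
        safariAllowJavaScript=False,            # JavaScript in Safari
    )
    passcode = _payload(
        "com.apple.mobiledevice.passwordpolicy", "passcode",
        allowSimple=False,
        forcePIN=True,
        requireAlphanumeric=True,               # strong alphanumeric passphrase
        minLength=12,                           # assumed minimum for the example
        maxFailedAttempts=10,                   # wipe after 10 failed passcode entries
        maxInactivity=2,                        # minutes before the device locks
    )
    dns = _payload(
        "com.apple.dnsSettings.managed", "dns",
        DNSSettings={"DNSProtocol": "HTTPS", "ServerURL": NEXTDNS_DOH_URL},  # encrypted DNS
    )
    return {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Travel hardening (example)",
        "PayloadIdentifier": f"{ORG_PREFIX}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": [restrictions, passcode, dns],
    }


def to_mobileconfig(profile: Dict[str, Any]) -> bytes:
    """Serialise the profile to the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def roundtrip(profile: Dict[str, Any]) -> Dict[str, Any]:
    """Parse the serialised profile back, proving the plist is well-formed."""
    return plistlib.loads(to_mobileconfig(profile))


def payload_by_type(profile: Dict[str, Any], payload_type: str) -> Optional[Dict[str, Any]]:
    """Locate one payload inside a profile by its PayloadType."""
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] == payload_type:
            return payload
    return None


if __name__ == "__main__":
    with open("travel.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(build_profile()))
```

Installing the resulting `.mobileconfig` (AirDrop or a local file, then Settings › Profile Downloaded) applies the settings in one step and, because a profile shows up in Settings, also gives you a visible record that the hardening is still in place. The VPN is left out deliberately: the ExpressVPN app manages its own always-on configuration.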

I went with as few apps as I could get away with, on the basis that I then had less to set up! A handful of games; different map apps; streaming video (using new accounts) and language translation (offline dictionaries).

Given I knew I had to ration data, I pre-downloaded media using the Amazon Prime and Netflix apps so I had a good stock of TV shows and movies on my iPad and iPhone.

I also installed Brave, as this is a JavaScript enabled browser (which I kept off unless the site didn’t work properly) but it has HTTPS Everywhere and pretty good ad-blocking.

Ignore/reject any and all updates

While we can debate the probability of such an attack and the effort required to pull it off, it is simpler to say that you can probably live without those software updates so just ignore them.

Reject carrier updates as well — in iOS the buttons are awfully close together and pop up randomly, but pay attention and make sure you are hitting ‘Cancel’. Carrier updates can change a lot of the configuration on your SIM card, including to redirect your voice/data.

Physical device security

Near but unattended

Out and about

As I had limited the potential consequences I didn’t do anything different/special, but I did use Airplane mode (a lot) in an attempt to ration data.

Hotel safe

I also placed a proportional amount of trust in Apple’s trusted platform module (TPM) — the hardware inside the devices which does the encryption and security-related checks around Face ID / Touch ID; unlocking your phone etc.

While I had installed ExpressVPN (etc) on the iPad, I never actually turned on WiFi (it was a WiFi only model) so that wasn’t very exciting.

User experience — the bad

  • iPhones and iPads aren’t cheap (!)
  • It took some time to set up — largely because of new devices
  • I didn’t have access to Facebook
  • Separation anxiety from my emails
  • I did wonder who ignored my pre-warming and out of office and was trying to reach me
  • Changing passwords (even with a password manager to help)
  • I had very little idea what my Estonian number was (+372 blank blank blank something 2…?) so every time someone I met asked me I had to look it up
  • Waiting x seconds for the VPN to re-connect
  • Effort/time in decommissioning

User experience — the good

  • I didn’t have access to Facebook (!)
  • I took a slightly odd pleasure in not having my emails (don’t know ~= can’t work)
  • I actually focused on where I was and who I was with
  • My photos/videos mean more to me
  • Technical security turned into a hands-on practical exercise (I have my own regime under normal circumstances but otherwise day to day I spend my time offering advice rather than doing things)
  • It sort of felt cool?

Coming back home

Contacts

Decommissioning

What I found on the devices.

Account trashing / re-sanitisation

I went through the list I had previously made of every account I had access to while I was away and went through them all to change passwords; double-check recovery settings; kick-out all existing sessions (etc).

I took my Curve card (use referral M0SB4, please) and Revolut card given wonderful foreign ATM and exchange rate benefits, so in addition to changing those access details, I do monitor the cards for odd transactions (I also informed both companies who do the same).

A quick outro

The considerations here are also narrow in scope due to temporary devices and accounts. Life would have been very different if I needed to access my company emails/documents while abroad, as while the technology configuration above likely would have been very similar, the way the company email/documents would have been set up would have been different.

You might find other exciting posts in my Medium profile.

The thin blue line between technology and everything else. joelgsamuel.com