Post style: reflective musing — not intended as advice/guidance but you’re free to take it that way.
This post is about a trip I made which was high risk (from an information security perspective) and the steps I took to defend my digital life. It was a personal trip and I didn’t do any work while I was outside of the UK. For generalisation rather than obfuscation: I won’t state where I went.
But first… clarifying the risk
Information security while travelling should be important to everyone but the ‘threat actors’; ‘probability’ and ‘consequence’ (there are others, but I mention those for simplicity to avoid going through potentially 33!) vary based on who you are and what you do.
- threat actors — who would be interested in you and your data, and what is their ‘capability’ (tools; personnel volume and talent-base; money; time etc)
- probability — for simplicity, lets call this the motivation of the threat actor(s) combined with a view on how successful their attempts may be if they tried
- consequence — what could actually happen if the threat actor was successful in getting access to your IT
Human rights workers, activists, journalists, government workers, cybersecurity professionals, law enforcement personnel (to name but a drop in the ocean) should likely consider their IT security more than others — even if they are not travelling for work.
It is also worth clarifying that ‘threat actors’ can also be automated systems or malware rather than a hooded deviant in a basement room with your picture on the wall.
What are we defending?
The list of what information you have changes depending on who you are and what you do, but regardless of personal/work life, you’re probably protecting:
- social media
- login information to other stuff
- the IT you use to do all of the above
- access to any of the above stuff/people through something else
Not only are you protecting what you have/take with you while on the hostile network but you’re protecting everything when you get back — it may be impossible to detect you’ve contracted malware and you do not want to introduce that on your home WiFi or take it into work.
Limiting scope of consequence
If you yourself can’t access the things you want to protect the chance of them being accessed by anyone/something else due to being on a hostile network is much much lower.
On with it then!
What I actually did (mostly).
I am skipping over some aspects entirely, or being a little less detailed in some areas — this is because while the tactics are likely public in another location, I received various bits of guidance/advice under strict confidentiality and handling terms.
I also stuck to being a ‘normal user’ than take Micah’s approach of creating a honeypot.
It may sound a little 007, but use a burner everything. In movies and TV shows, you will see someone buying a disposable mobile (cell) phone, extend this to all of your IT — laptops; tablets; fitness trackers etc.
That may seem like a lot of effort (and it is) so simply leave things that you don’t need behind instead — if you’re on holiday, you probably only need a phone and a tablet which are much easier to setup than a laptop.
In my case, I took an iPhone and iPad.
Virtual Private Network (VPN)
For simplicity I used a new off-the-shelf VPN solution rather than use one run by my company — I wasn’t travelling for work; the VPN might not work (and I’d find out the hard way!) and the physical VPN servers are not all around the world so performance would be bad.
I went with an ExpressVPN trial and as both devices were iOS based, installed their app and configured it to be always-on.
14th September 2021 micro update
Given ExpressVPN’s sale and reported links between ExpressVPN and a member of Project Raven I would not recommend using ExpressVPN. Use TunnelBear or another VPN service based in a privacy-friendly jurisdiction that publishes independent audit reports that verify their internal security and organisational claims.
Online reviews and their website indicated a good global presence, a focus on privacy and known to be working in the place I was going.
VPNs usually encrypt and tunnel ‘all’ of your device network traffic to the VPN server (and then out to the Internet from there).
VPNs aren’t perfect and your device is likely to ‘bleed’ information anyway, but it will give away less (and hopefully apps are using encryption like well-configured HTTPS anyway).
I don’t explicitly trust ExpressVPN but I trust their VPN service more than I trust a network which I believe to be hostile.
There is a download/upload speed performance hit and things like location services get a little funny but it is entirely workable and a very strong defence tactic.
ExpressVPN let you customise your preference for security (stronger encryption) over speed (weaker encryption) — I let it choose (balances both) and I noticed it was using SSL VPN most of the time instead of IPSec.
NextDNS (encrypted DNS)
NextDNS (affiliate link) is one of many encrypted DNS providers (simply put, uses an encrypted DNS protocol such as DNS-over-HTTPS or DNS-over-TLS).
Using an encrypted DNS and encrypted VPN may appear odd, but in many situations a VPN can ‘drop’ or be blocked (including forcing you to turn it off to get connectivity) and encrypted DNS will pick up the slack to a great extent.
NextDNS is quite a flexible service, it allows you to block your DNS lookups based on a number of pre-made and maintained filters, including known malware or even domains known for their popular abuse (such as .email).
New temporary SIM card
While a little frustrating to work around, travel using a temporary new number and SIM card (that you only use once). Foreign SIMs usually get to bypass any local network policies, although you may only get 3G instead of 4G (for example).
Ideally you would also have a second (new and temporary) number to use for any multi-factor authentication via SMS. It isn’t a great protection, but it is probably good enough for SS7 attacks, and the best you can get without setting up a secret virtual number SMS thing that you can securely check (I was going to but then ran out of time before I left).
It happened to work out that I ordered from WorldSIM due to data bundle pricing, and this had the benefit of being issued as an Estonian SIM.
(Make sure you put a PIN code on the SIM card.)
Sacrifice your data allowance
Stay off WiFi while travelling (the entire time, including at hotels) given the whole point of this is about hostile network management and it is highly probable that the WiFi connection (your device to the WiFi antenna) will be unencrypted.
Avoiding WiFi entirely will also help you avoid being caught with a pineapple which may not lead to data theft/manipulation, but could still lead to ‘profiling’ and key information gathering.
From a technology perspective: monitoring and manipulating data/users on WiFi networks is much easier to achieve than on a mobile data network (but yes, stingrays do exist).
I chewed through a lot more data than if I had been in the UK (for the same time period nearly 4x as much) — particularly due to my use of Dropbox.com (see below).
New temporary email address / cloud account
While also frustrating, do it. I created a new Google account and used it to create a new iCloud account.
Your email / cloud account(s) are largely your crown jewels — contacts; files/documents; emails and so on as well as access to everything else (password resets probably go to your email address).
Forward emails you need from your normal accounts to your new one — before you leave for the airport!
If you must setup forwarding rules, make them extremely specific and narrow and remove them as soon as you can — also ensure you’re not forwarding things like password resets.
Known chargers / USB data blocker
As a general rule (even when not travelling) if the charger/USB port is not mine, I always use a USB data blocker (aka, ‘condom’) — I use PortaPow ones.
I marked my chargers so I knew they were mine and also in such a way I knew if they had been taken apart and put back together. I used a PortaPow at all times anyway.
I normally use iMessages; WhatsApp or Signal so I set those up with my new accounts and Estonian SIM.
Photos/videos via Dropbox.com
I used a new temporary Dropbox.com (with Plus trial) to upload my photos/videos that I took while away. Before I left, I setup a share between the new Dropbox.com ‘Camera Uploads’ folder, and my usual Dropbox.com account.
On the plus side this made me to curate photos before I did the upload in order to save data (and time required to upload).
Account passwords / multi-factor authentication (MFA)
It is likely you will need to ‘take’ some other accounts with you. I used my usual Instagram and Uber account, so I changed these passwords (etc) before I left — and then again when I came back.
I setup a new password manager account for my new devices to hold all of my credentials and notes.
I made a precise list of every account my devices had access to and had been loaded into the temporary password manager account.
I didn’t change my recovery to my new temporary email account as if the new temporary email account was compromised, they could just do a bunch of recovery processes and get into a bunch of my accounts (in simple theory).
For every account of any type, I always setup MFA and this time was no different — and as usual, strongly preferred TOTP over SMS.
Biometrics v Passphrases
I did use Face ID and Touch ID to unlock the devices during normal use as in my view the probability of a physical attempt was the same as elsewhere — pick-pocket theft in a tourist area etc.
I didn’t use biometrics to unlock the password manager apps.
As I had a temporary email / cloud account and contact details I let people know in advance what my new contact details were and reminded them which dates I was going to use them.
I was very selectively with the contacts I put onto my temporary devices and did things like shorten the names so they reasonably only made sense to me and only added their mobile number if my usual contact entry for them had full name; mobile; email and date of birth (for example) — I didn’t add any contacts from clients.
I also said (more than once) when my normal details would be back in use — someone calling me on my temporary number when I was back in the UK wouldn’t be so helpful.
My out of office (on my usual accounts) gave out my temporary contact details with travel dates and reminded people not to send sensitive/important information. I did include my WhatsApp fingerprint with a link on what it meant and how to verify it.
I setup an out of office on my temporary accounts to re-iterate that they were temporary accounts and which dates I would be using them.
Technical nitty gritty
A quick list of stuff I did (roughly in order) at a technical level in iOS:
- Setup Face ID and/or Touch ID with a very strong alphanumeric passphrase (remember, you still need to remember it and be able to type it, but you won’t do it that often)
- Signed in using my temporary iCloud
- Added my temporary Google account (just for mail)
- Set PIN codes on SIM cards
- Turned off:
- Control Centre on Lock Screen
- Spotlight Siri Suggestions
- Suggested apps
- Voice dial
- Everything under ‘Allow Access When Locked’
- Everything under ‘iCloud’ except Find My iPhone
- iCloud Backups (doesn’t maintain end-to-end encryption for iMessages etc)
- Mail/Messages previews
- Send as SMS fallback
- Automatic downloads (inc updates) in iTunes & App Stores
- Chat backups in WhatsApp
- Turned on:
- Wipe after 10 failed passcode entries
- Always-on VPN (via ExpressVPN app)
- Encrypted DNS (via NextDNS app)
I went with as least apps as I could get away with on the basis I then had less to setup! A handful of games; different map apps; streaming video (using new accounts) and language translation (offline dictionaries).
Given I knew I had to ration data, I pre-downloaded media using the Amazon Prime and Netflix apps so I had a good stock of TV shows and movies on my iPad and iPhone.
Ignore/reject any and all updates
Before you leave, make sure you’ve updated to the latest version of things (in my case, iOS updates and app updates through the usual iOS App Store). Once you’re on hostile networks — reject/ignore those updates.
While we can debate the probability of such an attack and the effort required to pull it off, it is simpler to say that you can probably live without those software updates so just ignore them.
Reject carrier updates as well — in iOS the buttons are awfully close together and popup randomly, but pay attention and make sure you are hitting ‘Cancel’. Carrier updates can change a lot of the configuration on your SIM card, including to redirect your voice/data.
Physical device security
You can’t keep eyes on all of your devices at the same time.
Near but unattended
I either quickly turned off the device or disabled biometric unlocking when temporarily losing sight of devices — airport security etc.
Out and about
I took the usual precautions one would take when visiting any location where someone might pick your pockets.
As I had limited the potential consequences I didn’t do anything different/special but I did use Airport mode (a lot) in an attempt to ration data.
I didn’t take my temporary iPad out of the hotel (I didn’t want to carry it) so I left it in the hotel safe and took some anti-tamper measures to deter/detect the ‘evil maid’.
I also placed a proportional amount of trust in Apple’s trusted platform module (TPM) — the hardware inside the devices which does the encryption and security-related checks around Face ID / Touch ID; unlocking your phone etc.
While I had installed ExpressVPN (etc) on the iPad, I never actually turned on WiFi (it was a WiFi only model) so that wasn’t very exciting.
User experience — the bad
I thought I would list all of the annoying things about taking such defensive IT security steps:
- iPhones and iPads aren’t cheap (!)
- It took some time to setup — largely because of new devices
- I didn’t have access to Facebook
- Separation anxiety from my emails
- I did wonder who ignored my pre-warming and out of office and was trying to reach me
- Changing passwords (even with a password manager to help)
- I had very little idea what my Estonian number was (+372 blank blank blank something 2…?) so every time someone I met asked me I had to look it up
- Waiting x seconds for the VPN to re-connect
- Effort/time in decommissioning
User experience — the good
And then what I really enjoyed about being forcefully disconnected:
- I didn’t have access to Facebook (!)
- I took a slightly odd pleasure in not having my emails (don’t know ~= can’t work)
- I actually focused on where I was and who I was with
- My photos/videos mean more to me
- Technical security turned into a hands-on practical exercise (I have my own regime under normal circumstances but otherwise day to day I spend my time offering advice rather than doing things)
- It sort of felt cool?
Coming back home
As I had pre-warmed: I had been in touch with those who I would usually be in touch with; clients had been well-served and I only had 1 (!) email which actually needed my attention when I got back — I should go away and be hard to reach more often?!
With a focus on ‘don’t bring back malware’: my ‘burner’ equipment did not logically reach my house as I factory reset them while still in the Uber on the way home from the airport and then they were turned off — you can’t easily take the battery out of Apple devices (and not that I would have done, as in this context that would be disproportional).
What I found on the devices.
Guvf frpgvba vf vagragvbanyyl yrsg oynax sbe pbzrqvp inyhr.
Account trashing / re-sanitisation
I left the temporary Google and iCloud accounts to gather dust after changing the out of office to say the account is no longer in use and removing them from the temporary devices (de-registering from iMessages; WhatsApp and Signal first).
I went through the list I had previously made of every account I had access to while I was away and went through them all to change passwords; double-check recovery settings; kick-out all existing sessions (etc).
I took my Curve card (use referral M0SB4, please)and Revolut card given wonderful foreign ATM and exchange rate benefits, so in addition to changing those access details, I do monitor the cards for odd transactions (I also informed both companies who do the same).
A quick outtro
This post is by no means exhaustive and should be supplemented or superseded by advice from your employer.
The considerations here are also a narrow scope due to temporary devices and accounts. Life would have been very different if I needed to access my company emails/documents awhile abroad as while the technology configuration above likely would have been very similar, the way the company email/documents would have setup would have been different.
You might find other exciting posts in my Medium profile.