This is the third and final post in a 3-part mini series on risky smartphone travel.
Posts in this series
- Part 1— risks, threat actor capability, smartphone choice, VPNs, encrypted DNS, smartphone configuration
- Part 2 — contacts/accounts, the high risk travel itself, traveller preparation, mobile data -v- Wi-Fi, roaming, and monitoring
- Part 3 — this post — the return, decommissioning, tamper seals and long-lived roaming risks
I am on Twitter as @JoelGSamuel.
The traveller can stop travelling
In the previous post (second in this series) we communicated to the traveller to export data they need, and decommission the phone (unless you’re preserving it for forensics).
Decommissioning the travel smartphone
- Disable roaming on the telco account
- Disable the VPN account (revoke VPN client certificate, etc)
- Drain the battery — paranoia in this series in 12/10, if the device has been modified and/or malware can survive reboots/resets then this compensates for being unable to take batteries out of iPhones/iPads
- IT service asset separation— once a travel smartphone, always a travel smartphone. Keep it somewhere away from the usual smartphone stock
- Mobile device management isolation — put it into an isolated group, so the device can’t be provisioned again without explicit IT action to take it out of the isolation group
- Re-secure corporate productivity accounts — likely revoke all sessions, re-check for new forwarding/delegation rules
- Check the anti-tamper seals — hopefully not rubbed off too badly by sweaty palms/use, compare against pictures taken
- Swap those SIM cards — time to change IMSI. If the number was burner, great, if it was a number they need back then ask the network operator to do a SIM swap
After trip care
In the world where they took their usual corporate productivity account and/or mobile phone number — the risks “mostly… sort of” fall back to where they were before.
If you re-secured the productivity accounts, you should have a good enough baseline of “OK, things are back to normal now”.
As a result of the trip, perhaps they get more attention (uptick in spearphishing, SMSishing etc) but in general all of this should be based on your standard security workflows within the IT Service Desk and/or Cyber Security SOC.
The typical IT operations/SOC monitoring should already be detecting things like revoked VPN client certificates/accounts being attempted.