Your personal technology is vulnerable not only in your hotel room safe but tucked in your pocket walking down a street. We talked with technology expert David Holtzman about the unknown risks you take with your proprietary business information when you travel. —Editor
Our readers are on the road a lot. What should they look out for?
It’s all risk/reward, you know. In this case it’s risk/convenience. I travel half the year and go to some pretty obscure places. I travel with a lot of computer equipment. So I spend significant time before each trip thinking through what electronics I’m going to bring. And then I think what happens if they get lost or stolen and what the likelihood is that is going to happen.
So if I’m going to Toronto, I don’t worry about it. If I’m going to Beijing, I worry a lot. China’s government is known to have programs to explicitly attack and hack almost any digital device that any foreigner brings in. They don’t want the money. They want the information.
When I went to Beijing this year, I took a second laptop with me. I scrubbed the laptop before I did anything with it. I formatted it, reinstalled the operating system—didn’t put anything personal on it. Everything I needed that was personal I kept on an encrypted hard drive I plugged in when needed. When I got back, I tested the laptop, and it had at least three malware programs that had been installed by somebody at some point while I was in Beijing.
Would they do that remotely, or do you think they got access to your computer?
Who knows? There’s a thing called an evil maid attack. Figuratively, if a maid in a hotel gets five minutes with your computer, you’re screwed. There isn’t a computer in the world that a good hacker couldn’t crack if they get their hands on it for five minutes with nobody looking.
What about leaving it in the hotel safe?
All hotel safes are made by a couple of manufacturers. There’s master key codes to get into them. Half the people in the hotel know what those are. Some of them have little holes in the back that you can press a paperclip in and make the door pop open. Because every couple of hours some guest is forgetting the combo for their safe, all the staff people need to be able to pop the safe open. It’s not secure.
The best way to protect something is to encrypt it—or just don’t bring it on your trip at all.
You also have to worry, depending on your nationality, coming back into the United States. ICE has a renewed interest in taking people’s computers and phones and downloading the contents, looking for who knows what. They’ve even done this to some Americans. This has happened at the Canadian border on many occasions recently. And there are a lot of cases in court right now challenging this.
Even if you’re American, if you have an iPhone with a bunch of encrypted junk and you cross the border into the United States, in theory these guys can grab your phone and try to force you to unlock it. And there are devices that will enable them to read it even if you don’t cooperate.
In Russia you should expect someone to try to take your data. I think that’s true in most countries. I would even worry about France.
At this point, if you’re travelling internationally, I think you should assume anything digital you have on you is probably going to get read. If you don’t want it read, encrypt it.
With Apple laptops, you can encrypt the whole hard drive pretty easily. If you encrypt the hard drive, it’s pretty solid. If they have a really good reason to go after you, they’re going to have to get your password to unlock it and at least you’ll know.
Wi-Fi is another big problem. One of the biggest scams in the world today is free Wi-Fi. Airport free Wi-Fi, coffee shop free Wi-Fi. There’s a device—I actually have one—called a Pineapple, which costs about $150. A Pineapple is totally legal in this country. You plug it into your laptop, you go into an airport or hotel, and it allows you to create a fake Wi-Fi network.
You can pick a name for it. So let’s say you’re in a Marriot Hotel and you create a Wi-Fi called “Marriot Guest Network #2.” Everybody will start seeing that. They’ve got the password from Marriott Guest Network, so they just assume it’s an extension and they type in the password. Since it’s a man-in-the-middle thing, everything you type in goes into that, and then it passes it through to wherever you were trying to go, like Amazon or your personal web account or your bank.
So if you type in your password to get into some website, a Pineapple has copied it?
Yeah. It’s very common. It’s used all over the world. I doubt there’s an airport in the world where there isn’t somebody doing that. It’s just so common. If you see free Wi-Fi anywhere, you should be very skeptical. Try very hard not to use it if you care about what’s in your computer and what you’re typing.
When I got back, I tested the laptop, and it had at least three malware programs that had been installed by somebody at some point while I was in Beijing.Tweet
If you’re surfing the internet, does that leave you vulnerable?
There are things that could be left on your computer if you click certain things. You know they talk about phishing and spear phishing with your emails. There’s stuff like that on websites. Each time you go from page to page, you’re essentially clicking a link. The way browsers are implemented is you’re actually running a small program. So it could be malicious code that tries to install a back door, a Trojan, a virus, a worm, something on your computer. You probably wouldn’t know. In theory, just even browsing could get you nailed. In practice, probably not, but you might.
I would guess at least one of every six computers is hacked and nobody knows. The hacker that put something on there isn’t ready to do anything with it. Or they just nailed a million computers at once and may turn them into a bot net. Or they may start pulling information out next Tuesday at 1 a.m. You just won’t know.
Is that the smart way hackers do it? They go in, don’t let you know, and they’re just taking your information.
The smart ones.
Because they can use that data later?
I got a call from a friend of my sister. She had just gotten an email that was addressed to her by name, and in the subject line it had a password that she used for a lot of her accounts. It said, “Hi, I know your password is blank, blank, blank.” And then underneath it, the text of the message says: I know you’re looking at porn. I took over your computer’s camera and I have pictures of you looking at porn. If you pay me $2,000 in bitcoin, I won’t tell everybody. And by the way, I downloaded your address book. I know who all your friends and relatives are, and I’m going to send them copies of pictures of you looking at porn on your computer unless you pay me.”
She was terrified. That’s called spear phishing because it’s targeted. It looked personal. I talked her down off the cliff and explained what it was. Then I went back and looked in my junk folder, and I had the same email. And it had one of my old passwords.
The theory used by hackers is that most people, if they use a password on this system, may use the same on another site. The truth is most people do. We need so many. I mean, I must have 500 passwords. Most people have at least 50 or 60, and when you have all these passwords you can’t make them up and remember them. Hackers can programmatically go after that.
To protect yourself, there is something called a password locker. You pay an annual subscription, and it encrypts your passwords so you get one master password and you use that to unlock each of the other passwords.
Of course, the problem is if you allow somebody to get your master. Now they have all of your passwords. So that goes back to my original point that there is no absolute security. These are mitigation strategies. Everyone should absolutely use one of these password lockers.
What about your cell phone when you travel?
Depends what you think is a risk, right? There is a device called a Stingray, and this is a problem in Washington, D.C., where we are. A Stingray is a fake cell phone tower. You can build one for a couple thousand bucks, or you can buy a really good one for $100,000.
A Stingray is not a tower; it’s just a box. The way cell phones work is your phone signal goes from cell to cell to cell. It just hands it off. If you walk down the block, you’re probably going to go through three different cells without even knowing it. There are probably 20 cell phone towers my phone could see right now. You put a Stingray down, anywhere, and it looks like one of those towers to your phone. So as you walk down the street, you may very well connect to that Stingray instead of a real cell phone tower.
It’s another variation of the man-in-the-middle concept. So now everything you type is going through that Stingray, which is then going out to the real internet. So if you use a password, guess what? They just got your password. If it’s a voice call, they got your voice call, they’ve got your text messaging. This is very common in congested urban areas like Washington and New York.
The reason this is so common is because law enforcement started using this and when citizens wanted to go to court and stop it, the government stepped in and protected their ability to use it. They want to do it without getting a warrant or a subpoena, which has allowed the industry to thrive. Everybody in the world has these things. I doubt there’s a single government that doesn’t have Stingrays.
This is one of a traveler’s biggest vulnerabilities. I don’t think the average person could tell. As a consequence, you have to assume anywhere you are in the world, anything you’re saying on a cell phone, anything you text, has been taken by somebody and looked at. So that’s a pretty big risk.
Another kind of risk is “snarfing.” This relates to Bluetooth. Bluetooth is a horrible protocol from a security viewpoint. The only saving grace for Bluetooth is its short range, but if somebody gets within 20 or 30 feet of you, it’s not impossible to use Bluetooth and go onto your phone and steal everything. That’s why it’s called snarfing.
Just by being close to you?
Yeah. You read a couple of years ago about celebrities whose nude selfies were published online. That’s how a bunch of them were caught. These guys would sit with snarfing equipment—something that looks like a laptop with a gadget stuck in a USB port. They’ll be sitting outside a movie premiere or the Oscars where you know a lot of celebrities are going to walk by. They just stand there and have this thing in a little bag, and as [the victims] walk within range, this thing is going to attack the Bluetooth on their phone and very likely will get in and take everything on their phone. That’s a pretty big risk.
There are special phones sold that can protect against all of these things. They’re expensive.
I would guess at least one of every six computers is hacked and nobody knows.Tweet
What about using your hotspot on your phone if you’re in a hotel? Is that any safer than hotel Wi-Fi?
It’s better than the Wi-Fi in the hotel. It’s not great, but it’s better.
Could someone still steal everything on your phone?
Not with a hotspot. The way the hotspot works is it’s got two connections: one cellular, going out, and one Wi-Fi going to you. The Wi-Fi is your Wi-Fi. Presumably you know what it is, so you don’t connect to anybody else’s Wi-Fi. But on the cellular side you’re still vulnerable to Stingrays picking up anything on your call. So you’ve got some protection.
If you’re doing something that’s potentially very lucrative and you’re a good target for industrial espionage, bottom line is just think long and hard about putting it on any device that’s out of your control. Don’t allow anybody physical access to your phone or laptop. Minimize the amount of interconnectedness you do. Use your own cell phone hotspot if you have one.
What about airline Wi-Fi?
Airline Wi-Fi uses GoGo. You connect, and then a popup comes and tries to make you pay or put in a password. All of it is open Wi-Fi. It’s basically a legitimized man-in-the-middle attack. They create a fake internet just like in that hotel. So on airlines, you can actually leave the popup and then go underneath and look at your email, even if you haven’t paid for it.
What is your vulnerability at 35,000 feet?
It’s enormous. I mean, you’re up there physically, but your internet traffic is going through this fake internet thing. If you use it too much, you’ll find sometimes your icons get taken over. All of a sudden a program that has an icon is replaced by the GoGo icon. It’s putting this crazy stuff into your computer.
From your perspective, you’re just browsing. But you’re not really, because the program is doing a bunch of complicated things so they can be sure they’re charging you for it. If they weren’t, it would just be a straight pass-through, and you’d be a lot safer. Because they want to make sure you don’t get it for free, they take over part of your computer, which makes you vulnerable.
Vulnerable to other passengers on plane?
There’s a thing called packet sniffing. It’s a software gadget. The most common is called Wireshark. It’s free, and it’s legal. If you run this thing on any network, it will show you every packet that goes across the network.
So I can be sitting three rows behind you in an airplane with this packet sniffer—
And you’ll see everything I’m typing that comes across the network.
I’ve got a couple of hours on a plane and want to look at my corporate financials. What’s my risk?
If you’re just looking at it, you’re a lot safer.
But if somebody emailed them to me?
Then you’re not safe.
Same with the sniffers three rows behind me?
Yeah, they got you. But they can get you through Bluetooth, anyway, or maybe some other way. All email is basically—I hate to sound paranoid about this—but you should assume all email is monitored by someone.
The National Security Agency grabs every piece of traffic on the open internet it can get its hands on—every single email anywhere in the world. They capture and store it in a place in Utah at a data mountain facility called Bumblehive. This is well known. And they’ve been doing this for at least six years.
But they don’t necessarily look at it all?
No, they don’t.
But if it contains pejorative words, they check it right away?
Yeah. It’s a program that used to be called Echelon. It’s a classified NSA program. They’ve been doing this for almost 10 years. It will only go to a human being’s attention if you say words that somebody cares about, like Putin or atom bomb and North Korea or whatever words they care about.
Holtzman is president of Global POV. firstname.lastname@example.org