Video: World Cup fans beware: Russia travel comes with cyber risk
Look, I grew up in New Jersey and lived in Florida, so I'm pretty comfortable with the idea of scary places. But the kind of scary I'm talking about here is foreign governments that might be after your digital soul.
If you're traveling to countries like Russia or China (and, yeah, entering or returning to the US), there's always the risk that governments may have the opportunity to gain access to your digital bits. When in country, it's distinctly possible that not only governments, but hackers and criminals, will try to intercept your traffic and steal identifying information or even insert malware into your transmissions.
I am more than a little paranoid, and on the rare occasion I consider traveling out of the country, I plan for as much protection as possible. In this article, I'm going to help you see some of the techniques I consider when I'm thinking about traveling over either pond.
Let me be clear: These approaches aren't for everyone. If you're not deeply concerned about your data being intercepted or your devices being infected, just take the easy way out. But if you're a fan of spy movies and are concerned about how to stay as digitally safe as possible, here are a few slightly "out there" spycraft-style tips you might want to consider.
Where they can get you
Let's first discuss where you're at most risk. Digital travel risk can really be broken down into two vectors: Losing physical control of your devices and communications interception.
In the case of losing physical control of your devices, the most likely occurrence is transiting a national border. During your passage through airport metal detectors or through customs, you may have to hand over your devices.
To be fair, this isn't just about what happens if you enter Russia or China, for example. We know the US government has been doing border searches of digital devices.
I'm able to hold two opposing viewpoints in my mind at once. As a longtime counterterrorism wonk, I see the huge preventative value in these searches, but as a personal privacy advocate, I can see why you wouldn't want anyone who is not you touching your toys.
Border crossings are an instance where you have absolutely no control. If you have to give up your devices, you have to give up your devices. But there are other occasions where laziness, stupidity, or convenience might lead you to letting someone else touch your device.
You might decide it's not convenient to lug your laptop to breakfast, so you leave it in your room, but a room maintenance person might gain access to it, potentially loading malware onto it without your knowledge. This is a so-called "evil maid" attack (because not all security terms are gender neutral). A more worrisome risk is government access (either through a secretive evil maid) or a more blatant open seizing or holding of a device to examine or modify it.
You might drop your phone in a cab as you're rushing for an appointment. You might hand your phone to a stranger to take a picture in front of a monument, and that stranger runs off with your device. You might check your laptop into a hotel safe, where anyone on staff can gain all-day access to your gear. And so on.
The second way they can get you is through traffic interception. After all, you're dependent on using whatever telecom services exist in the host country to access the internet, make calls, or send texts.
When you consider traveling outside the country, you should certainly consider using a VPN, but there are other techniques you might employ. Before I go further, I should point out that the internet echo chamber (that is, bloggers and press who simply repeat what other bloggers and press write) is convinced use of a VPN is illegal in Russia.
Read also: Putin reportedly bans VPN use in Russia
The true answer was hard to nail down and took my contacting the Russian Foreign Ministry, the US State Department, and two attorneys, one in Russia and one in the US. But, the fact is, operating a VPN for the public is restricted (not illegal) in Russia. Use, according to the advice of the two attorneys who read the actual law and not just other blog posts, is legal. See my full analysis of this issue.
Air-gapping the effin' planet
Here's the thing. I don't want there to be any connection between what I say when traveling and my world back home. If possible, I don't want some foreign government to know who I'm talking to, what I'm saying, email addresses of associates, and so on.
Essentially, I want to "air gap" (or keep off the internet) all my travel communications. Since that's not really practical if you need to communicate, the next best thing is to be extremely deliberate in how you communicate. Let's look at some of those steps.
Let's start with the one I'm sure is going to have the most pushback in the comments below. Never, ever travel with the devices you use at home.
Before you leave, buy yourself an inexpensive laptop and load Linux on it. Get yourself the cheapest, oldest iPhone that supports the current iOS. Skip Android phones, because they're easier to hack unless you're absolutely sure you can patch and have the latest up-to-date releases (but I wouldn't). You'll need to make sure you get one appropriate for carrier availability in the country you're visiting. Always do your research ahead of time.
Now, here's the thing: You will use these two devices while traveling, and then, just before you return home, destroy them. If you can't find a hammer, you can use a chair leg. Smack the living heck out of them, until you can bend and break them. Leave them in shards, and then toss them out.
There are two reasons you want to do this. First, you don't want any of your data to get into the wrong hands.
One of my editors argues with this approach, saying a new, up-to-date and fully patched device that's completely blank -- like a new out-of-the-box iPhone 7/8 -- is perfectly fine for crossing the border. His premise is you download your data once you cross the border, load up and install -- then enable strong PIN code and don't turn on the fingerprint. But this is too easy a trap. First, downloading your data opens you up to a tremendous interception risk.
Second, if you've bought a new, spiffy phone, you're unlikely to be willing to destroy it. You don't want anything that has touched a worrisome foreign network to ever have a chance, perhaps a year from now when you forget, to touch your own network, ever. Remember, if you were just a normal traveler, you wouldn't be reading a paranoid's guide.
But, second, you want to make sure you don't ever attach devices that have been in someone else's hands to any network you rely on. By destroying these things before you return to your home country, you remove the chance that a malware transfer agent could have been placed on one of the devices and gets into your environment back home.
This was actually the concern way back in the second Bush administration during a meeting (actually in New Orleans). Senior officials were asked to leave their phones outside of a conference room. Mexican diplomat Rafael Quintero Curiel took them, and they were out of officials' hands for at least 20 minutes, until the US Secret Service recovered them on the way to the airport.
In this case, Curiel was more likely to want to mine the phones for their secrets, but he also had more than enough time to install hidden eavesdropping apps that could listen or record while in the White House -- had the Secret Service returned those phones back to their owners.
If the gear you use in a foreign country stays in that foreign country, it can't infect your gear back home. Yeah, I know. The objection is "what if you never use it at home." But you will. There will be a moment. If you kill them before you get home, you won't make that terrible mistake.
Yes, this practice could cost you a few hundred bucks, but how much is the whole trip costing you? And how much would infecting your home network or that of your employer cost? It's worth it to buy some disposable burner devices and then make darned sure you dispose of them. Don't forget to use safety glasses.
Do not let them pass through customs. Period. Destroy them first.
Use a VPN
Yes, you can, in theory, use a VPN to protect your traffic from your computer to the VPN service, but now you're faced with trusting a VPN service provider with your data. Paranoids trust no one.
- VPN services 2018: The ultimate guide to protecting your data on the internet
- Take home along: How a VPN can help travelers connect wherever they go
- CNET's Best mobile VPN services for 2018
- CNET's The Best VPN services for 2018
No Facebook. No Twitter.
No matter how much you might want to check your Facebook or share your travel joys, don't. No excuses. As soon as you use your own password (even with multi-factor auth) to access your own account, you open the door to the bad guys not only having access to your accounts, but being able to build a map of your relationships.
Just don't do it. No arguments. Don't.
Create temporary email accounts
Do not use your own email account. Instead, create a temporary email account, preferably on a service you don't normally use. If you're a Gmail user, create an Outlook.com account, and vice versa.
Understand this: You won't actually be emailing to your friends and associates. You will be emailing to an intermediary, who will then email your friends and associates. You'll use this account to email that intermediary. More on that in a minute.
Hire a virtual personal assistance service
Virtual personal assistants were all the rage about four years ago, but have since declined in excitement and press attention. What they do (and most are outside the US) is provide online services and phone-based services for a fee. For example, you could ask your personal assistant service to find you a lawn care service and make an appointment. Or you could ask your virtual personal assistant to send an email for you.
Let me be clear. Never, ever give access to any of your accounts to this service. Create accounts that are temporary and wholly new. Treat this service as an answering service, not as a virtual assistant. Your email on your main email accounts will go completely unread and untouched by anyone while you're away.
This is an intermediary letter drop for those you specifically tell to email to this address and service.
In this case, I'm going to reluctantly recommend you set up a temporary relationship with one of the more well-known services. Certain services like GetFriday or AskSunday allow you to set up some initial parameters that they remember between tasks. For example, you could train them that "email my wife" means sending a message to a specific email address that they keep track of.
Other personal services (like FancyHands) do not remember details between assignments. This won't work for our application.
The purpose of the virtual assistant service is to act as a temporary intermediary for sending and receiving communications. Do not give them access to your main email account. Ever!
Instead, let the four or five people you need to communicate with regularly know that you'll be receiving email via the personal assistant service. Let's say you need to communicate with two clients. Give those two clients the email address of your virtual personal assistant. If they want to reach you while you're away, that's how to do it.
Next, train your virtual personal assistant to transcode messages. In other words, if your two clients are email@example.com and firstname.lastname@example.org, you'll want to give each a code name. So Bob becomes Ted and Carol becomes Alice.
Here's how you train your assistant: When he or she gets an email from Bob, copy the text from the message and send yourself an email on your temporary email account. Indicate that the message is from Ted. It will be up to you to keep track of who's who in your mind (don't write this stuff down).
If you need to send a message to Bob, send an email to your personal assistant and indicate that the following text is to be sent to Ted. Likewise, with sending or getting mail from Carol, you and the assistant will use the codename Alice.
The idea here is that no one in the country you're visiting will be able to relate you to your specific clients or friends. Yes, there is a risk is using an outside company to do this letter drop service, but what you're doing is reducing your footprint in the country you're visiting.
Get yourself a prepaid credit card at the local Walgreens (or whatever) and pay for this service with that prepaid card. While we're on the topic of credit cards, it'd be best if you can be issued a temporary card just for travel. It's risky taking a prepaid card, because if you lose it, you're screwed. Some banks will issue temporary travel cards, and that's probably best.
Once you return home, cancel this service. Go back to your regular email practice.
What about encrypted communication apps like Signal and WhatsApp?
I don't trust them. WhatsApp is owned by Facebook and while encrypted, could well be subject to hidden agreements with host countries. Almost all of the major vendors in the US state openly that they abide by the laws of the countries within which they operate. So, if the Russian government wants to see what's inside WhatApp and requires some level of backdoor access, it will be extremely difficult for you to know and be sure that's not happening.
Signalis a slightly different beast in that it's an open-source encryption and communication tool, so, presumably, that source has been vetted by many concerned eyes. I still don't trust it, not unless I downloaded the source, went through it line-by-line, compiled it myself, and then ran it on my phone. Even then, you're running into issues of developer certificates that can be linked back you to and your accounts on iOS, or side-loaded apps, which means you've already rooted your Android to load a secure app.
And, of course, if you don't compile it yourself, you lose all the open-source security benefits, because you have no idea what whoever posted the app put inside it before compiling.
I wouldn't use these. Instead, I'd be very careful about what I say back to anyone at home. In fact, I'd probably limit myself to an "I arrived safely" call on the hotel's phone and "I'm leaving now" and that's it. Since the hotel and the host government already know your home address, that's not too much to share. And two very short calls on pre-existing circuits won't damage your digital profile anywhere else.
WWDD: What would David do?
To be honest, I wouldn't use a virtual personal assistant when traveling. I'd use code. What I would do is set up a temporary AWS or Digital Ocean server, on a completely new account, paid with a temporary credit card.
Then, I'd write a script that parsed incoming email messages, stripped off their header information, rewrote appropriate header information, and sent the messages on to their intended destination.
This is not something most people can do. I've written my own list servers and mail managers before, so coding mail management software is something I have years of experience with. But, for those of you who need to travel and can't spin up your own custom servers and server code, the virtual assistant approach is moderately workable.
For that matter, I wouldn't use a VPN service provider either. I'd spin up another server, host my own VPN software on it, and connect my Linux-based disposable machine to my disposable VPN server in the cloud, and then never go to a site that can be traced back to me. No Amazon. No Facebook. No Twitter. Nothing.
But that's me. You need to decide what you're willing to put up with and how much effort you're willing to take.
No passwords or password management programs
Do not bring along your password management program. Instead, create just a few passwords for your temporary email accounts. Commit them to memory.
Once again, let me be clear: Let's say you desperately need access to your Gmail while away... Don't. Period. Live with being disconnected from your main accounts for a week.
What about photos?
I do not have a great answer for photos. It is possible to embed malware within simple JPGs. You can hope that your browser (or those you send pictures to) can defend against the relatively uncommon hacks in JPGs.
One recommendation would be to use another temporary server, set up an ImageMagick script to convert all the images to something like PNG, which would strip out the metadata. Unfortunately, even something like ImageMagick can't detect steganography, so you can't be sure that the actual image content is pure. Equally unfortunately, ImageMagick and the servers it runs on have also had a history of compromise.
Frankly, your best bet is to upload those images to something like Google's image cloud and hope that Google's built in enough scanning protections to make those images safe. Just remember that if you take this approach, you're using an account that's new, temporary, and completely unrelated to any accounts you normally own. I wouldn't do this, though.
Here's my WWDD for this: If you truly want to keep your photos safe while traveling, bring a film camera. Amazon still sells film, and you can buy SLR film cameras. If I were traveling someplace digitally scary and I wanted to take pictures, that's the approach I'd take.
The one foolproof method to stay digitally safe while traveling
All these techniques showcase how difficult it can be if you're traveling, want to stay safe, and are smartly paranoid. That said, I left the best technique for last. Here it is.
Leave all your toys at home.
That's it. Just travel. Take your trip. Keep a careful eye on your tickets and passport and enjoy the trip. Don't worry about digital devices. Leave them at home.
What about you? If you travel someplace digitally scary, what would you do to stay safe? Let me know in the comments below.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.
Previous and related coverage
Kroll cybersecurity and investigations senior managing director Alan Brill explains how to protect smartphones, tablets, and other internet-connected devices from cybercriminals while traveling.
The FBI is recommending that all small business and home router owners reboot devices, even if they're not among the brands known to be affected.
Special Counsel Robert Mueller's office said Friday that a grand jury has indicted 13 Russian nationals and three Russian entities accused of election meddling.
Kaspersky Lab also plans to move the tools and systems used to compile products from its source code to the country.
Russia's quest to stop encrypted messaging app Telegram also blocks thousands of Amazon, Google addresses.
The FBI also warned of Russian government actors targeting the energy grid and other critical infrastructure.
What would an escalation of tensions mean for the future of our relationships with Russian software companies, developers, and strategically outsourced tech talent?