
Best Practices when Traveling Abroad

While mobile devices like smartphones and tablets enable employees to work during foreign travel, their portability and always-on state make them vulnerable to compromise, theft, damage, and loss. These risks are heightened abroad, where both government and personal information, including user account details, contacts, and application data, are at greater risk. Government and industry employees are prime targets for foreign adversaries seeking to steal confidential data and Intellectual Property (IP), as well as personal data.

 

In this article, we will provide some Best Practices on how to secure mobile devices (and their data) used by employees during their international travels outside the continental United States (OCONUS) and U.S. territories, including the procedures to follow before, during, and after travel.


Security Threats while Abroad

The use of mobile devices outside the continental United States (OCONUS) presents numerous security risks: a compromised device can have its cameras, microphones, GPS, and other sensors exploited to eavesdrop, steal information, or launch attacks on enterprise IT systems.

 

Foreign Mobile Networks

Mobile devices can connect to any available wireless network, including untrusted Wi-Fi, Bluetooth, Radio Frequency (RF), Near-Field Communications (NFC) as well as foreign-owned cellular networks.

 

This always-on connectivity poses significant risks for agency mobile device users and the data stored on their devices when used overseas, as wireless communications are vulnerable to interception, jamming, and other threats; eavesdropping on Wi-Fi, cellular, and Bluetooth communications is common, especially with commercially available equipment.

 

Any Wi-Fi network, either domestically or abroad, should be considered untrusted and potentially monitored if outside U.S. government control, as untrusted networks increase the risk of eavesdropping attacks, which can intercept data traffic to and from mobile devices.

 

Also, international cellular networks, often controlled directly or by proxy by foreign governments, can monitor all communications to and from devices, potentially resulting in user tracking, intercepted messages, redirected or eavesdropped voice calls, and potential financial theft. In extreme cases, foreign government-controlled carriers can intentionally push malware to mobile devices by requesting firmware or operating system updates, with or without user acknowledgment and awareness.

 

Surveillance and Monitoring

Phishing techniques through email or SMS target high-value travelers, such as senior officials, to install malware that compromises devices or backend systems, or installs surveillance software to intercept communications and activate cameras or microphones without user knowledge. Physical access to a device, such as at border crossings or in unattended locations, is a direct method for malware delivery.

 

Corporations also gather marketing information from mobile devices, often through adware in apps, which can be sold to nation-state and criminal organizations, exposing personal and usage data. Also, the use of QR codes for contactless transactions (e.g., restaurant menus) has increased exponentially since the COVID-19 pandemic, making them new targets for embedding malicious URLs or phishing pages to exfiltrate data or solicit sensitive information.

 

Even foreign embassies and consulates, which are usually considered safe places, should technically be treated as foreign territory: government personnel's activities are likely to be monitored, and mobile devices are particularly susceptible to interception, inspection, and malware infections.

 

Location Tracking

Geolocation and timing services are crucial for cellular network operations and are commonly used by mobile applications to deliver context-specific information. During travel, these services can be exploited for unauthorized tracking of the user and their device, posing risks to safety, security, and privacy. Geolocation data can be transmitted through a device's Wi-Fi and cellular signals, and mobile applications may send this data intentionally or unintentionally, either maliciously or benignly, and often in insecure ways, making it susceptible to unauthorized collection.

 

International Borders

At international border crossings, police officers, customs agents and other government officials can potentially request access to travelers' mobile devices, asking them to unlock the device or provide passwords. Compliance allows officials to search, read, or copy data such as documents, emails, passwords, contacts, browser history, social media information, and SIM card data, so minimizing sensitive data on devices is crucial to reduce exposure. Refusal to unlock devices may in many cases result in seizure or detention, so it is recommended that employees power off their devices before crossing borders and report any incidents of device seizure or tampering to their supervisor and the local U.S. embassy or consulate whenever possible.


How to Mitigate Common Risks

Security is a shared effort and responsibility between the IT security team (management) providing the mobile devices, and the employees using them.

 

Before Leaving for Travel

Use Temporary, Dedicated Devices

The organization should provide employees with dedicated devices, such as loaner phones, with restricted contacts and emails specifically for their upcoming travel, as well as a minimum set of approved, managed applications so they can perform their duties.

 

In terms of network connectivity, employees should install new SIM cards compatible with the destination’s service area, preferably international SIM cards purchased domestically. If that is not possible, employees should purchase them locally at an official retail store, never from a kiosk or shop at the airport (insecure supply chain).

 

A Mobile Threat Defense (MTD) solution should also be deployed on these dedicated mobile devices, to help protect them against cybersecurity attacks like malware, phishing, viruses and the like.

 

Enforce Device Security

The IT security team should implement several crucial measures to safeguard data. First, they should disable lock-screen notifications to prevent sensitive information from being visible without unlocking the device, and enable an automatic screen lock after a short period, such as five minutes, to ensure devices are secured quickly if left unattended. In addition, setting devices to automatically wipe data after a specified number of unsuccessful login attempts can protect data if a device is lost or stolen.
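
One way to check these three settings before a loaner device is issued, as an added example that is not from the original article. The setting names, the export layout and the wipe threshold of 10 attempts are assumptions; missing or malformed values are treated as failures.

```python
# Added example. Setting names and the export layout are hypothetical;
# map them to the fields your MDM/UEM actually reports.

MAX_AUTO_LOCK_SECONDS = 5 * 60        # "such as five minutes" in the text
MAX_FAILED_UNLOCKS_BEFORE_WIPE = 10   # assumption: the text gives no number


def _positive_int(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def audit_device(settings):
    """Return findings for one device; an empty list means it passes.

    Fails closed: a missing, zero or malformed value counts as a finding,
    because an unreported setting cannot be assumed to be enforced.
    """
    findings = []
    if settings.get("lock_screen_notifications") is not False:
        findings.append("lock-screen notifications not disabled")
    lock = settings.get("auto_lock_seconds")
    if not _positive_int(lock) or lock > MAX_AUTO_LOCK_SECONDS:
        findings.append(f"auto-lock not set to <= {MAX_AUTO_LOCK_SECONDS}s")
    wipe = settings.get("wipe_after_failed_unlocks")
    if not _positive_int(wipe) or wipe > MAX_FAILED_UNLOCKS_BEFORE_WIPE:
        findings.append(
            f"auto-wipe not set to <= {MAX_FAILED_UNLOCKS_BEFORE_WIPE} attempts")
    return findings


def audit_fleet(devices):
    """Map device id -> findings, listing only devices that must not be issued."""
    audited = {dev: audit_device(cfg) for dev, cfg in devices.items()}
    return {dev: found for dev, found in audited.items() if found}


# Constructed sample export for three loaner phones.
SAMPLE_EXPORT = {
    "loaner-01": {"lock_screen_notifications": False, "auto_lock_seconds": 120,
                  "wipe_after_failed_unlocks": 10},
    "loaner-02": {"lock_screen_notifications": True, "auto_lock_seconds": 900,
                  "wipe_after_failed_unlocks": 10},
    "loaner-03": {"lock_screen_notifications": False, "auto_lock_seconds": 0},
}

if __name__ == "__main__":
    for device_id, findings in audit_fleet(SAMPLE_EXPORT).items():
        print(device_id, "BLOCKED:", "; ".join(findings))
```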

 

Secure Remote Access

The IT security team should also provide employees with specific solutions to access internal data securely from their mobile devices while abroad. This is usually achieved using a typical Virtual Private Network (VPN) solution, or even better a Zero Trust Network Access (ZTNA) solution, which grants access based on behavioral analysis and triggers Multi-Factor Authentication (MFA) if needed.

 

For organizations that need to ensure that no actual data resides on the device at any time (referred to as “data at rest”), it is recommended to implement a Virtual Mobile Infrastructure (VMI) solution, for example Hypori Halo, that allows employees to access confidential data securely without storing it locally on their devices.

 

Educate Your Employees

Prior to their international trip, employees should attend security awareness training, to get guidance and Best Practices on how to use their mobile devices safely while abroad.

 

During Travel

When traveling abroad, end-users should be vigilant in protecting their mobile devices from potential security threats. They should only connect their devices to authorized computers to prevent unauthorized data access or malware installation and use only agency-issued chargers to avoid malicious software that can be introduced through compromised charging stations, a practice known as "juice jacking."

 

In terms of network communications, Bluetooth should be turned off and remain disabled, unless it is mission-essential (in which case, users should follow their agency's guidance). Similarly, if Wi-Fi use is allowed, it should be turned off when not in use, as otherwise the device's radios continuously search for networks, which can be used to track the user's location. Disabling Wi-Fi also helps conserve battery life. Additionally, government travelers should disable NFC communications, as these connections can be monitored by payment or hotel apps, potentially allowing for security breaches or attacks.

 

When using Wi-Fi, avoid connecting to open Wi-Fi networks, and exercise caution with secured Wi-Fi networks at hotels, restaurants, airports, and other public or commercial institutions, except those operated by the U.S. Government. If using such networks is necessary, ensure that communications are secured end to end between the mobile devices and the internal network, using the above-mentioned VPN or ZTNA solution.

 

Users should refrain from opening unknown email attachments and clicking on unfamiliar links in emails or SMS messages, as these can be phishing attempts or malware delivery methods. It is important not to attempt to circumvent any security restrictions in place, as they are designed to protect sensitive data. Any suspicious behavior observed on the device, such as unexpected pop-ups or sluggish performance, should be reported immediately to the relevant IT support. Additionally, keeping the device's operating system and mobile applications up to date ensures that the latest security patches are applied, reducing vulnerabilities to known exploits.

 

When Returning from Travel

Once employees are back from their international trip, they should neither plug their device into any of their computers, nor connect it to their personal (home) or corporate network, but instead return it immediately for review to the IT team that provided it to them in the first place.

 

The IT security team will then run forensic inspections on the device (hardware and software) to determine whether it has been compromised; once completed, they will wipe the device completely before reloading the software.

 

For many, foreign travel is a necessity, as is working while traveling. However, it is important to remember that your devices are always vulnerable, especially during foreign travel, and with today’s ever-increasing security threats, ensuring your infrastructure and devices are protected is paramount. While cybersecurity risks will always exist, there are many actions you can take to mitigate these risks. First and foremost, please follow your agency-prescribed procedures when traveling overseas, as these are generally based on best practices. If you have any questions, please reach out to the team at ISEC7 Government Services and we can help you navigate the options available to help strengthen and protect your devices, both at home and while traveling abroad.


