This may sound like a nightmare or a Black Mirror episode about a dystopic future, but you now have to check your laptop if you’re flying to the United States or United Kingdom from 10 airports in 8 North African and Middle Eastern countries.
Citing possible security risks — involving bombs, not computer viruses — U.S. and U.K officials are restricting electronic devices larger than a smartphone from airline cabins for these flights. And this may only be the beginning of such restrictions.
Erka Koivunen, F-Secure’s Chief Information Officer, has a lot of — probably too much — experience flying with a laptop from his days working for the National Cyber Security Centre Finland. So we asked him about what you need to know about traveling with your portable PC.
1. The biggest risk of checking your laptop is that it will be misplaced, lost, broken or stolen.
“The most obvious threat for any checked luggage will be delay, misplacement, breakage and opportunistic theft — in that order,” he told me. Airports are unpredictable places, especially when baggage handlers strike, as they often do in Europe. “The surest way to spend your business trip without your laptop is to check it in the fuselage.”
2. You don’t have many rights in an airport.
“Airports are places where the authorities can exercise massive control over your movement,” he said. “If you are subject of targeted surveillance, it will be trivial for the authorities to single you out, and perform tricks on you and your gadgets.”
Officials can demand your Facebook password, insist you unlock your phone so they can browse it or take your laptop off to “inspect” it in private.
“Refusal to cooperate will be grounds to reject your entry to destination or arrest,” he said. “For most business travelers it would be foolish to resist. Surely, you most likely will hate every minute of the experience but a lone civil servant will not want to initiate a diplomatic crisis and business executives won’t want want to endanger business goals of their trip.”
If you’re a high-value target of an elaborate criminal or terrorism investigation, a ranking government official or a prominent businessperson or academic, your data is seriously at risk — especially if your device leaves your hands.
“It takes a while to copy a hard disk, but surely one can do it, especially if that person can delay the flight if necessary,” Erka said. “Most likely the device will be treated with a keylogger or other kind of implant that could allow the device’s usage to be monitored, remote access to be granted or the device — and its holder — to be located later.”
3. A poorly configured device makes it easier for officials to infect you with malware.
“VIPs and self-styled ‘exceptional people’ often prefer ease-of-use and demand exemptions from corporate policies,” Erka said. “Thus their laptops open without asking for annoying passwords. They log on as admins with minimal security software installed, yet they have access to the entire network. If thieves, intelligence agents or law enforcement officials get ahold of these devices, they get a free ride.”
But these are threats a traveler faces anywhere from a hotel room to a meeting room. Erka suggests that you don’t just focus your OPSEC — operational security — on airport security. Unless you never leave your laptop unattended, assume that someone will try to access it.
“Full disk encryption, password protections and sensible hardening against malicious USB devices will make it harder for the intruder to get programmatic access to the contents of laptop,” he said. “Make sure that your device purges encryption keys from the memory when laptop is not in use. ‘Shutdown’ and ‘hibernate’ are safer options than ‘sleep,’ because in ‘sleep’ mode the system keeps keys in the memory where you — or an intruder — can read them.”
Your laptop should be designed to work just for you.
“If done right, a thief who steals your laptop from your car trunk will only get a dumb device with no access to the content,” he said. “Laptops are cheap. You’d want your employees to give one up to a mugger rather than fight. There’s no point in making them play the hero in an effort to protect the corporate secrets that their IT support failed to secure with a flip of a setting.”
So what should you do if you think your laptop may be searched?
“Whenever I am asked to part with my gadgets in a surroundings I cannot control, I make sure they are locked, encrypted and inside a tamper-evident bag, like the ones security guards use to collect money from stores at the end of the day,” he said. “The bag will force the intruder to leave a visible mark. This allows me to report back to my security team that we have had a breach. Encryption makes sure that whoever it was, they will need to invest some serious effort to get access to data.”
Get in the habit of doing this whenever you travel, overseas or not.
“Good OPSEC comes from methodical and consistent application of security safeguards.
4. Consider leaving your laptop at home — or bringing a burner.
“If you’re an executive, researcher or developer traveling to a country where you expected to be subjected to ‘enhanced inspections,’ I would advise you travel without much of your gadget arsenal. Or think about a secondary ‘burner’ device,” Erka said. “If that’s not possible, I would advise you to purge the device of most locally stored data and rid the device of authentication tokens, cookies and certificates.”
A burner could protect your security and protect you from further embarrassment.
“It will be easier to give the device back for a post-inspection by your own security team if your feel like your whole life isn’t about to be subjected to yet another intrusive search.”
5. Let people know that you’re entering immigration.
“Our chief research officer Mikko Hypponen makes it a habit to tweet whenever he is about to enter US immigration, and he follows that up with another on when he has passed the checks,” Erka said.
“You may want to do something similar but less public by sending a text message or a chat message to troops back at home or where you’re headed.”
Then when you’re free again you can send another message to let your associates know that all is well. Or he suggests that you can send a message that says “I was not coerced to say that I am okay and at my destination” just to freak them out.
[Image by meenakshi madhavan | Flickr]