As the 2022 Olympic Games in Beijing approached, the FBI advised athletes not to take their personal phones to the global event. Instead, they recommended taking a burner phone. Coupled with the release of guidance from Federal Mobility Group on traveling with your mobile device for federal employees, as well as the ongoing war in Ukraine and growing global tensions, this might be an opportune time to understand the risks – both in leaving your phone at home, as well as the risks in taking a burner.
Why Cybercriminals Want to Hack your Phone
Most notably, your cell phone is probably one of, if not the most personal object in your life. It always knows where you are, what you do in the real world, and what you do in the online world. It knows all your secrets, your conversations, your photos, and how much money you have in your bank account. Your cell phone is an extension of your being in many ways. If you or I were nefarious characters, our cell phones would likely offer a tempting target. If you or I were a government that wanted a convenient way of keeping tabs on a nation, that would also be an attractive target. Your cell phone is the easiest way to access your personal details, which is why it is necessary to protect it and take cautionary measures.
Understanding Hacker Tactics
You may be asking yourself, how does one hack a mobile device? First, let’s consider the hardware components. When you charge a mobile device, you’re not using a dumb cable. It should be a dumb cable; the cable should just really have two wires – a positive and a negative – but that isn’t the case. Charging cables are smart. USB-C and Lightning ports are capable of transferring tremendous amounts of data as well as charge. Now, you may be asking yourself why that’s a problem. Well, although you may think you’re simply charging a device, in reality, you’re plugging in something designed and honed over many years to be a highly efficient data handling conduit.
This brings us to our first two pivotal pieces of advice. Number one, don’t plug your phone into any convenient USB slots in your hotel room, wall socket, or communal charging station. Quite frankly, you simply have no idea what they’re connected to, and this could make you an easy target for digital predators. The same goes for anyone lending you a USB charger. The fact that mobile phone manufacturers are increasingly shipping without a charger makes this type of attack even easier.
Number two, do not accept a charging cable from anyone, anywhere, when traveling. Why? Because there are multiple off-the-shelf charging cables that can hack your device. They look like an everyday USB-C or Lightning cable but contain a system or chip that will attempt to extract data from your device. Be sure to use your own charging cable.
Another point worth highlighting is ensuring your personal devices stay on you and are accessible at all times. When going through customs or when displacing yourself between locations, it is paramount that you keep your valuable tech close to your body but hidden from potential theft.
Sadly, even if you manage to achieve all of these things, your device still needs to be able to communicate with your friends, family, and loved ones back home, and in most places, that means having a 4G connection. Any SMS message your device sends and receives is not encrypted, so be sure not to use SMS. Depending on who is trying to hack your device, most normal phone conversations can be tapped and recorded, so do not use your device as a phone while traveling.
Simple Measures You Can Take to Protect Yourself
The best way to keep yourself from being monitored is to use end-to-end encryption for communication, such as telegram or signal for voice and text messaging. You should always use a VPN for all communications from your device that take place on the internet. If you can’t use a VPN, you should restrict the apps that you’re using to those using HTTPs. Your location will be known, and although there isn’t much you can do about this, you can increase your digital security by changing sim cards regularly and ensuring all communications are encrypted.
5G is more secure than 4G, but if you’re worried about the state-owned carrier for the country you’re traveling in, you shouldn’t put your faith in anything outside of the device you’re using. Even then, you should only feel safe if you’re carefully following the advice that has been detailed above.
Yes, this advice can seem over the top, and yes, in many cases, it is. However, if you’re a government official going to another country, you should most definitely take all these precautions and likely even more. If you’re just going on a holiday? You should certainly be careful. While an attacker might not be targeting you specifically, nor will a state agency be recording your calls or monitoring your location, putting a bunch of cables or USB chargers around for anyone to pick up remains a well-trodden attack.
The Bottom Line of A Burner Phone: Should I travel with a burner phone?
Now the question remains: should a burner phone be a travel prerequisite? Again, it depends on who you are, your acceptable level of risk, and how much of your information and privacy you’re willing – or not willing – to give up.
That last question is particularly important, especially when it comes to the idea of a burner. If you’re installing your company email, one drive, Facebook, etc., onto your burner, then, in the end, you’re not really limiting your exposure while traveling at all. Therefore, you need to consider what type of limited access you’re willing to have on that device while traveling. If you’re planning on only using the device for communication through some end-to-end encryption apps, then a burner would be an ideal solution with some caveats, which we will discuss below.
The biggest perk about a burner device is if it has been compromised, the device can be factory reset once you return from your travels. Conversely, a personal phone may not be a device you wish to factory reset.
That being said, there is one major caveat with burner devices. It is essential that travelers be cautious when using their burner devices. As Orange has shown with their recent collaboration with Kryptowire, travelers need to make sure they use a burner from a manufacturer that prioritizes security and takes it seriously. If a traveler opts for a cheap burner, there is a good chance that the device relies on an older version of Android or contains system apps with major security flaws. We discussed this in a blog post, so if you decide that the best approach is not to take your device at all, make sure to pick a device that will strengthen your security posture, not inadvertently weaken it.
As a final piece of advice, be sure to turn your phone off and on every day while you’re away. Although this may sound odd, many hacks we have seen recently are memory resident and are therefore cleared when a phone is restarted. Unfortunately, however, hackers have a way of tricking you into thinking you have restarted your device when, in reality, it hasn’t been restarted at all. Therefore it is essential that you shut your device down once a day.
Fundamentally, when traveling, remember that security risks are really dependent on the company or the individual. If you’re not working for a big company or a government agency, the best advice you can follow to improve your digital safety is not to let people use your device, use your own cables, use your own charger, use a VPN, and use end-to-end encryption applications for messaging and phone calls. This will make your device a difficult target for most hackers.
If you’re worried or work for what you suspect would be a potential target, then take a burner phone (Remember! Pick a good, verified device), strip the number of services you use to a minimum (i.e., just the messaging app, and maybe an external email) and you’ll have mitigated even more risk.
Hopefully, this illustrates some of the risks – and ways of protecting yourself from those risks – for that device which is a virtual extension of you.
There is a paradigm shift that is continuing to take place in the modern world. The future of consumer computing is Android and iOS. This change brings new challenges and new ways of thinking about security, and Quokka is at the forefront of tackling these challenges. We help you understand and mitigate these issues, both as a developer and an enterprise. Check out the Quokka website to understand how we do that.