Keys to the Kingdom: Why Unsecure Digital Devices Can Be a National Security Risk
From your smartphone, you can access just about anything you might need: the latest weather report, the phone number of most everyone you know, navigation tools, including records of where you’ve been, your bank account, and plenty more. Convenience is the power and price of many modern technologies.
But this convenience applies to anyone with access. Modern devices have a plethora of tools to protect themselves, from biometrics and passwords to two-factor authentication, and most people and institutions make use of them. Once attackers are past these, however, they have the keys to the kingdom. Your kingdom. Our digital devices are always at risk. When we travel, that risk is multiplied. And with the focus of espionage efforts shifting from government targets and military secrets to private targets and economic secrets, it’s crucial for everyone to understand the nature of this threat and how it may apply to them.
Rules are Different Within and Between Borders
It’s not news that personal data and devices can be compromised, no matter where you are in the world. We’re all used to phishing efforts, whether they’re emails, texts, or phone calls. But how we protect ourselves and what we need to worry about is defined by the laws and security systems that exist around us before we ever see those emails or text messages. And most of us take the circumstances in our own country for granted.
Things are different when we travel and cross borders.
Let’s take Australia as an example. Once you’ve landed, their “Border Force” has the authority to do a forensic digital audit of your phone. This can tell them a lot even initially: where you’ve been recently, based on geotagging or records of connections to Wi-Fi access points, or meetings you may have had recently or may have upcoming, based on items in your calendar.
More aggressive governments and border patrol units can also look through all the data and access all the apps and social media information that’s accessible from the phone. This includes all your digital personas, whether for Facebook, Instagram, X, or any other social media you use. This makes it easy for authorities to gather information from your socials and add it to their monitoring systems, which can collate all the open and accessible data you generate throughout your visit, such as geotags on pictures you post.
Furthermore, the more intrusive techniques deployed by authoritarian and oppressive governments can continue even after you’ve returned home. They may add monitoring software to your device, making it ping back to their servers with any new data. This can compromise even secure communication channels, such as Signal. In other words, anything previously protected by the need for physical access to your device, or knowing your passwords, will now be available to them.
The risk to personal information is multiplied during border crossings themselves. The reality of being in what is effectively a no-man’s-land between countries is that while the rules may exist, they may not apply. Border guards have significant latitude, and even though the laws of their country may ostensibly forbid them from confiscating your device or threatening you for access, it can happen anyway.
Rules around what is private and what is public also differ by jurisdiction. In some places, biometric data like your face or fingerprints are considered public, and you may be legally required to use them to open your device to satisfy authorities.
Seemingly Benign Information can be Significant
Of course, none of this matters if the information that hostile actors can access is utterly benign.
But what many people don’t realize is that the nature of modern espionage has changed, including the information being targeted. Getting physical information is now an expensive, exhaustive, and intensive process. To acquire a dossier or file, agents must spend significant time and money, and put themselves at considerable risk.
The proliferation of digital devices and online information has given the espionage community a vastly more cost-effective way to steal or gather valuable information, and that can pose a threat to national security. While traditional spycraft still exists, intelligence agencies these days are considerably more tech-savvy and interested in economic information, among other things. So, something as benign as your contacts list can give someone in the intelligence community reams of information, let alone something like your banking information or credentials to your office’s front door. Having said that, the pendulum is making its way back, and the future of espionage is going to be both physical and cyber.
Intelligence agencies are also experts at pulling threads together. A collection of seemingly innocuous information, from metadata in pictures you’ve taken to the wireless access points you connected to or records of meetings, can provide a great deal of information that can be leveraged later.
Espionage Targets are Shifting from Governments and Militaries
What bad actors can do with the information they acquire is just as important as the information itself.
In particular, we’ve seen a significant increase in attacks on civil infrastructure. For example, there’s evidence that in the years leading up to the invasion of Ukraine, Russia was conducting numerous mini-cyberattacks on critical infrastructure. It appears that it tried to cover this up by suggesting the attacks were being carried out by ransomware groups or other non-state actors. When the war started, there were much larger-scale and more significant attacks on infrastructure, but the tactics had all been tested in the decade prior.
What this means for national security is that someone working at anything from a wastewater treatment plant to a municipal or provincial government office could potentially be a target for espionage. And information on your smartphone that is as innocuous as where you work, or the layout of your office building, could be valuable and usable.
So, while a foreign intelligence service may not know you work in critical infrastructure, it can find out that you go to your local wastewater treatment plant five times a week from your geolocation data. It’s not hard to put two and two together there. Plus, most of us use our devices as digital note-takers. If you have a passcode to your building saved somewhere because you didn’t want to forget it, it can be vulnerable.
Protecting Information is Important for Everyone
Of course, we all want to keep our personal information private. Not too many people are going around giving out their lists of contacts or loudly sharing their political opinions, sexual preferences, cultural critiques, or health issues. Nor are most people in the habit of handing out confidential work information or sharing their location data intentionally. But that doesn’t mean they aren’t being compromised.
And beyond just the personal privacy angle, and particularly for professionals in positions of private, public, or academic power, protecting personal information while traveling can be a national security concern. Whether you’re in research, banking, finance, the health care industry, or work for a municipal or provincial government or crown corporation, the information you carry in your smartphone could have significant implications for our country’s security.
The easiest way to ensure it doesn’t is to minimize the amount of information available on your device. That’s why I usually recommend the use of a dedicated travel device, a burner phone, or something similar when traveling.
Understanding our changing espionage situation is just as important for project leaders, managers, and many other industry professionals across the entire economy. And this is why Klavan Security offers comprehensive courses and training tailor-made for professionals.
Originally posted on uOttawa PDI News.
About the Author
Andrew Amaro is a highly seasoned professional in both physical and cybersecurity operations, specializing in social engineering, dark web navigation, online privacy, risk management, and cyberattack incident response planning. He has more than 20 years of extensive security experience, including leading and coordinating technical teams involved in data exploitation, physical access, online anonymity, and digital surveillance operations in support of Canadian national security investigations as well as in private-sector security.
Andrew Amaro is the Founder and Chief Holistic Security Officer of Klavan Security - Physical and Cyber Security Services.