International travel investigation

If a company representative plans to travel abroad in potentially hostile areas, ideally they will use a disposable tablet or phone specifically for the trip and leave the laptop or device they use for work at home. The traveler should use that designated device under the assumption that it and any data on it is or will be compromised (i.e., they should not input, send or receive any sensitive data on it).

This section will cover three aspects of how a device might be handled, used and connected to communications infrastructure as a result of international travel. If, for example, a company representative returns from abroad and reports a potential incident, you need to determine how the device has changed, what parties handled the device, how the device connected to mobile infrastructure and the Internet, and what data may have been exposed.

Customs

When a traveler enters or exits a country, customs authorities may inspect luggage including personal effects such as a mobile device or laptop. During customs procedures, authorities may intercept and examine a tablet or phone. Depending on the country, authorities may also perform a forensic acquisition on the device. A forensic acquisition consists of extracting data from the device and creating a copy of that data (called a forensic image). When authorities take possession of the device, they also have an opportunity to implant malicious code on the device for the purposes of surveillance.

Connecting to mobile infrastructure and networks abroad

Once an employee is overseas, their phone will connect to that country’s cell phone network. Mobile carriers have considerable, low-level access to the devices that connect to their infrastructure. In China, the three main telecommunications providers - China Mobile, China Unicom and China Telecom - are state-owned enterprises. Numbers from June 2015 show China Mobile with a 60.2 percent market share compared to China Unicom’s 24.5 percent and China Telecom’s 15.3 percent. If someone from your company connects to a cell tower in China, it’s likely the tower is state-owned.

A mobile carrier or malicious party can route a traveler’s device to specific networks once the device connects to a base transceiver station (BTS), which is part of the equipment a cell tower uses to facilitate mobile communication. The baseband processor, a chip found within a mobile device, handles the communications sent from and received by the device. Security flaws within a device’s baseband processor can be exploited via a BTS, as explained by Ralf-Philipp Weinmann in his paper "Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks." In addition, mobile security researcher Aaron Turner stated in a presentation at RSA Conference 2013 entitled "Mobile APT - How Rogue Base Stations Can Root Your Devices": “Foreign carriers and malicious BTS operators can 'catch and release' your device while making updates or settings changes that will enable persistent monitoring.”

If you’re called to respond to an incident related to a company representative’s travel abroad, you’ll want to keep the possibility of a baseband attack in mind. If possible, you’ll also want to consider taking forensic images of the device prior to travel abroad and upon the device’s return to the home country.
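One concrete use of the pre-travel and post-travel images is a file-level comparison: hash every file in each image and report what was added, removed or modified while the device was abroad, which gives the investigator a short list of files to examine first. The following is an added example written for this page, not code from the original text; the manifest format and the sample paths and digests are constructed for illustration.

```python
import hashlib
from pathlib import Path
from typing import Dict, List, Tuple

Manifest = Dict[str, str]  # relative path -> SHA-256 hex digest


def build_manifest(root: Path) -> Manifest:
    """Hash every regular file under a mounted image (or an extracted
    filesystem tree) so the result can be stored beside the image itself."""
    manifest: Manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifests(before: Manifest, after: Manifest) -> Tuple[List[str], List[str], List[str]]:
    """Compare the pre-travel manifest with the post-travel one and return
    (added, removed, changed) paths; these are the files to examine first."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, changed


# Constructed sample manifests; the digests are placeholders, not real hashes.
PRE_TRAVEL: Manifest = {
    "system/bin/sh": "d1" * 32,
    "system/lib/libc.so": "a2" * 32,
    "data/app/mail.apk": "b3" * 32,
    "data/local/tmp/note.txt": "c4" * 32,
}
POST_TRAVEL: Manifest = {
    "system/bin/sh": "d1" * 32,
    "system/lib/libc.so": "ee" * 32,            # same path, different content
    "data/app/mail.apk": "b3" * 32,
    "system/priv-app/update.apk": "f5" * 32,    # new file after the trip
}

if __name__ == "__main__":
    added, removed, changed = diff_manifests(PRE_TRAVEL, POST_TRAVEL)
    for label, paths in (("added", added), ("removed", removed), ("changed", changed)):
        print(f"{label}: {paths}")
```

In practice `build_manifest` is run once against each image and the two stored manifests are passed to `diff_manifests`; a change to a system binary or a new privileged package is the kind of result that warrants deeper analysis.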

Connecting to Wi-Fi abroad

Business travelers connecting to Wi-Fi present another vector by which malicious individuals may compromise a mobile device. One example of this is the Darkhotel campaign, labeled an advanced persistent threat (APT) by Kaspersky Lab. In their report on the attack published in November 2014, Kaspersky Lab researchers stated that Darkhotel targeted corporate executives staying at hotels around the world via the hotel’s in-house Wi-Fi or business-center Internet access points.

The report states that the majority of infections occurred in Japan, Taiwan, and China. The malicious actors behind the attack seemed to have information about targeted executives’ names and the hotels at which they planned to stay. The attack used forged certificates to dupe executives into downloading what posed as one of several major software releases but was in fact a Trojan consisting of keyloggers and other malware. While the Darkhotel campaign did not target mobile devices specifically, it is an example of the targeting of executives abroad via Wi-Fi.