As we emerge from the pandemic, organizations will confront a new world of business travel and a new world of cybersecurity tips for travelers. What has changed? What hasn’t changed?
The particular cybersecurity risks and threats that might face business travelers are, of course, always evolving. But during 2020 and 2021, most of our business travel was replaced by video calls and other alternatives. We stopped traveling. And yet, the landscape kept changing. Here’s what you need to know about what’s new in cybersecurity for travelers.
Airport Smartphone Searches
The biggest change for U.S. business travelers is the legal status of smartphones. The U.S. Constitution’s Fourth Amendment says citizens have the right to be “secure in their persons, houses, papers and effects, against unreasonable searches and seizures”.
It’s still uncertain whether smartphones are covered under the “papers and effects” part of that clause. Specifically, can U.S. Customs and Border Protection agents search American citizens’ smartphones?
The answer used to be no. Then the answer became ‘well, sort of’. But late last year, a U.S. appeals court ruled that Customs and Border Protection agents are allowed by law to search phones and laptops, including so-called “advanced searches”. They can legally do so without a warrant or even the burden of reasonable suspicion. Phone data is now fair game at the airport.
The case stems from a lawsuit by a group of citizens including a NASA employee. Customs agents pressured scientist Sidd Bikkannavar to unlock a secure, government-issued phone.
It’s possible that this ruling may be overturned in future court cases. But, as we stand now, smartphone data is subject to search at border crossings and airports. All the previous airport cybersecurity threats still exist. Plus, now customs agents can search phones.
The law didn’t protect a NASA scientist. So it doesn’t protect your company’s business secrets or your personal privacy.
The Travel Cybersecurity Angle on Vaccine Passports
The newest change that didn’t exist before the lockdowns, but does now, is the so-called vaccine passport or health certificate required for travel. These exist to show that travelers have gotten the COVID-19 vaccine, have recovered from the disease or have received a negative test result within the past two or three days.
The European Union, for example, is working on something called a Digital Green Certificate. The ‘certificate’ would be required for travel within the European Union, as well as to non-EU countries like Norway, Iceland and Switzerland. Foreign visitors to Europe will need to show acceptable proof that a traveler won’t infect others with COVID-19. And this concept will no doubt go global as countries open up to foreign travelers.
Other countries and regions have been working on similar programs, and there is a strong desire for these systems to work together. It’s likely that these schemes will be mostly electronic, displayable on smartphones as QR codes or barcodes.
Health passes that demonstrate the likelihood that the bearer is disease-free are likely to remain a permanent part of travel. They could also include certification of immunity to other diseases, including future pandemic viruses.
The Problem With QR Codes
The electronic versions of these passports will use QR codes, which are potentially problematic from a security point of view. They are trivially easy to copy — attackers can share or use a simple screenshot of a legitimate QR code. So, it will be imperative for these systems to be secure and user-authenticated. The digital versions of these health passes will also need to securely access medical records, as the immunity conveyed by vaccines is often temporary.
For all these reasons, health passes represent a non-trivial security challenge for both the official bodies that issue them and for travelers and the businesses they work for. Border agents in some countries, for example, may use smartphone-based health apps as a pretext to take possession of unlocked smartphones. Then, they could bring the phones out of sight of the owners and possibly download their data.
Tomorrow’s Travel Involves New Documents
New documents require new cybersecurity tips, but some haven’t been in place long enough yet for good advice to come through. Another change in the world of business travel is the DTC, or digital travel credential. In late 2020, the United Nations International Civil Aviation Organization, the body that sets the global standards for passports, published a new standard. This DTC standard is a system for carrying the equivalent of a passport on one’s smartphone. (Notably, the standard uses blockchain as well as biometrics.)
In the near future, it’s likely that business travelers (and tourists) will use smartphones, rather than passports. They may use the passport only as a backup document in case of questions or loss of the smartphone.
In the short term, frequent travelers will use the DTC first — business travelers, mostly — as part of a seamless travel system. It will operate like today’s Global Entry, where the traveler fills out a questionnaire, goes to an interview and receives a background check. Then, in the future, they can sail past the lines and checkpoints that non-members have to suffer through.
New Doorway to Access Smartphone Data
A recent report found that the U.S. Customs and Border Protection agency purchased vehicle forensics kits for accessing data from cars. As car dashboards get smarter, more people are connecting their smartphones through Bluetooth or direct cable connection, and data flows between the car and the phone. Privacy advocates are concerned that this news represents a trend in which border agencies use these tools to circumvent legal restrictions on smartphone searches.
Customs agents, spies and threat actors all have new tools that access smartphone data through cars. That means business travelers need new training, awareness and precautions in response. Keep this in mind when you rent cars or otherwise connect smartphones to smart car dashboard systems.
Cybersecurity Tips to Match New Developments
We’re confronting a future in which business travelers’ smartphones will contain new categories of sensitive personal and business information. They can hold or provide access to contact lists, credit cards, business emails, chat histories, photos and more. They now could also contain access to passport information, health histories and other important data.
Cyber attackers will understand that breaching a smartphone is the key to a universe of cyber crimes. It can open someone up to anything from social engineering attacks to blackmail to identity theft to embezzlement. State-sponsored spies will have new incentives to target the smartphones of business travelers. And customs agents will have new incentives to download or search the content of smartphones. New rules will allow them to do so globally more and more.
For this new world, we need new cybersecurity tips. On the outside, you should travel with a wiped second phone containing the minimum apps you need. Other travel cybersecurity practices will be evolving quickly over the next few years as we adjust to the new environment.
So as we re-engage with the practice of business travel, it’s important to understand the new risks and threats and respond accordingly. From there, we can build new assumptions and cybersecurity tips into how our mobile security tools operate and how business travelers should behave while traveling.