Smartphone counterespionage for travelers

If you’re traveling abroad on business, there’s a good chance you’ll need to bring along a smartphone to get around, meet up with associates or learn about the idiosyncrasies of local culture. But even if you’re security-savvy and never let your device out of sight or engage in risky activities like connecting to WiFi, local intelligence services can monitor you through your cellular connection alone. Knowing how this happens will help you mount an effective counter-defense the next time you land on foreign soil.

As soon as your flight lands, devices known as IMSI catchers located in or near the terminal may be waiting for your phone to turn on and look for a cellular connection. An IMSI catcher is essentially a fake cell tower situated between your phone and the real cell network that allows the operators to, at a minimum, grab your smartphone’s phone number and IMSI (the SIM card’s ID number). Agents can then crossmatch these numbers against existing watchlists or databases and perhaps even associate these numbers with your flight’s passenger list.

If you’re deemed a target worthy of espionage, the IMSI catcher may even be used to install malware on your device. Such malware can take complete control of your phone, granting spies access to the contents on it, the communications from it and even its cameras and microphones.

IMSI catchers have been detected at airports throughout the world, including in the United States. But really, they can be located anywhere, including at chokepoints like train stations and shopping centers as well as in the vicinity of hotels typically frequented by foreign travelers.

If you’re lucky enough to avoid an IMSI catcher, you can still be monitored by local intelligence through the cell network alone. This is especially true in countries where the cellular infrastructure is state-owned. At the very least, spies will have access to your real-time location and the metadata of your calls. As with IMSI catchers, the cell network can also be used to deliver malware to your device, typically through a malicious carrier update that happens behind the scenes.

The end result is that if you’re traveling to a foreign country, especially one that’s hostile to your home country or known to engage in economic espionage, you have to assume that your smartphone will be compromised at some point. The key is to limit both the data available for espionage and any signals that may trigger escalated surveillance.

Tip #1: Bring a burner phone

Your smartphone is an extension of your life, serving as a repository of your trusted contacts, important photos, sensitive communications and much more. The last thing you want is for spies to access all of it. So, leave your smartphone at home and opt for a burner phone.

Before your trip, add to the device only the bare minimum of assets you will need for the duration, including any notes, photos or offline maps. If you will need to use email or another communications service, create a throwaway account before your visit.

After the trip, be sure to wipe this device before attempting to connect to any networks back home or before disposing of the device entirely.

Tip #2: Stay under the radar

Local intelligence services have access to passenger lists for incoming international flights and therefore can potentially single you out as a person of interest before you even step on their soil. And simply having a foreign phone number may be cause for monitoring.

During your trip, you may be tempted to turn off your phone in situations where you’d prefer not to be monitored. The problem with this approach is that turning off your phone sends a signal to the cell network, which in turn may tip off spies that you’re about to have an important meeting or visit an important location, inviting additional scrutiny.

You may also want to avoid placing phone calls back to your home country to numbers associated with your organization, especially if it’s an organization that may already be on the radar of local intelligence due to its size, industry or R&D efforts.

Tip #3: Limit the information shared with your phone

Spies can use access to your company accounts to dig for sensitive information or create a jumping-off point for further intrusions into your organization’s network. Personal accounts can also include clues about your business and perhaps even contain private information that could be embarrassing if widely shared. Avoid logging into any company or personal accounts during your stay.

And even if you have access to an encrypted messaging app like Signal, you may wish to avoid communicating with associates back home, or at least doing so openly. Instead, you can speak in coded language or use handwritten notes that can be relayed when you return.

Tip #4: Use a Faraday case to protect your location

Let’s say you’re meeting with a potential strategic supplier and want to keep it under wraps. You’re going to want to keep the partner’s location hidden, but the obvious methods for doing so, including turning off your phone or leaving it back in your hotel room, are problematic. In this situation, you can instead use a Faraday case to block out any signals. When you do so, the cell network will think that you have simply lost your network connection, not that you’re trying to evade tracking.

You can even go step further and throw spies off your scent by heading in the wrong direction and then putting your phone in the Faraday case before making your way to the correct destination.

Tip #5: Be mindful of off-device conversations

Now let’s say that your meeting with the partner is going well and you’re about to sit down for negotiations. Knowing that your meeting may be spied on through your phone’s cameras and microphones, you may opt to find an unwieldy alternative to verbal communication, perhaps communicating exclusively through handwritten notes. More realistically, you’ll want a solution for masking the audio available to your phone’s microphones to ensure that anyone listening on the other end can’t make out what you’re saying.

Ideally, your Faraday case will also have an audio masking component to safeguard any conversations captured by spyware on the phone, as such spyware will attempt to upload audio after the fact when a connection is reestablished. If location isn’t an issue, you can also use a smartphone-coupled audio masking device.

Conclusion

Smartphones are a key front in the war for information taking place between nations, and unfortunately, civilians aren’t immune to this fight, especially when on foreign soil. However, by giving up your expectations of privacy when traveling abroad and planning for the worst-case scenario, you stand a fighting chance at keeping your information out of the wrong hands.