This was originally written in early 2017 for a friend of mine who asked for advice about how to avoid being hacked when traveling abroad. It mirrors much of the DHS Travel Safety advice, but is meant to be a little more practical. I’m re-posting it here for the benefit of others. Note that this checklist applies to pretty much any hostile cyber environment – but was written with China in mind.
If you have reason to think that you’ll be targeted – particularly if you have access to data valuable to the country you’ll be traveling to – seriously – don’t take your PC into the country. Set up a burner device and use it only in combination with a VPN service. Otherwise… proceed with caution:
- Set a lock and PIN on your phone.
- Turn on your phone’s auto-lock.
- Add a privacy screen to each device.
- Ensure you’ve configured full-disk encryption on the device.
- Configure two-factor authentication whenever possible.
- Configure Android or Apple’s Device Finder so you can remote wipe.
- Ensure you are running the latest software versions.
- Sign up for DHS’s Travel Alerts.
- Completely power down the device before you arrive at your destination. Attackers can easily siphon data off a locked PC.
- Keep devices close to you and within sight at all times.
- Do NOT let authorities take the device from you during entrance / exit.
- Do NOT leave systems in your hotel room.
- Do NOT plug any media – USB stick, SD card, etc. – into the system.
- Do NOT use the internet without a secure VPN connection. Many VPN services won’t work, but ExpressVPN seems the safest and most likely to work in China.
- Turn off Wi-Fi and avoid any public / hotel / café Wi-Fi connections unless you are automatically connecting to a VPN at time of login.
- Avoid logging into any account on any shared computer.
- Assume all HTTP/S traffic outside of a VPN will be inspected and is thus compromised.
- Keep Bluetooth off – I’m not aware of any exploitable vulnerabilities in Bluetooth, but no sense in exposing the attack surface if it’s not needed.
- Wipe the burner machine and re-image.
- Rotate any used passwords upon return. Use something like 1Password or LastPass to make this easy.
- If any services share the password you used while abroad, assume it’s compromised.
Each person’s situation is unique and this advice is specifically designed for the business-person headed to China, but if you follow this advice, you’ll be a difficult target.