Whether You're in Sochi or Your Local Coffee Shop, You Need to Take Mobile Security Seriously

As the world's media congregated in Sochi for the Winter Olympics, there were plenty of warnings about security risks for bringing laptops and smartphones.


19 February 2014

Ski Jump

As the world's media congregated in Sochi for the Winter Olympics, there were plenty of warnings about mobile security risks for those bringing laptops and smartphones with them.

The most controversial perhaps was an NBC News report which made sensational claims  about how tourists and athletes ran the risk of having their devices hacked within seconds of landing in Russia.

The true story, alas, was rather different.  The "hacks" had nothing to do with being in Sochi, Russia, and everything to do with the reporter deliberately infecting his Android phone - something he could have done from the comfort of his local coffee shop instead of travelling all the way to Russia.

Although that news report was unhelpful and apparently designed to grab viewers' attention rather than meaningfully inform them about the threats of unsecure devices, there are - of course - genuine risks for technology users, including those visiting Russia.

The United States Computer Emergency Readiness Team (US-CERT), for instance, issued an advisory in the run-up to the Winter Olympics, reminding travellers of potential privacy risks.

When traveling abroad it’s important to know your host countries laws and policies, particularly when it comes to privacy. Russia has a national system of lawful interception of all electronic communications. The System of Operative-Investigative Measures, or SORM, legally allows the Russian FSB to monitor, intercept, and block any communication sent electronically (i.e. cell phone or landline calls, internet traffic, etc.). SORM-1 captures telephone and mobile phone communications, SORM-2 intercepts internet traffic, and SORM-3 collects information from all forms of communication, providing long-term storage of all information and data on subscribers, including actual recordings and locations. Reports of Rostelecom, Russia’s national telecom operator, installing deep packet inspection (DPI ) means authorities can easily use key words to search and filter communications. Therefore, it is important that attendees understand communications while at the Games should not be considered private.

Yes, in Russia it's legal for the authorities to monitor and intercept any electronic communication, including your phone calls and internet traffic.  You may or may not care about your personal communications being monitored, but your company certainly won't be comfortable with business data being potentially exposed!

However, here's something you may well care about - not being able to take your laptop or smartphone home with you after your visit.

Quoting the US-CERT advisory again:

Russia also retains broad inbound encryption license requirements. Taking laptops and other devices into the country is unrestricted; however software may be inspected upon departure. This means, any computer or software containing sensitive or encrypted data may be confiscated by Russian authorities when individuals depart from the country. Travelers may want to consider leaving personal electronic devices (e.g. laptops, smartphones, tablets) at home or alternatively bring loaner devices that do not already store sensitive data on them and can be wiped upon return to your home country. If individuals decide to bring their personal devices, consider all communications and files on them to be vulnerable to interception or confiscation.

Ouch!

The problem is that I would never suggest using a laptop which has anything less than full disk encryption on it (in order to protect your personal data and any corporate information and emails you might have on it from thieves).

But if your laptop (and indeed, smartphone) is heavily encrypted, it could potentially be confiscated when you try to leave Russia.

One solution, of course, is to carry a device that you're happy to wipe clean or leave behind at the end of your trip. Yet, this is rather wasteful and if you’re travelling for business, it may not be the most economical decision for your company.

So, another solution that some corporations would perhaps prefer is to share sensitive data securely via the cloud, allowing corporate information and communications to be accessed in a way that doesn't leave a digital footprint on the device, but allows for secure enterprise-grade file-sharing instead.

When used in conjunction with anti-virus software and VPN technology that can give employees the ability to securely access private networks and share data remotely through public networks (even ones that are being monitored by the country's government), the risk becomes more manageable.

Remember though, VPNs aren't just for laptops!  You should also use them every time you connect to a public or untrusted WiFi spot from your smartphone in order to reduce the chances of being snooped upon.

And, as the NBC News reporter surely knew, you need to always be aware of the security risks, regardless of whether you're sitting in a coffee shop in Seattle or you're watching the ski-jumping in Sochi.