What's in your travel bag?
A laptop filled with data? An external HDD filled with even more data? There's bound to be a phone - possibly two if you spend a lot of time in one location overseas and don't / can't switch SIMs in your main one. They probably have a fair bit of info on them, especially if your phone doubles as a camera. A tablet for when you're on the plane? That isn't uncommon.
Despite a big push for one device being able to do everything, we still tend to assign specific tasks to certain devices, and end up carrying half a dozen pieces of kit around. Convergence? It's still a long way off.
The big question is: what do you do with them once you arrive at your destination? Most people tend to keep essentials like phones and cameras in their pocket, but all those other things like the 15" laptop and the tablet? Into the safe they go.
That's the theory, anyway. The reality is a bit different.
Most hotels I stay in - and I stay in a lot - follow a particular pattern. Raise your hand if you recognise any of the following:
- Oh hey there's only like 6 hangers and none of them are removable from the rail and all of my stuff is now going in a pile on the floor
- Wow there's 15 lightbulbs and they have the combined power of a decade old torch with one of the batteries missing. Hopefully someone packed the night vision goggles
- Two plug sockets and they're nowhere near the bed or table? Good thing I really enjoy sitting on hard wooden floors
- As it turns out, the safe is the size of a pocket book of Zen quotes so I guess I'm just leaving that laptop on the table when I go out
You can fall victim to the so-called "Evil Maid" attack, which I believe was coined by Joanna Rutkowska back in 2009. Surprisingly, this isn't anything to do with poisoned donuts or not changing the towels - it's actually where someone creeps into your room and tampers with your device, placing something horrible and data theft-ish on it before retreating back into the shadows.
The "Evil Maid" doesn't have to be a literal maid, though the idea of someone dressing up, faking a badge and wandering round with a trolley full of Secret Spy Devices (TM) is an interesting one. Regardless of whether we're dealing with someone in comedy room service disguise, someone from a Government Agency or a random hacker out for a bit of fun, once the International Security Services Bedsheet Changer has come to town and had direct physical access to the device, you simply cannot trust it anymore and you should pack it on a one-way trip into the heart of the Sun.
Case in point:
That awkward moment when you leave a notebook in a hotelroom and when you come back it is turned off and claims its ram is defect— Stefan Esser (@i0n1c) October 26, 2015
Coming back to find your laptop tampered with is not a good feeling.
Looks like someone removed the harddisk and did not correctly slip it into holes when closing the notebook pic.twitter.com/KmOH5YVsOF— Stefan Esser (@i0n1c) October 26, 2015
I wonder what horrible things they did to the notebook because temporarily removing hard disk does not result in broken ram beeps— Stefan Esser (@i0n1c) October 26, 2015
Of course, whoever took this laptop to task may well have been a bumbling amateur given the fact that they left signs of tampering on the laptop visible from the moon and, er, this:
No comment. Lousy backdoor job resulting in broken notebook. pic.twitter.com/K38cSkA7Dr— Stefan Esser (@i0n1c) October 26, 2015
Maybe someone has been watching too many Inspector Clouseau movies (also from looking at the replies to that Tweet, the door handle is apparently screwed in the wrong way round because the screws should be on the inside. Not going well this, is it?) It appears the perpetrator may have been going for a Cold Boot attack (on the laptop, not the door).
My door right now pic.twitter.com/55F2k8pedo— Stefan Esser (@i0n1c) October 27, 2015
When travelling, many security people leave their main laptop at home and take a custom built travel machine which is smaller and lighter. The tradeoff here is the laptop's functionality, and depending on length of stay this might not be feasible - netbooks and notebooks are great, but if you're unable to perform specific tasks while on the move then it all becomes a touch self defeating. This is why a lot of Infosec folks use custom built gaming laptops, which pack quite a punch and yet remain reasonably lightweight while in transit.
There are many tricks you can try to make things difficult for would-be laptop tamperers, and here's just a few of the most well known ones:
1) Crushed powder in screw holes will reveal if someone has been poking around your laptop innards.
2) Making an inventory count of all screws both inside and outside the device is also a good way to check if a bit of prying and jimmying has been taking place.
3) You can put stickers over screw holes or the side joins of a machine, but people who know what they're doing can work around that. Depositing a random pattern over the screws and / or stickers with glitter nail polish, though? That's a lot more problematic to get around.
4) Super extreme "What are you even doing" method incoming: you open the laptop up, use epoxy (or solder) to wedge the RAM into place, seal the machine, remove the screwheads and fill the holes with glue. Good luck getting into the laptop undetected with that one (also, have fun buying a replacement machine should your internals ever break because you'll have a whale of a time at the repair shop with this technique).
5) On a related note, some people disable USB ports with software whereas others will jam them up with epoxy or superglue to prevent poisoned USB stick antics in your absence. Of course, this means you won't be using your USB mouse anytime soon.
6) Limit the amount of data on the laptop before you fly out. Do you really need to take 5 years worth of personal photos and the entirety of your organisation's tax returns along for the ride? If there's a way to securely store data you need (that is to say, in a more secure fashion than "laptop left alone for 3 hours") yet be able to access it online with the usual tricks of the trade such as 2-step authentication, then do so. The same goes for your USB sticks and external HDDs. Bring only what you need, and use strong encryption to keep things secure. The same goes for the laptop itself. The more hurdles you present the attacker, the more likely you are to send them packing.
The ultimate solution to Evil Maids is to just sigh loudly and take your devices with you everywhere. Yes, you can go down the "sealed envelope marked with pen and placed in the hotel safe" route, but it isn't like people can't get into hotel safes. As it turns out, door locks are no great shakes either, so if you can't see it, you can't guarantee device safety.
Has this laptop...
...been tampered with? Or did room service accidentally knock it off a shelf? Who knows? And not knowing is the worst part.
@i0n1c I had nearly same experience with hotel. And here is strange result, yet it works (MacBook Air) pic.twitter.com/TBbniQLYo4— Боря Розенштейн (@rznstn) October 27, 2015
Ultimately, it boils down to what the potential attacker wants. They could just steal the laptop, but your encryption will give them a bad hair day (you have looked into encrypting your device, right?) For the attacker, It's a lot easier to compromise the laptop with Malware then try to swipe your passwords and information once you're physically using the poisoned machine. As a result, the security of your data is all about delaying them as much as possible - the moment they're in the room, they have a timer bearing down on them and they want to be in and out of there as fast as they possibly can.
In the same way that a burglar will gravitate towards houses with no visible security alarms, poor lighting and open windows, our theoretical International Security Services Bedsheet Changer is going to take one look at an epoxy sealed, superglue filled, inaccessible RAM deathtrap laced with encryption and Fight the Power stickers covered in nail polish and jump back into their unmarked van, defeated.
They might need to send someone out to fix that door, mind you...