Traveling with a Laptop / Surviving a Laptop Ban: How to Let Go of "Precious"
Last Updated: 2017-06-25 16:41:51 UTC
by Johannes Ullrich (Version: 1)
For a few months now, passengers on flights from certain countries are no longer allowed to carry laptops and other larger electronic devices into the cabin. Many news media reported over the last weeks that this policy may be expanded to flight from Europe, or to all flights entering the US. But even if you get to keep your laptop with you during your flight, it is difficult to keep it at your site when you travel. So regardless if this ban materializes or not (right now it looks like it will not happen), this is your regular reminder on how to keep your electronics secure while traveling.
Checking a laptop is considered inadvisable for a number of reasons:
- Your laptop is out of your control and could be manipulated. It is pretty much impossible to secure a laptop if an adversary has control of it for a substantial amount of time. These attacks are called sometimes called "evil maid attacks" in reference to having the laptop manipulated while it is stored in a hotel room.
- Laptops often are stolen from checked luggage. Countless cases have been reported of airport workers, and in some cases, TSA employees, stealing valuables like laptops from checked luggage.
- Laptops contain lithium batteries which are usually not allowed to be checked as there have been instances of them exploding (and this fact may very likely block the "laptop ban")
You are typically not allowed to lock your checked luggage. And even if you lock it, most luggage locks are easily defeated. The main purpose of a lock should be to identify tampering, not to prevent tampering or theft.
Here are a couple of things that you should consider when traveling with your laptop, regardless of where you keep it during your flight:
- Full disk encryption with pre-boot authentication. This is a must of any portable device, no matter where you are flying. You will never be able to fully control your device. Larger devices like laptops are often left unattended in a hotel room, and hotel safes provide minimal security.
- Power your device down. Do not just put it to sleep. For checked luggage, this may even prevent other accidents like overheating if the laptop happens to "wake up". But powering the laptop down will also make sure encryption keys can not be recovered from memory.
- Some researchers suggest covering the screws on your laptop in glitter nail polish. Take a picture before departure and use it to detect tampering.
- Take a "blank" machine, and restore it after arrival from a network backup. This may not be practical, in particular for international travel. But you could do the same with a disk backup, and so far, USB disks are still allowed as carry-on and they are easier to keep with you. Encrypt the backups.
- Take a "blank" machine and use a remote desktop over the network. Again, this may not work in all locations due to slow network speeds and high costs. But this is probably the most secure solution.
- If you are lucky enough to own a laptop with removable hard drive, then remove it before checking your luggage.
- Before departure, setup a VPN endpoint that allows connections on various ports and via HTTP proxies (e.g. OpenVPN has a mode allowing this). You never know what restrictions you run into. Test the VPN before you leave!
Have a plan for what happens if your laptop is lost or stolen. How will you be able to function? Even if you do not have a complete backup of your laptop with you, a USB stick with important documents that you will need during your trip is helpful, as well as a cloud-based backup. You may want to add VPN configuration details and certificates to the USB stick so you can connect to one if needed. Be ready to use a "loaner" system for a while with unknown history and configuration to give a presentation, or even to use for webmail access. This is a very dangerous solution, and you should reset any passwords that you used on the loaner system as soon as possible. But sometimes you have to keep going under less than ideal circumstances. Of course, right now, you can still bring your phone onboard, which should be sufficient for e-mail in most cases.
In general, this advice should be obeyed anyway when traveling. It is very hard to stay not leave your laptop unsupervised over a long trip. If you don't trust hotel safes (and you should not trust them), then it may make sense to bring your own lockable container like a Pelikan case with solid locks (Pelikan also makes a backpack that works reasonably well but is a bit bulky and heavy). Don't forget a cable to attach the case to something. Just don't skimp on the locks and again: The goal is to detect tampering/theft, not to prevent it. Any case that you can carry on an airplane can be defeated quickly with a hacksaw or a crowbar, and usually, it takes much less.
Also, see this Ouch! Newsletter about staying secure while "on the road":
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
With encrypted data, you can still be held at customs (potentially indefinitely) until you divulge the passphrase or otherwise unlock the device, if they do get curious. You can legitimately claim to not know if you generate a random lengthy passphrase and mail it (certified) to your destination separately from your own travel.
A surprising omission from the list: keep mobile devices in airplane mode aboard plane, but also ensure they do not connect any free WiFi from the airport, airline, or onboard service. You're going to want a real firewall, at a minimum, when connecting to such networks. (Fun way to pass time when waiting to board: drop "<name>, here's how to secure yourself" documents on people's desktops and watch them prairie-dog from a distance; watch the IPTV Sky News stream multicast in many airports; also, in the non-SSL Wild West of the past, Firesheep.)
An alternative to the "bring a blank machine" item, since hardware implants are a thing and you have no idea what customs or TSA or whoever might be doing to the machine. (And, thanks Intel, APTs can be injected via USB CPU debugger interface now.) Instead, buy a machine upon arrival at your destination, use an encrypted thumb drive with profile / configuration / VPN data. Do not bring the machine home with you. Myself and several others I know/work with have the policy of bringing no complex computational devices that leave physical contact across borders. Just not worth the risk, even with cost of a cheap disposable laptop on the other side. Prior to this ban, the rule was "if it was taken out of sight, it's an active threat, toss it", also covering things like cellular phones, smartwatches, etc. If you can't risk tossing it, don't bring it.
Of course, where possible, avoiding travel to the "big three" (Russia, China, USA) can help mitigate risk, but as recent airline news indicates, even non-stops might stop in countries you'd rather not be in. ;P
Jun 25th 2017
5 years ago
Aug 11th 2017
5 years ago