Officials at the departments of Justice and Homeland Security typically expect employees’ smartphones will be bugged when they travel overseas. So, they are experimenting with various ways to neutralize foreign spy gear.
For years, the FBI has warned government and corporate executives not to use hotel Wi-Fi connections, because of reports that foreign travelers were unknowingly downloading spyware.
When DHS personnel travel, “we understand you go there, you go to Ukraine, you come back, there’s a good chance that the BlackBerry or any other device, Androids, iOS, whatever, is probably owned. We get that,” said Vincent Sritapan, a cybersecurity division program manager at the DHS Science and Technology Directorate.
To contain the damage, Homeland Security limits what employees can see on their mobile device overseas, and “when it comes back, it’s usually quarantined,” he added.
These are not precautions. There’s a good chance malicious software really is on the phone or tablet.
In May 2012, the FBI identified malware on U.S. travelers’ laptops and issued an alert to government, private industry and academic personnel. The worm had been installed when the employees downloaded what purported to be widely used software updates through hotel Internet connections.
More recently, in the fall, threat intelligence firm Kaspersky Lab discovered the “DarkHotel” cyberspy campaign attacking top U.S. and Asian business executives who had stayed in luxury hotels.
Most of the incidents seemed to take place in Japan, Taiwan, China, Russia and South Korea. The intruders “wait until, after check-in, the victim connects to the hotel Wi-Fi network, submitting his room number and surname at the login,” according to the researchers. “The attackers see him in the compromised network and trick him into downloading and installing” spyware that, as in the 2012 case, “pretends to be an update for legitimate software — Google Toolbar, Adobe Flash or Windows Messenger.”
Both DHS and Justice want to reach a level of security where not only can they decontaminate phones but also dissect the contaminants placed inside.
“When you come back, we want to do the analysis,” Sritapan said. “We want to see what happened, what’s there.”
At Justice, officials plan to try before-and-after bug checks of gadgets. “You take that scan before the trip, they go on the trip, they come back, you take a scan afterward and you compare it,” said Kennet Ake, Justice’s acting assistant director for end-user devices.
“Burner” single-use tablets and personal, encrypted Wi-Fi hotspots also are recommended, he said.
Separately, Justice recently launched an app store containing pre-vetted, ready-to-download productivity tools.
Technologists are focusing on the security aspects of the apps and next plan to screen the legal terms and conditions, privacy aspects and accommodations for individuals with disabilities, Ake said.
The two men spoke Wednesday at the Federal Mobile Computing Summit in Washington.
Current store inventory includes a few weather and news apps, secure login tools, office suites, as well as some personal downloads like a flashlight and calculator, Ake told Nextgov outside the conference hall.
“If you give somebody their phones, they don’t have to look through 3.5 million apps and guess which ones are safe,” he said.