34

I am planning to visit a security conference in the U.S. and I am unsure about how to prepare myself and my devices for immigration. What are sensible technical measures to take and situations to expect?

On a personal level, I'm afraid that because of my infosec background and intention to visit a security conference, I might be singled out for interrogation or even denied entry if border officials decide that "hackers" can't be permitted. On a technical level, I'm afraid I will be asked to give access to my laptop and phone for which I want to prepare appropriately. What are things to consider for someone with an infosec background when passing U.S. immigration - especially regarding the technical setup?

(I'm not primarily asking for opinions but for founded advice on what (technical) measures are important when traveling to the U.S. as someone from the infosec field.)

  • 30
    Given current reports, if you can avoid taking your laptop/phone, and instead obtain one locally, and pull any data you might need once you're in, that might be a better option... – Matthew Feb 28 '17 at 17:24
  • 11
    I would highly advise reading the articles that [The Grugq](https://medium.com/@thegrugq/stop-fabricating-travel-security-advice-35259bf0e869#.ce6tf4jhp) has put out on the topic. – DKNUCKLES Feb 28 '17 at 17:48
  • I've found there is no rhyme or reason to who will give you a hard time or not, but I've never had anyone attempt to inspect my devices. Answer any questions that they ask respectively, and not overly ambiguous. I'm sure everything will work out just fine. – RoraΖ Feb 28 '17 at 18:50
  • 8
    you may consider travel.se too. –  Feb 28 '17 at 20:11
  • Any advice you get here will be subject to the [$5 wrench theory](https://xkcd.com/538/). If you're really concerned border control looking at a device, don't bring it. – Jon Mar 01 '17 at 07:30
  • 7
    Where I work, for such situations, the guidelines are pretty simple. 1. contact security/IT ask them for a laptop with no data on it, same for smartphone. 2. Go to the conference. 3. Download your data. 4. Before returning, wipe completely your laptop after saving online what needs to be saved. 5. Home sweet home. – Loufylouf Mar 01 '17 at 08:43
  • Depending on your age and race, you may be singled out too. I have jewish ancestry, while white look like middle eastern, was in USA in my late 20s for a security conference, and you can bet I was selected for a "random talk" with the FBI. A friend recently also traveled with his family and he looks like Pakistanese, despite having passports, they only released him after someone talking with him in the tongue that matched the passport. I have a couple old netbooks running Linux, might take one and an old phone of mine pre-smart phone. If they keep it any of them, it wont make any difference. – Rui F Ribeiro Mar 01 '17 at 09:57
  • ...and no, they did not give me much trouble. It was a pre-facebook, pre-smartphone world, and I only had with me a couple of change of clothes, a suit, my mobile phone and a travel iron. Last time I went to a Cisco conference in South Africa, I took with me a 200USD Linux netbook out of fear of getting my Macbook Pro stolen. – Rui F Ribeiro Mar 01 '17 at 09:59
  • 3
    Big brother is already waiting for your visit by now ! – elsadek Mar 01 '17 at 10:59
  • differently to what @Matthew suggests, I recommend taking your laptop ripped from all you sensitive and private data. An IT engineer without a laptop might be looked suspicious. – elsadek Mar 01 '17 at 11:03
  • I would take a throwaway laptop containing no sensitive information. Others have said it might raise suspicion, but if I am asked about it I'd simply answer it truthfully. Something along the lines of *I read online you guys do this and I don't want people going through my private documents and pictures so I brought this older laptop just for the trip*. Apply the same to other electronic devices. I'd be surprised if the ones doing these checks weren't aware that some people choose this approach. I don't know if you could be denied entry for it, in my case I wouldn't mind. – Daniel Mar 01 '17 at 18:42
  • @elsadek An IT engineer with a blank laptop would look equally suspicious. – Micheal Johnson Mar 01 '17 at 18:51

8 Answers8

31

I've travelled to several countries to give speeches at security conferences. IMHO, the right approach is not in lying, but in not saying more than necessary. When asked about the purpose of my trip at the border, I truthfully tell that I am on a business trip, going to an IT conference. Nobody ever asked me details of the conference, and nobody ever asked if I'm a visitor or a speaker. And if one day they interrogate me more deeply, everything I said was 100% true.

For technical measures, Gruqq's post on Medium is right, most of the advise given is bullshit and will only get you into trouble.

However, we all have things to hide. Be it trade secrets from our business, naked pictures of our girlfriends or our personal diary. The best way to hide the things you want to hide is, of course to not have them on the device you travel with. Store them encrypted in the cloud or on a file server.

At the same time, keep your not-very-secret-secrets on the device. Hide only what really needs to be hidden. If your device is checked, the best result for you is not that it appears blank or freshly installed or securely encrypted, but that it appears boring and ordinary.

Tom
  • 10,124
  • 18
  • 51
  • 3
    For info, Grugq's post is this one: https://medium.com/@thegrugq/stop-fabricating-travel-security-advice-35259bf0e869 – dr_ Mar 01 '17 at 16:29
19

Keep in mind that while it is entirely possible for this to happen, and that the number of incidents has been increasing, it is still very improbable. (impact X likelihood and all that)

An unnamed CBP spokesman told The New York Times on Tuesday that such electronic searches are extremely rare: he said that 4,444 cellphones and 320 other electronic devices were inspected in 2015, or 0.0012 percent of the 383 million arrivals (presuming that all those people had one device). (source)

Here is a guide to the mechanics of ensuring that should you be selected for extra attention, the impact will be minimized or lessened:

  • encrypt what you can
  • use passwords, not biometrics
  • alert a trusted contact when you enter customs to check on you if you don't get out after a certain time
  • sanitize devices completely
  • don't bring devices- mail them and download data once you arrive
  • deny yourself access- set up two factor auth, and remove your access to the token.
  • avoid steganography- it raises questions that you don't want asked

https://www.wired.com/2017/02/guide-getting-past-customs-digital-privacy-intact/

Anders
  • 64,406
  • 24
  • 178
  • 215
J Kimball
  • 2,137
  • 1
  • 13
  • 19
  • 2
    Mailed devices are subject to customs checks, by my understanding, so mailing may not be any better. – JAB Feb 28 '17 at 18:28
  • 16
    I'm wondering if "deny yourself access" could backfire and they simply seize the device if I can't give them access. –  Feb 28 '17 at 18:44
  • 3
    @Arminius yes, they can legally seize your device and keep it for months. So you get to weigh the risk of having to buy a new laptop because they keep it for months attempting to break into it, or you comply and give them access if requested. – Ryan Kelso Feb 28 '17 at 19:23
  • 1
    @Arminius Or you bring a 'throwaway' laptop. (not literally, depending on your paranoia level, but one you're willing to risk losing permanently) – user253751 Feb 28 '17 at 21:51
  • 2
    +1 Interesting thing about steganography, didn't know that. Any links for more reading on it? (Not on what it *is*, but on what happens if you do it.) – user541686 Mar 01 '17 at 05:50
  • 2
    The thing about raw statistics like % of all arrivals is that they neglect context. It may be 0.0012% of all arrivals, but what's that as a percentage of guests who described themselves as hackers or stated that they were going to an event known as a so-called hackers' conference? – anaximander Mar 01 '17 at 16:21
8

Courts have decided that you have zero privacy protections at the border. Not only can they inspect your equipment, but they can take it for examination, and even ship it to the NSA to crack your encryption, if they deem it worth the effort. All of this is legal. That being said, it is also very rare.

Here is a great article with a lot of tips: defending-privacy-us-border-guide-travelers-carrying-digital-devices.

Whether you get searched is 100% up to the border agent. They have complete discretion. It may help to have an official letter on your company letterhead explaining the purpose of your trip and the equipment you are carrying (example).

If you are very worried, you can always ship your laptop ahead of time.

Another option is to remove the hard disk and replace it with a clean one, and ship your hard disk, or make its files available for download once you reach your destination.

John Wu
  • 9,101
  • 1
  • 28
  • 39
7

It really depends on how likely you think it is that they're going to search you specifically.

Denying yourself access is only needed if your experience is that you are usually separated for extra scrutiny. Any drastic security measures will attract unwanted attention, that's only beneficial if you don't have your inconspicuousness to lose.

If not, just carry your (I presume FDE'd) hardware like normal. If you want to be safe, do a somewhat clean, civil looking unencrypted install and transfer your files when you're there.

I have heard traveling experiences from a few dozen international travelers, and if the odds of getting searched are 0.0012%, I can tell you that people who are 'noteworthy' online (bloggers/activists, outspoken technical experts) experience a few orders of magnitude increase in those odds.

If your online presence hasn't been too openly critical about US government projects, you don't parttake in legally dubious activities and don't travel from a high-risk country, the chances of being disturbed carrying normal hardware are negligible.

J.A.K.
  • 4,793
  • 13
  • 30
  • 5
    important addition — if anyone touches your unencrypted installation, consider it trojaned — wipe drive completely and install fresh OS afterwards – Display Name Mar 01 '17 at 12:40
  • I originally typed "wipe it with an image you made back home" but I realised downloading a few gigs over holiday wifi would suck – J.A.K. Mar 01 '17 at 18:39
4

That's an interesting question. I don't think, travelling with a laptop would be a problem, as many "regular" people do travel with them. You can travel with cash, and you can use internet when you get there, so it would be nonsense as what difference does it make if you set up the same config in the US?

Laptop encryption is kind of triviality, I would exclude any chance of accusation because of having my laptop seized and investigated. I think it's way easier to get your seized digital devices back via delegations rather than proving US legislation that you are not a security risk based on the contents found on your devices.

If you ever need to describe yourself or the reason of your trip in an official way, label yourself as a security consultant rather than a hacker.

Rápli András
  • 2,124
  • 11
  • 24
  • 5
    I think this misses the point. The asker fears that they'll be singled out for extra security checks because they're going to a computer security conference, not because of any particular devices they're carrying or because of any particular configuration of those devices. – David Richerby Mar 01 '17 at 00:06
3

Bring a disposable devices with you that you wont mind to be kept by security and/or stolen.

When I went to a Cisco conference in South Africa, I left my Macbook Pro at home, and only took with me a 200USD netbook to keep me connected, get some facebook, chats, check email, or the odd skype/system maintenance. Nowadays 200-300 USD machines are much more potent...

I also took with me my work phone, however left my personal phone at home. Had not been for the work phone, which I was required to always carry, I would had probably only take a 10-20USD dumb phone.

As for social network passwords...honestly I do not know them. They have been computer generated for years, and have 2FA authentication. Without both my home phone and my personal netbook...

Rui F Ribeiro
  • 1,736
  • 8
  • 15
1

You can create an image of your laptop, encrypt it and upload to some network storage (Drop Box, Google Drive etc). Bring a laptop with hard drive that you would be willing to surrender for searches. The installed system can be clean OS install or to lower suspicion -- with some data on it. Once in a location, download the image and overwrite the hard drive with your system, tools and data that you want to have for the needs of the conference.

Instead of uploading to network storage, you can have few SD cards with encrypted image data. The cards are small and can be put next to your camera for example. Chances are that you don't want to bring tens, hundreds of gigabytes of data with you.

Something similar applies to mobile devices.

Vladislavs Dovgalecs
  • 191
  • 5
  • Is there anything wrong with the approach of remoting in to your real computer from a dummy laptop? – Honinbo Shusaku Mar 01 '17 at 18:21
  • Good idea with the SD cards. Unless you look *very* suspicious, your camera SD cards probably won't be checked. As an extra precaution, put some photos on the cards and then use the free space for your encrypted image. If everything goes well, even if your cards are inspected the encrypted image won't be found or overwritten. – Micheal Johnson Mar 01 '17 at 18:58
1

Either bring your data/code openly, as in you can access it with password etc. if required, or don't bring it, as in download it after arrival (or not at all).

Of course that is if it is legal to import the data/code into the US.

Don't ever hide something. First claiming that there aren't any hidden data/code and then it is found out that there actually is, is not the way forward.

As for using a password/two factor authorization you will only get later then there is a simple device called a phone that can break it in the time it takes for the immigration officer to say: "Oh you only get the access code later? Here's a phone, please call and get the access code now!".

Bent
  • 174
  • 6