16

There have been a number of cases when border security officials have requested passwords to mobile data devices, as indicated in the questions "US and Canada border crossing and computer privacy: What do I need to know?" and "Do I need to provide PIN or password for my digital accessories, when entering Canada?".

I am wondering even if you have nothing on your device to hide (clean install with innocent activity logs), your user account is a restricted account, your WiFi switch is off and the network drivers are incompatible and the firewall blocks all network ports, the battery is flat and your charger is checked in and the USB ports deliver excessive voltage when the unit is working.

Assuming that officials have your password and have the machine out of your view for some moments how easy would it be for them to leave some residual compromise on your system that would be a pain to detect?

EDIT:
In response to answers and comments. I am hoping to determine if it is worth owning a device after it has had the 'greasy' hands of border security on it. I tried to exclude the external data vectors; assume you have dropped super-glue in the USB connectors on the phone and the laptop USB connectors generate 350V spikes on the data lines.

My worry was more in the line of can they simply try and connect it to a local WiFi sniffer to determine the MAC address or some other meta-data and say track you later on now that the device ID is positively linked to your passport (identity) for future data aggregation. I suppose the real question is how much damage can they do by seemingly doing nothing?

Personally I may not get the chance to travel to the US or Canada but would possibly use a sacrificial phone and junk it after my visit to such countries; I'm just wondering what advice to offer friends who travel that are not quite as security conscious.

I suppose for my friends and I there should be an alternate question that does not include physical hacks to our daily devices just to harass border guards but might simply include a software/firmware tidy up check-list.

SECOND EDIT:

It looks like I should add Australia to the list of countries that one needs to be wary of. In this case it looks like it took 90 minutes for the officials to work their way through a phone and laptop that had been unlocked and it looks like the phone was tampered with.

KalleMP
  • 3
    American Border security procedures != Canadian Border security procedures. – DKNUCKLES Mar 13 '17 at 19:32
  • 2
    "the battery is flat": That might not be the smartest thing to do. If they want to inspect your device and you can't comply because your battery is flat, do you think they'll really care about your excuses? Best case scenario, they say oh well and let you go. Possible other scenario: You're stuck in a very boring place waiting for someone to organize a charger and charge the device. Worst case scenario: Since you can't comply with their instructions, they turn you back at the border. – Out of Band Mar 14 '17 at 00:09
  • 1
    Yes, you can very easily get a MAC address from the device by connecting it to a WiFi. But it would be easier to just unlock it and find the MAC address in settings. Not sure how that would really help them. – MikeSchem Mar 14 '17 at 02:34
  • 2
    You're going to be so disappointed when they don't bother to ask you for your phone, so be sure to act as suspicious as possible when at immigration. :) – Michael Hampton Mar 14 '17 at 02:34

2 Answers

14

If you gave me your phone and password for 30 seconds I could install a Remote Access Trojan completely undetectable to the common user that would give me remote access to the phone just like I had it in my hand unlocked (i.e. listen to the microphone, access all files, pictures, text messages, calls, etc.). If I can do that I'm sure any government is capable of the same.

So if they did that to your brand new phone, they could access any new information on it as you entered their country.

So yea, I'd consider that a bit of a security issue.

MikeSchem
  • 1
    What mechanism would you use in 30 seconds to be able to upload information? I just dreamed up a handful of pitfalls to prevent uploading of data without some effort. I expect the border security might have USB attack devices that have good over voltage protection and can handle a burnout port but perhaps the device USB ports are not even connected. – KalleMP Mar 13 '17 at 18:40
  • 8
    If you could install a rootkit / RAT on an un-jailbroken iPhone in under 30 seconds I would be *veeeeeeery* impressed. – DKNUCKLES Mar 13 '17 at 18:44
  • 3
    @KalleMP I'm sure you could find some way to dismantle the USB cable on the bottom of the device, but on Android for instance you can upload over WiFi.. so if they have your code to the device they can just turn WiFi on, enable developer mode, adb install the RAT and hand it back to you. But there are also many other ways to compromise the device. For instance they could install their own cert and intercept your traffic later. – MikeSchem Mar 13 '17 at 19:01
  • 3
    @DKNUCKLES on the iPhone you wouldn't need to jailbreak it to install another app that acts as a RAT. You could hook it up to your computer and install over USB. You could also use an enterprise license to get an app on the device just by downloading it from a webpage. Admittedly, 30 secs might be an exaggeration.. – MikeSchem Mar 13 '17 at 19:05
  • 1
    define "completely undetectable to the common user" – njzk2 Mar 14 '17 at 03:24
  • 1
    meaning there would be no way to tell if the RAT was on the device without the use of any forensic or developer tools – MikeSchem Mar 14 '17 at 03:29
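
An added defensive example, not part of any post on this page: the comment above names enabling developer mode and `adb install` as one route, so a check after an inspection can look for packages installed or updated while the device was out of sight and for debugging settings that differ from a pre-trip baseline. The sample `dumpsys` text, package names, time window and function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample of `adb shell dumpsys package packages` output (trimmed).
SAMPLE_DUMPSYS = """\
  Package [com.example.notes] (1a2b3c):
    firstInstallTime=2017-01-04 09:12:44
    lastUpdateTime=2017-02-20 21:03:10
  Package [com.example.sysupdate] (4d5e6f):
    firstInstallTime=2017-03-13 18:22:05
    lastUpdateTime=2017-03-13 18:22:05
  Package [com.example.mail] (7a8b9c):
    firstInstallTime=2016-11-30 14:00:00
    lastUpdateTime=2017-03-13 18:25:31
"""
# Constructed results of `adb shell settings get global <key>` for two keys.
SAMPLE_SETTINGS = {"adb_enabled": "1", "development_settings_enabled": "1"}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
TIME_RE = re.compile(r"^\s*(firstInstallTime|lastUpdateTime)=(\S+ \S+)")
FMT = "%Y-%m-%d %H:%M:%S"

def packages_changed_in_window(dumpsys_text, start, end):
    """Return {package: [fields]} for install/update times inside [start, end]."""
    hits, current = {}, None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = TIME_RE.match(line)
        if m and current:
            try:
                ts = datetime.strptime(m.group(2), FMT)
            except ValueError:
                continue  # unexpected timestamp format: skip rather than guess
            if start <= ts <= end:
                hits.setdefault(current, []).append(m.group(1))
    return hits

def risky_settings(settings, baseline):
    """Return keys whose value differs from the owner's pre-trip baseline."""
    return sorted(k for k, v in settings.items() if baseline.get(k, "0") != v.strip())

if __name__ == "__main__":
    window = (datetime(2017, 3, 13, 18, 0), datetime(2017, 3, 13, 19, 30))
    print(packages_changed_in_window(SAMPLE_DUMPSYS, *window))
    print(risky_settings(SAMPLE_SETTINGS, {"adb_enabled": "0", "development_settings_enabled": "0"}))
```

The timestamps follow the device clock, so a clean result is triage evidence only. User-installed CA certificates, the other route the comment mentions, are not covered here and need a separate look in the device's trusted-credentials settings.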
3

Admittedly these border officials could compromise your system.

BUT:

  1. These are border officials. How likely is it that they will engage in illegal activity such as this? Things like this won't go unnoticed for long.

  2. What other choice do you have? Again, they are border officials and have a legal right to inspect your devices. Not complying probably isn't a very smart thing to do.

Edit in response to comments:

Do I believe governments are above doing something illegal? Not necessarily, in the general case, but if we're talking about a working democracy, then yes, I'd suggest government, law enforcement etc. is trying to stay within the limits of the law, even if there certainly are individuals who exceed their authority. I think that's a pretty healthy position to take. A bit of distrust in official statements etc. is well and good. Assuming the worst about someone's (or some institution's) motives without reason strikes me as rather paranoid. I'm really having trouble imagining a secret standing order for all border personnel to infect travelers' phones with spyware. If we're talking about the US border, I guess that doing this to the phones of non-US-citizens would even be legal for the CIA and the NSA, but it still sounds like a movie plot, and such a policy probably wouldn't survive discovery. And I haven't even launched into motive - what exactly would they hope to accomplish?

Also, immibis suggested to just leave your devices at home. Sure, you can do that if you don't need them. But I for one prefer to have my phone with me. It won't do me much good sitting at home.

Out of Band
  • I cannot see much purpose in the checks after the first two weeks, all bad actors are prepared and the rest of the people are merely future dissidents that are being tracked in preparation I suppose. If they have all sorts of legal loopholes then this is not really illegal and if it cannot be detected then it will go unnoticed by definition. I have made a small edit to the question to try and add my thoughts. – KalleMP Mar 13 '17 at 19:29
  • 4
    1) Are you suggesting the government wouldn't stoop to illegal activity? 2) Your other choice is to not bring the devices with you. – user253751 Mar 13 '17 at 23:15
  • 1
    @KalleMP - I cannot see any purpose in these checks at all. I also can't see any purpose in the rest of the security circus. I remember having to open and taste every one of my one-year-old's baby food containers at airport security, and I'm pretty sure that's not an effective way to find bombs and discover terrorists and the like. But for some reason societies are stupid enough to produce and/or tolerate such rules. That doesn't mean these rules are there for nefarious purposes; they might just be there because people want to cover their asses and don't know what else to do. – Out of Band Mar 14 '17 at 00:04
  • You have explained pretty well why there is little likelihood of nefarious activity, I am interested in what sort of thing they could do if there is no data for them to look at or if this was never their goal. The lack of benefit from inspecting a phone makes me wonder if they are planning to do other stuff and I am curious what other stuff they could do and how. – KalleMP Mar 14 '17 at 19:05
  • Fair enough, I guess. I can't really add anything relevant here because, as I said, my best guess is that they are NOT planning to do anything - it's just more security circus. And all I can offer is conjecture - I don't know how any of this could be fact-checked. – Out of Band Mar 14 '17 at 21:12