Original Release Date: 7/8/2021
Many people travel for business or leisure purposes year-round to local destinations or around the globe. As people travel and access public networks, they are exposed to various cyber risks. The NJCCIC reminds users to be aware of the cyber risks associated with traveling and to employ best practices to stay safe while they are away. Users are encouraged to review the recommendations for the security of devices, accounts, networks, vehicles, and international travel.
Device Security
Devices are easy to lose or steal, so it is always important to start with physical security and be vigilant at all times about your surroundings and where and how you use your devices. Make sure to keep devices in sight or physically secured, and protect their contents by implementing a screen lock that requires a passcode, fingerprint, or face ID for access. Keeping devices physically secure will help prevent unauthorized access, physical theft, and potential data breaches. In addition, ensure no one is attempting to steal information from you by spying on your device screen while in use. Consider using a privacy screen to restrict visibility. Also, power off devices when they are not in use.
Staying informed about publicly-disclosed vulnerabilities and updating devices – including all device operating systems, applications, software, and anti-virus/anti-malware programs – ensures they are patched against known vulnerabilities that could be exploited by threat actors to gain unauthorized access to devices and/or data. Other protective technologies include endpoint detection and response software, host-based firewalls, and device and file encryption. Important or sensitive data should be backed up regularly and kept offline by periodically moving or copying data onto a USB drive or other external storage device.
Travelers are advised not to insert unknown or “lost” USB devices into their devices as they may contain malware designed to corrupt files, steal information, and spread to other storage devices. In addition, refrain from using public USB power charging stations in airports, hotels, and other public locations because they are susceptible to juice jacking attacks. Although these stations may seem like a convenient way to charge devices, these kiosks can contain concealed computers that attempt to extract data such as contact information, photos, and videos from connected devices, unbeknownst to the user. The USB connections also provide both data and power, with the ability to hide malware and deliver malicious payloads. Even if the charging station is not malicious, the manufacturer or owner of the kiosk may require users to input their email addresses or phone numbers in order to charge their devices, potentially exposing them to unwanted marketing campaigns, phishing emails, and scam calls. Recommendations to ensure a safer connection include bringing AC and car chargers for devices when traveling, utilizing an AC power outlet or portable charger for emergencies, and using a USB “no-data transfer” cable to allow only power transfer capabilities.
Account Security
Threat actors target account credentials, which are the keys to the kingdom. It is critical to use strong, unique passwords or PINs for each account to help prevent password reuse attacks, in which threat actors obtain the password for one account and use it to compromise an additional account using the same credentials. In addition, ensure multi-factor authentication (MFA) is enabled on every account that offers it, particularly for those that have access to banking and payment card information. The website twofactorauth.org retains a list of websites, whether they support multi-factor authentication, and which methods are offered. Enabling MFA will greatly reduce the risk of account compromise via credential theft in which a password has been exposed. Even if a cybercriminal obtains a user’s username and password, they will be unable to access that user’s account without their second factor. Users are encouraged to choose authentication apps, hardware tokens, or biometrics as a second factor over SMS-based authentication due to the risk of SIM-swapping, though using any form of MFA is beneficial.
Login credentials and other sensitive information should not be shared with anyone or saved on your computer, in case of unauthorized access. Furthermore, it is common to update professional or personal social media accounts with pictures, information, and locations, which can be an issue if threat actors have access to the same social media pages. They can track your location and use that information to break into hotel rooms or even your home to steal valuables while you are away. Implementing security and privacy controls for Facebook, Instagram, and Twitter, and configuring similar settings on all other accounts will help to prevent account compromise and the unintended sharing of sensitive information, including personally identifiable information (PII), photos, and videos. In addition, out-of-office email replies and outgoing voicemail messages could reveal enough information for threat actors to conduct malicious activity against you or your organization, such as impersonating the person who is out of the office. Instead, adjust your settings for separate out-of-office replies where available, include details for internal contacts within your organization, and turn off replies or keep messages generic for anyone else outside your organization. The smaller your digital footprint, the less publicly-accessible information is available for threat actors to use in targeting you. Therefore, it is important to exercise caution when sharing information on any platform.
Network Security
Wireless network and Bluetooth connections can automatically connect to available networks and devices, which can create issues if they are malicious. Turning off your devices' auto and remote connect features while traveling will allow you to only connect to networks and devices when you want to connect.
Threat actors use public networks to gather sensitive information. Connecting to public hotspots or wireless networks that are available in hotels, planes, cafes, and transportation can be risky, so it is important to confirm with the staff the exact networks and procedures for connecting. If possible, always use your own data network connection, such as a mobile hotspot. If you are connected to a public network, ensure only "https" sites are used and refrain from online shopping or accessing any sensitive data to avoid a data breach. If you travel often or frequently find yourself with only public Wi-Fi as an option, use encrypted connections such as a Virtual Private Network (VPN) to secure all data communications, as feasible and permissible by local laws. Additionally, users are advised to refrain from using business computers for personal purposes as cyber threats could endanger company and/or customer information.
More and more public places, such as libraries, internet cafes, hotels, and restaurants, are allowing internet access through public computers. These public devices cannot be trusted because they may not be up to date with the latest software and security patches required to secure the device. They may contain malware and keyloggers, which threat actors can use to steal account credentials, financial information, and other sensitive information. Threat actors can also intercept network traffic traveling over unencrypted wireless connections.
Vehicle Security
Technology has encompassed many areas of our lives, including Internet-connected vehicles. Modern vehicles not only offer many benefits and conveniences when traveling, but they also have potential security risks. As integrated computers and Internet-connected add-ons become more susceptible to vulnerabilities, it is critical to ensure entertainment systems, telematics, and critical functions are separated by firewalls and communications between these components are encrypted. Therefore, manufacturers and operators should be aware of the potential threats to Internet-connected vehicles.
Computer systems contain personal data including text messages, contacts, call histories, and emails. In addition to sensitive personal information, systems contain GPS coordinates, including a list of locations marked as “favorites” by the driver, user voice profiles, and vehicle status information. Vulnerabilities may exist and can be exploited to expose this information, for example, after a user synchronizes a mobile device with the vehicle’s infotainment system via Bluetooth. Once connected, data transferred from the mobile device to the vehicle is stored unencrypted and in plain text and can reside there indefinitely. To fix any issues and patch vulnerabilities, computer systems in vehicles require software updates or may be recalled. Updates can be delivered over the air or by connecting a device to the vehicle. It is recommended that owners of Internet-connected vehicles update their vehicle’s software system, and operators of Internet-connected vehicles are advised to consider the risk of connecting personal mobile devices to rented or borrowed vehicles when traveling as that data could later be accessed by unauthorized parties.
Threat actors can utilize other entry points, such as Application Programming Interfaces (APIs) that are used to access third-party applications and software. Drivers should ensure these interfaces have proper security features, including multi-factor authentication and VPNs. Vehicles also connect to services such as Bluetooth, mobile systems, and music players. Turning off these services when they are not in use ensures threat actors cannot easily intercept signals to these services and potentially access information and/or deliver malware.
International Travel
While all travelers are subject to cybersecurity risks when traveling internationally, business travelers and government officials are considered high value targets due to their roles and the sensitivity of the information they may store or transmit. Travelers and their organizations are advised to assess cyber risks based on the threats and vulnerabilities posed by the trip, the host jurisdiction, the traveler, and the traveler’s equipment and devices.
As feasible, it is recommended for travelers to use electronic devices that their organization has procured and configured specifically for international travel. If you must take your electronic devices, it is important to make backup copies of all sensitive data and travel with only the absolute minimum necessary for your trip. Other recommendations include disabling your devices’ WiFi, Bluetooth, Near-Field Communications (NFC), and Location Services; disabling automatic logins, automatic network connections, auto-download features, and your devices’ USB ports; and ensuring your devices' firewalls and all technical security controls are enabled. It is also important to familiarize yourself with your destination’s laws as the use of encryption and some online behaviors are illegal in certain countries. Consult the US State Department website for information about particular destinations.
Travelers are advised to report any suspicious activity or unexplained technical issues experienced while traveling to their organization’s information technology or security staff. Upon return, refrain from connecting electronic devices to your personal or organization’s network until information technology staff have scanned and/or reimaged them. Lastly, change all passwords used while traveling.