June 11, 2021 By Mike Elgan 4 min read

As we emerge from the pandemic, organizations will confront a new world of business travel and a new world of cybersecurity tips for travelers. What has changed? What hasn’t changed? 

The particular cybersecurity risks and threats that might face business travelers are, of course, always evolving. But during 2020 and 2021, most of our business travel was replaced by video calls and other alternatives. We stopped traveling. And yet, the landscape kept changing. Here’s what you need to know about what’s new in cybersecurity for travelers. 

Airport Smartphone Searches

The biggest change for U.S. business travelers is the legal status of smartphones. The U.S. Constitution’s Fourth Amendment says citizens have the right to be “secure in their persons, houses, papers and effects, against unreasonable searches and seizures”.

It’s still uncertain whether smartphones are covered under the “papers and effects” part of that clause. Specifically, can U.S. Customs and Border Protection agents search American citizens’ smartphones? 

The answer used to be no. Then the answer became ‘well, sort of’. But late last year, a U.S. appeals court ruled that Customs and Border Protection agents are allowed by law to search phones and laptops, including so-called “advanced searches”. They can legally do so without a warrant or even the burden of reasonable suspicion. Phone data is now fair game at the airport. 

The case stems from a lawsuit by a group of citizens including a NASA employee. Customs agents pressured scientist Sidd Bikkannavar to unlock a secure, government-issued phone.

It’s possible that this ruling may be overturned in future court cases. But, as we stand now, smartphone data is subject to search at border crossings and airports. All the previous airport cybersecurity threats still exist. Plus, now customs agents can search phones.

The law didn’t protect a NASA scientist. So it doesn’t protect your company’s business secrets or your personal privacy. 

The Travel Cybersecurity Angle on Vaccine Passports

The newest change that didn’t exist before the lockdowns, but does now, is the so-called vaccine passport or health certificate required for travel. These exist to show that travelers have gotten the COVID-19 vaccine, have recovered from the disease or have received a negative test result within the past two or three days.

The European Union, for example, is working on something called a Digital Green Certificate. The ‘certificate’ would be required for travel within the European Union, as well as to non-EU countries like Norway, Iceland and Switzerland. Foreign visitors to Europe will need to show acceptable proof that a traveler won’t infect others with COVID-19. And this concept will no doubt go global as countries open up to foreign travelers.

Other countries and regions have been working on similar programs, and there is a strong desire for these systems to work together. It’s likely that these schemes will be mostly electronic, displayable on smartphones as QR codes or barcodes.

Health passes that demonstrate the likelihood that the bearer is disease-free are likely to remain a permanent part of travel. They could also include certification of immunity to other diseases, including future pandemic viruses.

The Problem With QR Codes

The electronic versions of these passports will use QR codes, which are potentially problematic from a security point of view. They are trivially easy to copy — attackers can share or use a simple screenshot of a legitimate QR code. So, it will be imperative for these systems to be secure and user-authenticated. The digital versions of these health passes will also need to securely access medical records, as the immunity conveyed by vaccines is often temporary. 

For all these reasons, health passes represent a non-trivial security challenge for both the official bodies that issue them and for travelers and the businesses they work for. Border agents in some countries, for example, may use smartphone-based health apps as a pretext to take possession of unlocked smartphones. Then, they could bring the phones out of sight of the owners and possibly download their data.

Tomorrow’s Travel Involves New Documents

New documents require new cybersecurity tips, but some haven’t been in place long enough yet for good advice to come through. Another change in the world of business travel is the DTC, or digital travel credential. In late 2020, the United Nations International Civil Aviation Organization, the body that sets the global standards for passports, published a new standard. This DTC standard is a system for carrying the equivalent of a passport on one’s smartphone. (Notably, the standard uses blockchain as well as biometrics.) 

In the near future, it’s likely that business travelers (and tourists) will use smartphones, rather than passports. They may use the passport only as a backup document in case of questions or loss of the smartphone. 

In the short term, frequent travelers will use the DTC first — business travelers, mostly — as part of a seamless travel system. It will operate like today’s Global Entry, where the traveler fills out a questionnaire, goes to an interview and receives a background check. Then, in the future, they can sail past the lines and checkpoints that non-members have to suffer through.

New Doorway to Access Smartphone Data

A recent report found that the U.S. Customs and Border Protection agency purchased vehicle forensics kits for accessing data from cars. As car dashboards get smarter, more people are connecting their smartphones through Bluetooth or direct cable connection, and data flows between the car and the phone. Privacy advocates are concerned that this news represents a trend in which border agencies use these tools to circumvent legal restrictions on smartphone searches. 

Customs agents, spies and threat actors all have new tools that access smartphone data through cars. That means business travelers need new training, awareness and precautions in response. Keep this in mind when you rent cars or otherwise connect smartphones to smart car dashboard systems. 

Cybersecurity Tips to Match New Developments

We’re confronting a future in which business travelers’ smartphones will contain new categories of sensitive personal and business information. They can hold or provide access to contact lists, credit cards, business emails, chat histories, photos and more. They now could also contain access to passport information, health histories and other important data. 

Cyber attackers will understand that breaching a smartphone is the key to a universe of cyber crimes. It can open someone up to anything from social engineering attacks to blackmail to identity theft to embezzlement. State-sponsored spies will have new incentives to target the smartphones of business travelers. And customs agents will have new incentives to download or search the content of smartphones. New rules will allow them to do so globally more and more.

For this new world, we need new cybersecurity tips. On the outside, you should travel with a wiped second phone containing the minimum apps you need. Other travel cybersecurity practices will be evolving quickly over the next few years as we adjust to the new environment. 

So as we re-engage with the practice of business travel, it’s important to understand the new risks and threats and respond accordingly. From there, we can build new assumptions and cybersecurity tips into how our mobile security tools operate and how business travelers should behave while traveling.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today