As we emerge from the pandemic, organizations will confront a new world of business travel and a new world of cybersecurity tips for travelers. What has changed? What hasn’t changed? 

The particular cybersecurity risks and threats that might face business travelers are, of course, always evolving. But during 2020 and 2021, most of our business travel was replaced by video calls and other alternatives. We stopped traveling. And yet, the landscape kept changing. Here’s what you need to know about what’s new in cybersecurity for travelers. 

Airport Smartphone Searches

The biggest change for U.S. business travelers is the legal status of smartphones. The U.S. Constitution’s Fourth Amendment says citizens have the right to be “secure in their persons, houses, papers and effects, against unreasonable searches and seizures”.

It’s still uncertain whether smartphones are covered under the “papers and effects” part of that clause. Specifically, can U.S. Customs and Border Protection agents search American citizens’ smartphones? 

The answer used to be no. Then the answer became ‘well, sort of’. But late last year, a U.S. appeals court ruled that Customs and Border Protection agents are allowed by law to search phones and laptops, including so-called “advanced searches”. They can legally do so without a warrant or even the burden of reasonable suspicion. Phone data is now fair game at the airport. 

The case stems from a lawsuit by a group of citizens including a NASA employee. Customs agents pressured scientist Sidd Bikkannavar to unlock a secure, government-issued phone.

It’s possible that this ruling may be overturned in future court cases. But, as we stand now, smartphone data is subject to search at border crossings and airports. All the previous airport cybersecurity threats still exist. Plus, now customs agents can search phones.

The law didn’t protect a NASA scientist. So it doesn’t protect your company’s business secrets or your personal privacy. 

The Travel Cybersecurity Angle on Vaccine Passports

The newest change that didn’t exist before the lockdowns, but does now, is the so-called vaccine passport or health certificate required for travel. These exist to show that travelers have gotten the COVID-19 vaccine, have recovered from the disease or have received a negative test result within the past two or three days.

The European Union, for example, is working on something called a Digital Green Certificate. The ‘certificate’ would be required for travel within the European Union, as well as to non-EU countries like Norway, Iceland and Switzerland. Foreign visitors to Europe will need to show acceptable proof that a traveler won’t infect others with COVID-19. And this concept will no doubt go global as countries open up to foreign travelers.

Other countries and regions have been working on similar programs, and there is a strong desire for these systems to work together. It’s likely that these schemes will be mostly electronic, displayable on smartphones as QR codes or barcodes.

Health passes that demonstrate the likelihood that the bearer is disease-free are likely to remain a permanent part of travel. They could also include certification of immunity to other diseases, including future pandemic viruses.

The Problem With QR Codes

The electronic versions of these passports will use QR codes, which are potentially problematic from a security point of view. They are trivially easy to copy — attackers can share or use a simple screenshot of a legitimate QR code. So, it will be imperative for these systems to be secure and user-authenticated. The digital versions of these health passes will also need to securely access medical records, as the immunity conveyed by vaccines is often temporary. 

For all these reasons, health passes represent a non-trivial security challenge for both the official bodies that issue them and for travelers and the businesses they work for. Border agents in some countries, for example, may use smartphone-based health apps as a pretext to take possession of unlocked smartphones. Then, they could bring the phones out of sight of the owners and possibly download their data.

Tomorrow’s Travel Involves New Documents

New documents require new cybersecurity tips, but some haven’t been in place long enough yet for good advice to come through. Another change in the world of business travel is the DTC, or digital travel credential. In late 2020, the United Nations International Civil Aviation Organization, the body that sets the global standards for passports, published a new standard. This DTC standard is a system for carrying the equivalent of a passport on one’s smartphone. (Notably, the standard uses blockchain as well as biometrics.) 

In the near future, it’s likely that business travelers (and tourists) will use smartphones, rather than passports. They may use the passport only as a backup document in case of questions or loss of the smartphone. 

In the short term, frequent travelers will use the DTC first — business travelers, mostly — as part of a seamless travel system. It will operate like today’s Global Entry, where the traveler fills out a questionnaire, goes to an interview and receives a background check. Then, in the future, they can sail past the lines and checkpoints that non-members have to suffer through.

New Doorway to Access Smartphone Data

A recent report found that the U.S. Customs and Border Protection agency purchased vehicle forensics kits for accessing data from cars. As car dashboards get smarter, more people are connecting their smartphones through Bluetooth or direct cable connection, and data flows between the car and the phone. Privacy advocates are concerned that this news represents a trend in which border agencies use these tools to circumvent legal restrictions on smartphone searches. 

Customs agents, spies and threat actors all have new tools that access smartphone data through cars. That means business travelers need new training, awareness and precautions in response. Keep this in mind when you rent cars or otherwise connect smartphones to smart car dashboard systems. 

Cybersecurity Tips to Match New Developments

We’re confronting a future in which business travelers’ smartphones will contain new categories of sensitive personal and business information. They can hold or provide access to contact lists, credit cards, business emails, chat histories, photos and more. They now could also contain access to passport information, health histories and other important data. 

Cyber attackers will understand that breaching a smartphone is the key to a universe of cyber crimes. It can open someone up to anything from social engineering attacks to blackmail to identity theft to embezzlement. State-sponsored spies will have new incentives to target the smartphones of business travelers. And customs agents will have new incentives to download or search the content of smartphones. New rules will allow them to do so globally more and more.

For this new world, we need new cybersecurity tips. On the outside, you should travel with a wiped second phone containing the minimum apps you need. Other travel cybersecurity practices will be evolving quickly over the next few years as we adjust to the new environment. 

So as we re-engage with the practice of business travel, it’s important to understand the new risks and threats and respond accordingly. From there, we can build new assumptions and cybersecurity tips into how our mobile security tools operate and how business travelers should behave while traveling.

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…