In recent years, burner phones have become an obligatory part of the international business traveler’s toolkit. But though these devices are designed to minimize the amount of stored data available for capture by malicious actors in a foreign country, burner phones actually give attackers an opening to another, potentially more valuable, form of data: conversations that occur during key meetings in the vicinity of the device.
In this article, I’ll explore the threat of mobile eavesdropping targeting the burner phones of executives and other corporate employees traveling to high-risk countries and look at some mitigations for this emerging risk.
The evolution of technical eavesdropping
Though videoconferencing has made it possible for corporate executives to instantly traverse the globe, face-to-face meetings are still preferable for critical tasks like partnership discussions, sales and business development, corporate or legal negotiations, strategic planning, research-oriented conversations with colleagues, political meetings and more.
In fact, these types of discussions are usually the main reason executives travel overseas in the first place. After all, the vast majority of people would spare themselves the time, money and hassle of international travel if they could get the same results with a video chat or even a phone call or email.
Within these sensitive, face-to-face meetings and conversations on foreign soil, an enterprise’s most important information is often revealed, including information that hasn’t yet been committed to writing. And corporate spies know this. In China, the epicenter of state-sponsored spying on foreign-owned businesses, spies have been known to bug conference rooms, hotel rooms, restaurants and even taxis. It’s been alleged that Chinese spies have gone so far as to secretly plant listening devices inside the electronic key cards used to open travelers’ hotel rooms.
Given that foreign spies have both the propensity to eavesdrop on conversations and the capability to do so via mobile spyware that remotely activates smartphone cameras and microphones, it’s easy to understand why phone-based eavesdropping happens: hacking the phone eliminates the need to use other techniques, since executives voluntarily carry the spying device everywhere they go.
Since burner phones are intended to provide a minimal data footprint in the likely event of compromise, they generally do nothing to mitigate the capture of data in the vicinity of the device, including the sensitive conversations that occur in the closed-door meetings that brought the executive to the country in the first place.
The burner phone eavesdropping toolkit
Foreign security services have various means of screening incoming visitors and flagging CEOs and other corporate targets. Once targets are in country, intelligence agencies or sophisticated corporate competitors can use a number of methods to install spyware on burner phones for the purposes of eavesdropping, including these:
- Malicious carrier updates: In many countries, the entire telecommunications infrastructure is state-owned. The first time a targeted burner phone attempts to connect to a cellular network, spies can install spyware on that phone via a malicious carrier-level update.
- Radio frequency (RF) hacking: Airports, by design, have many chokepoints. In such close proximity to a user and their phone, it’s possible to exploit Bluetooth and other RF vulnerabilities to install spyware.
- Physical installation by customs agents: If a traveler is chosen for secondary screening, their phone is often confiscated and examined. Physical access to a device opens up yet another avenue for device compromise and malware installation.
- Fake cell towers: It’s also possible for spies to set up an IMSI catcher to simulate a cellphone base station. Once the burner phone connects to this fake cell tower, spies can perform spyware installations from the spoofed tower.
- Infections via hotel WiFi: As we saw with the DarkHotel spyware campaign, targeted business travelers can be infected through a hotel’s WiFi network, typically via bogus software updates.
- Evil maid attacks: Hotel staff and government officials in China can access hotel rooms, including safes, to either install spyware directly onto the burner phone or use other techniques to compromise the phone.
Keeping private conversations private
Unfortunately, even savvy travelers who do the right things – disabling Bluetooth, not connecting to unknown networks, never leaving their phone out of sight – are still at risk of conversations being eavesdropped on through their burner phones. But instead of choosing a “dumb” phone or asking users to not bring their phones into critical meetings, security teams have the following options at their disposal for mitigating the risk of high-level conversations being captured.
- Invest in an anti-surveillance case for the burner phone that masks the surrounding audio in the vicinity of the phone, preventing spies listening on the other end from gaining any meaningful information.
- Purchase a burner phone that features a hardware kill switch for shutting off the microphones when not needed.
- If telephone calls aren’t necessary, physically disconnect the microphones within the burner phone.
The theft of files and emails at the hands of foreign spies gets all the attention, but face-to-face conversations in the presence of a compromised smartphone can reveal information that’s just as valuable. It’s important for security teams to recognize this emerging threat and take the proper precautions.