Stick It To The Man

October 9th, 2020 by Kevin Mitnick
Category: «General», «Mobile», «Tips & Tricks»

The year was 2008, and I had been staying at a hotel in Bogota. This trip was just one of many to Colombia that year. Before my trip, I’d had my former girlfriend, Darci, stop by and help me swap out the hard drive in my MacBook Pro laptop. Remember, this is 2008, and at the time, replacing a drive in a MacBook Pro wasn’t nearly as easy as replacing hard drives these days. Darci swapped out my original hard drive with a brand-new drive, which I then formatted and installed macOS on. I had her swap the drive out for security reasons. I didn’t want to cross the border into a foreign country with all of my client data. Especially not after what happened to me in Atlanta! But we’ll get to that later.

It’s worth mentioning that the hotel I had chosen wasn’t some seedy motel in the questionable part of town. No, it was a very reputable hotel in which even the Bogota military officials regularly stayed. Looking back, perhaps that is where I went wrong.

My then-girlfriend and I had gone out for dinner, and my MacBook Pro was stored safely (or so I thought) in the hotel room. Upon returning to the hotel room, I found that my keycard wasn’t working to unlock the door. I’d swipe the card, and a yellow light would appear. Not red, not green, but yellow. Strange.

I didn’t think much of it at the time; I just thought it was a faulty card. We made our way down to the lobby and requested a new card. I swiped the new card, and to my dismay, it still didn’t work. Back at the lobby desk, I explained my frustrations. They apologized and gave me another card—the same issue. At this point, I’m not thinking anything suspicious is happening; I’m just annoyed. They had provided me three new cards, all of which didn’t work, before they finally agreed to send someone up.

The hotel employee came up to the room, swiped their card, a green light appeared, and we were finally able to enter the room.

Again, I wasn’t thinking that anything nefarious had been going on. I simply attributed the situation to a faulty door lock.

When I returned home, I had Darci come back over to swap out the MacBook Pro drive again. She questioned me as to why I had opened up the MacBook Pro myself. Puzzled, I told her that I hadn’t. She was adamant that the device had been opened. She had intentionally barely tightened the screws holding in the hard drive, but now they were screwed in very tight.

And that is when it hit me; someone had been in my hotel room in Bogota and probably imaged my hard drive.

This incident was a wake-up call for me, but it wasn’t the first time my privacy was intruded upon while traveling.

The year before, on another trip to Colombia, I was detained at the Atlanta airport on my way back home. The airport officials couldn’t tell me why I was being detained, but they made sure to go through all of my items. I had several laptops and plenty of other computer-related equipment that I had used for speaking engagements. At the same time, I received a call from my then-girlfriend. She said to me that Colombian police called her and asked for permission to search a package I was mailing back to the U.S. The package contained an encrypted hard drive I was shipping back to the States. Police in Bogota claimed they were looking for cocaine inside the small laptop hard drive. Of course, they ultimately found no evidence of cocaine. Obviously, it was a ruse to take my hard drive, which was encrypted with PGP’s Whole Disk Encryption back in the day. Back in Atlanta, Customs and ICE cleared me of any wrongdoing and sent me on my way.

These two incidents made me realize that I need to be extremely careful with my data when I’m traveling abroad. Although I’m not doing anything illegal, I have plenty of confidential information from penetration tests I’ve performed for my clients. This data would be detrimental if it fell into the wrong hands, such as foreign governments, and it could also lead to lawsuits against me for breach of non-disclosure agreements.

As such, here are the steps I take when traveling internationally.

First, I create an encrypted backup of my hard drive. Next, I put the backup in an encrypted container using a tool such as VeraCrypt. I’ll then ship an external hard drive with my data to the hotel where I’ll be staying. My reason for doing this is that if I’m required to hand over my laptop at the border or am entering a country where they can force travelers to provide their password, I don’t have to worry about any confidential data being seen or ending up in the wrong hands. Before I leave, I’ll wipe all confidential data and hacking tools from my computer. Once I arrive at the hotel, I’ll restore my data from the encrypted drive I had shipped to the hotel prior. Since I’m past the border, there is no legitimate authorization to search my computing devices.

For mobile devices, such as my iPhone, the process is similar.

First, I make a full encrypted backup of my phone and store that backup in an encrypted container. Since a phone typically has much less data than a computer hard drive, I can upload the encrypted image of the phone to AWS or Azure. Once at my destination, I can download and restore the full backup to my phone. It’s important to keep in mind that some items, such as saved Signal messages, will be lost. A small price to pay to protect one’s privacy.
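
An added example, not part of the original post or the author's own tooling: both the shipped drive and the cloud-hosted phone image spend time out of the traveler's custody, so one check a practitioner might add is to record SHA-256 hashes of the encrypted files before departure and verify them before restoring. The manifest is sealed with an HMAC key that travels separately from the drive; the function names and file names are assumptions made for illustration.

```python
import hashlib, hmac, json, os

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte containers fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def seal(manifest, key):
    """Before departure: serialize deterministically, tag with HMAC-SHA256."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag

def verify(root, body, tag, key):
    """At the destination: return (ok, report) before restoring anything.

    Fails closed if the manifest itself was altered, so a copy of the
    manifest stored on the shipped drive cannot be silently rewritten.
    """
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, {"manifest": "HMAC mismatch"}
    sent = json.loads(body)
    now = build_manifest(root)
    report = {
        "modified": sorted(p for p in sent if p in now and sent[p] != now[p]),
        "missing": sorted(p for p in sent if p not in now),
        "added": sorted(p for p in now if p not in sent),
    }
    return not any(report.values()), report
```

A mismatch does not say who touched the media or why, only that what arrived is not what was sent, which is the signal to discard it rather than restore from it.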

Unfortunately, this doesn’t stop someone from going into your room and imaging your drive like my Bogota experience. My advice to avoid that type of situation is always to keep your devices with you at all times. Don’t leave your laptop or mobile devices unattended. Take them with you, even if you are just going to dinner. In certain countries, you may want to actually take your devices into the bathroom as you take a shower!

These processes may seem like overkill, and they are undoubtedly time-consuming, but they are the necessary steps to protect legitimate confidential business information when crossing international borders.

About the author: Kevin Mitnick is an American computer security consultant (running Mitnick Security), author, and convicted hacker. In 1995, he was arrested and spent five years in prison for various computer crimes. Mitnick’s arrest and the series of consequent events were all highly controversial. Kevin is a personal friend of Vladimir Katalov. Kevin and Vladimir regularly meet in Moscow and exchange opinions on things they find important or entertaining. In the photo: one of the first meetings with Kevin, trying to break his iPhone.