Spring is here in the northern hemisphere. A lot of people go on vacation and travel in the Spring and Summer, and after a solid 2 years into a global pandemic many people are ready for it. For the hacker community, there is also the summer conferences in Las Vegas, which at the time of this writing are scheduled for in-person attendance. So I thought I’d pull together a few travel tips for the security-minded. I’m not going to cover things I’ve talked about in other blog posts, but I will link to them where appropriate.

I’ve written travel OPSEC guides for previous employers, some with fairly demanding security requirements, and I’ve included a few pointers based upon those guides. You might not be traveling to a hostile environment, but a few tips could be adapted to your situation.

Will this apply to everyone? Of course not! The vast majority of people out there will not have problems. For some though, just the fact that some extra planning has been put in place will help ease some pre-travel fears.

Some Basics

Here are a few items to review that I’ve covered previously:

• I’ve covered things like Las Vegas’ hacker summer camp in a previous blog post (particularly note not leaving anything of value or importance in your hotel room), but I’d like to add this link as a resource from Circuit Swan. She stays way more up to date on current things (especially Vegas) than I do. Now for the non-security folks reading these links about Vegas, there are still some good gems in there (some of the tech stuff for example) that you can apply to your own travels to non-security events.

• I’ve covered the concept of trying not to stand out and blend in when you’re in urban environments. This works great at conferences - I’ve “hid” from people I don’t want to interact with while still making my way around to where I want to go.

• Wear a mask. There are several reasons for this besides protecting yourself from COVID-19. It plays into that “blending in” thing, as you will be less identifiable. This includes being less identifiable to facial recognition systems tied to video surveillance. It can prevent other health-related issues like dreaded “con crud” or “con flu”. More than once I’ve caught a bad cold at a conference, and one year in Vegas I spent half of DEF CON in my hotel room with a fever.

Burner Phone

If you’ve read my blog post on a hacker burner phone, seen my conference talk on how bad phone OPSEC is, here are a few tips if you’re going to be bringing a burner phone.

• Charge your burner phone to 100% before leaving. Deactivate any biometrics, ensure the phone is encrypted with a passcode. If it has a removable battery, remove it before heading to the airport, as this will lessen the potential OPSEC problems of the burner being out at your point of departure as you go through airport security. Try to keep it in its small faraday bag and powered off at least. If it is powered on, it might be searching for connections (WiFi, cellular, depending on the phone’s configuration) and this will drain the battery. Do this before every border check and airport security checkpoint. Not perfect as any phone’s security can be bypassed using rubber hose cryptanalysis, but this will help.

• Have a good faraday bag for your burner, as well as for your regular phone if you bring one. Work out your routine for which phone is used where. For example if you personally do not want to be associated with a particular conference, only get the burner out of its faraday bag at the conference, and place your regular phone in its faraday bag before leaving for the conference. Never have the phones out at the same place at the same time, even for a second. This will make charging a challenge, but not impossible, especially if you throw a fully-charged portable charger in the faraday bag with the phone.

• If you have friends or colleagues that are going to contact you at potentially any time, I’d recommend email. On your regular phone access email the same way you always do, but for the burner use something like ProtonMail, and only access your ProtonMail account via a personal VPN. You can still check your ProtonMail from your regular phone via a personal VPN as well, but I strongly recommend not checking your regular mail from your burner.

Hotel Tips

Here are a few specific hotel “features” to take advantage of. Cheap hotels may not have some of these options (or any of them), and they are typically found in western countries. Any hotel on the Vegas strip should have these “features”.

• If you are worried about someone tracking you down via your name at a hotel (maybe to try and break into your room specifically), make sure when you check in, you ask for a change of rooms. Something simple as being asked to be further or nearer the elevator or away from the ice machine, or on a different floor. This way if the adversary social engineered your room number before you arrived, they no longer have the right room.

• Ask to be listed as a Non-Registered Guest (NRG). If an adversary from outside the hotel calls the hotel operator and asks to be connected to your room, your name will either indicate your NRG status or you simply will not show up on a search by the hotel operator. Therefore they will not get the information from the operator, and it will appear you’re not even registered there! Of course if your adversary has compromised the hotel’s database, then it might not matter. Don’t forget to explain your situation, that you’ve had problems in the past and would like to avoid them, otherwise they might think you’re up to something illegal and decide to give your room random surprise visits.

• Ask for your phone to only receive calls from hotel staff and hotel services - no outside calls and no calls from other rooms. If someone does figure out your room number, if they call the room it will most likely state via an automated response that the room is unoccupied.

Odds and Ends

Here are a few random items.

• While out and about, if you are worried about needing some quick privacy, use one of those small “family” restrooms. This gives you an opportunity to access valuable assets like moving cash around on your body or readying your burner phone. This is probably most easily done at the airport. And if anyone (like airport security) asks you why you’re going into a family bathroom when you’re alone, say you have a medical condition. You will not be bothered at that point, trust me.

• Have some travel credit cards (like you purchased cards to get your burner phone). Use those while out and about. Once used out of town, don’t use them again at home as a part of your regular day-to-day. Use it up while traveling, and supplement with cash. Note that you can use your ProtonMail account to sign up for Lyft or Uber, and call for a ride “anonymously” via your burner! If the card supports cash withdrawals, wear your mask and withdraw cash from an ATM anonymously, even if surveilled via the ATM’s video.

• Research your destination before you go. Get a layout of the city around your hotel, map out your destinations, and note the "bad" parts of town. If possible, add pins on a map on your phone to everyplace you wish to visit. GPS should work fine, even with no cellular or Wi-Fi service, and those pins will help with navigation.

• Have hardcopy backups of hotel and flight reservations, emergency contacts, medications you normally take, and so on. If a bag is lost or left at the hotel, or the phone dies and you’re without your battery charger, this could come in handy.

In Closing

No plan is ever perfect, but having some type of plan is a decent starting place. Unfortunately for me, a good number of these tips are the direct result of issues I've encountered while traveling, so hopefully this helps you avoid potential issues.