New guidance from the Federal CIO Council’s Federal Mobility Group provides best practices for mobile phone security for Federal employees when they travel outside of the continental United States and its territories.
The International Travel Guidance for Government Mobile Devices warns Federal employees that many foreign countries can “leverage their security apparatus” to conduct attacks on mobile devices.
“In many foreign countries the government has direct or proxy control of the commercial cellular infrastructure, which gives them a remote conduit to attack connected mobile devices,” the guidance says. “Cellular-borne attacks are particularly damaging, as most mobile devices – by design – trust the signaling/management communications from a cellular network.”
The guidance notes that successful attacks can allow adversaries to remotely gain access to the phone’s microphone, camera, and geolocation. The adversary can then track specific devices, access information stored or processed by the device, and use the phone as a vector to hack connected enterprise networks.
The council advises high-profile government personnel to leave their government-furnished mobile devices at home when traveling and to take a burner phone with them instead.
“High-profile U.S. government personnel are top targets and if a mobile device is required while they are traveling overseas, they should carry or employ a disposable or loaner commercial mobile device for travel in high-threat environments,” the guidance says.
The guidance also instructs Federal employees to avoid connecting to public Wi-Fi networks when abroad and to use a virtual private network (VPN) to connect to government networks.