“Last Friday, on my way home from 31c3, a funny thing happened on my way through Charles de Gaulle airport in Paris: I was required by a security agent to not only power up, but also type in my password to unlock my laptop in order to board my flight.”
Katie Moussouris, chief policy officer at HackerOne and former lead of Microsoft’s security community outreach and strategy team and its Blue Hat prize, published an interesting blog about her experience travelling through Europe. After tweeting about the incident, she said that she landed to “find that a lot of people interested in privacy and security had questions about the details of my adventure”.
Calling the incident “unsettling” and “a chilling reminder” to those who travel across borders and work under the title “hacker”, Moussouris said that she was asked to submit her bag for a search at Paris Charles de Gaulle (CDG) airport after she had cleared security, before boarding the flight.
“The security agent at the gate had me pull out my laptop, turn it on and further asked me to type in my password, which decrypted the full disk encryption of the drive, even after she saw that it did boot up,” she said.
“It was clear there was a language barrier issue, but I was trying to show her that the login screen was there, the laptop did power up. I have had to power on my laptop and phone once before, in Brussels on my way back to the US, but I had never been required to unlock any devices, nor had I heard about friends having to do so – this was very unusual in my experience.”
She asked why she needed to enter her password, and was told it was “regulation” so she complied in order not to miss her flight, or suffer other consequences. “They did not make me turn on or unlock my phone, and waved me through after she saw my desktop pop up with a browser window open to my Twitter feed on top,” Moussouris said. “She didn’t touch my laptop after I unlocked it, and none of my devices left my sight during the search.”
There was some deliberation as to why Katie was treated in such a fashion. She is a well-known security researcher, penetration tester and conference speaker, and has been dubbed the “queen of the bug bounty program”. She said in her blog that HackerOne employees don’t ever have access to its customers’ vulnerability reports, therefore there are no exploits stored on their devices, so no customer data was at risk.
“The speculation on Twitter that I was targeted due to my work at a company that hosts vulnerability coordination and bug bounty programs was amusing,” she said.
“While my occupation could have triggered me being on a list that caused the secondary search, I got an ‘Inspector Clouseau’ vibe from her more than anything else. This is funny now that I’m home, but a different story had she attempted any further access to my data.
“It was an unsettling experience due to the violation of my privacy, but I wasn’t concerned about the new exploit export controls or about sensitive customer data leakage, even if the security agent had confiscated my laptop and phone, which she didn’t.”
I got the opportunity to catch up with Katie and get her thoughts on what happened. Firstly, I asked her the key question: was she wearing a T-shirt with “hack all the things” (or something similar) on it? Unsurprisingly, she was not; instead, she said she was dressed in a black sweatshirt and had her trademark blue streak in her hair, but she said “that has never caused me problems while travelling before”.
She admitted that she had been randomly selected for extra screening previously, but had never been asked to unlock a device before, which was what struck her as being unusual. “Since telling my story, colleagues have said it has happened to them as well, but they had never mentioned it before I noted it,” she said.
I wanted to know what she felt made her a target – her profile, a tip off or random selection? She said: “It’s anyone’s guess, but Occam’s Razor really points to random selection more than any other explanation. For years at my previous employer, I was part of the security response team that had many sensitive credentials and vulnerability information on my devices, and never felt targeted for special screening at airports because of it.
“Ironically, now that I work for a company where we don’t have access to sensitive vulnerability reports, the notion that I was somehow singled out for screening now seems farfetched to me.”
She admitted that she was not so willing to decrypt, but had limited time and did not want to risk missing her flight. “Plus, I was very curious as to what they might do next. That being said, I would have definitely made it known that any attempt to access my data itself was against my will, and that’s how I’d react in any situation where I was asked to unlock a device,” she said.
“Any potentially hostile network, anywhere in the world, whether at a hacker conference, in a hotel, an airport, or a coffee shop, should be treated as a potentially risky situation in terms of data security. The precautions that HackerOne takes with its operational security – including the fact that HackerOne employees never have access to our customers’ vulnerability reports – made decrypting my hard drive more of a personal privacy violation than anything else.
“The account that unlocked the device was a local account for that device only, with no privileges for my corporate information, and no associated cloud storage. Travelling with temporary devices may work if you are particularly concerned, but if that is not possible for whatever reason, then practicing good operational security is a baseline that everyone should be in the habit of doing.”
Finally, I asked her what advice she would give to those caught in a similar situation. She advised that if you are worried about sensitive data being accessed on a device in your possession in a similar situation, the best advice is to not bring that data at all, but instead bring completely clean devices, which you ideally only use for trips and never reconnect to your home network.
She said: “By reconnecting to your own network, you run the risk of bringing back some undetected malware from your travels. The extra paranoid will also wipe the travel devices between each trip, down to flashing the BIOS and reinstalling everything offline from write-only media, including updates that you have downloaded so you don’t have to connect an unpatched device to any network.
“This is more systems administration work than most are willing to do. If you have the cash and want to take a new Chromebook each time, that’s another way to wear your tinfoil hat.”
Katie Moussouris, chief policy officer at HackerOne, was talking to Dan Raywood.