The border danger
For certain types of people, crossing a border can be very problematic. The last few years have seen more and more attacks happening when crossing borders, and for people that care about the security of their information this is a huge risk. It doesn't really matter why you need to protect your information (there are many legitimate reasons) - the risk is the same. So in this post I wanted to explore the different kinds of risks that can be relevant for someone with these kinds of issues. In the next post I will talk about possible mitigations, although these are all incomplete at best.
I will first do an overview of the different kinds of assets you might want to protect, and then talk about the different types of common border crossings and what we know can happen at each one. Be warned that the news in general is not good. There are minor variations between different borders, but in general you can expect to get in trouble unless you completely comply with border crossing agents.
Assets
When thinking about borders it's useful to divide up the kinds of things you can lose. I call all of these things assets - and the way I do my analysis, there are three broad categories of threat. Notable is that I don't actually consider physical loss of devices as a problem in itself. That might be different for others, however when thinking about it from an informational security standpoint the loss of the physical device is purely incidental and only important insofar as it implies the loss of content or integrity.
Integrity
When it comes to physical devices, the largest risk you face at different kinds of border crossings is the lack of integrity of these devices. Simply put, you won't be able to trust them anymore. In general there are three different categories of devices that I think about from this perspective - computers, USB drives and phones/tablets. In general there is nothing you can do to protect your devices if they are taken from you. If someone takes away your computer there is a range of things that can happen to it - from physical backdoors put on the motherboard or replaced connectors, to reflashed firmware in any of the hundreds of places where you can have firmware. It is basically impossible to figure out if these things have happened to a computer, so in the most extreme case you can't really trust such a computer afterwards. It is also risky to plug USB drives into such a computer, since a BADBIOS attack is not at all impossible in these situations.
That leads us to USB drives. In general, a USB drive that is out of your control can be reflashed with a BADBIOS firmware. If your computer system is well protected, it is possible for you to protect against these kinds of attacks, but it's better to not take the risk.
The final part is mobile phones and tablets. The risks are very similar - additions of physical or firmware backdoors are very likely and impossible to detect after the fact in most cases.
The situation is pretty grim here - there is really no way to completely protect the integrity of computational devices if they are out of your control and in the hands of a sophisticated adversary.
Content
In terms of content, I'm talking about the actual data that you have on different devices. When crossing borders you can have data in a bunch of different places: on computers, USB drives, phones and tablets of course. I also have Yubikeys that contain password information. Some people also carry around USB sticks that specifically contain the boot partition for their computers. Finally, it might be the case that you have knowledge about different things in your head. Obviously that kind of content is harder to extract, but remember it's dangerous to lie at a border crossing.
Depending on how your information is stored it can be hard or easy to extract. Most information on phones and tablets is very easy for law enforcement agencies to extract, for example - thus storing encryption keys or sensitive data in your smartphone is generally not a good idea. Depending on what kind of Yubikey model you use, it can be hard or easy to extract the information. When it comes to boot partitions, they are in general not extremely sensitive - except if the border crossing agents can write back to them - since a boot partition is unencrypted it's very hard to protect the integrity of it.
Passwords
Passwords should maybe be under the heading of content, but it turns out that they are quite different in type. We also have a lot of them to different things, and there has been a worrying trend the last few years of border crossing agents requiring passwords to email, social networks and many other things when crossing the border. In the case of some countries it is actually illegal to not comply with a password request, and you can end up in prison for contempt. In the case of many countries it is unclear if it's a crime or not, but refusing to enter or give up passwords can definitely get you denied entry. It is important to note that, at least for now, biometric authentication doesn't have as much protection as regular passwords - something to think about before using Touch ID for your iPhone.
The kinds of passwords that will most often be in danger when crossing a border are the logins to your computer (both BIOS and account passwords), the PIN code for your phone and tablets, the pass phrases for your encrypted hard drives, pass phrases for PGP encryption keys and similar things. Being asked for passwords for mail accounts and social networking accounts is also possible. Obviously any of those compromises is problematic, and even if you can change those passwords quickly afterwards, it might be too late in some cases.
Types of border crossing
There are a few types of border interactions that have different styles. I'm calling all of them border crossings, even though not all of them are. What is true in general for most of these interactions all around the world is that it is not a good idea to lie. In some jurisdictions it's OK to not answer questions - but that can involve being denied entry or being denied entry to flight terminals. However, in some cases even failing to answer questions truthfully is a crime. You should investigate these kinds of issues before going somewhere.
Security check
This is likely the most common place you will encounter some of these problems. The security check is what you have to do in order to enter a flight terminal, thus it happens before your flight. Some jurisdictions (the US among others) have started asking for stricter controls of computers at security checks. In some cases you will have to turn on your computer, log in and move the mouse around to prove that it is actually a real computer. More and more areas are putting in these kinds of random checks, however it currently doesn't happen to everyone. Instead, it will happen to random samples of individuals, plus the kinds of individuals that are considered suspicious in one way or another. So far I haven't heard any indication of people being asked to turn on phones or tablets, although that might happen as well.
Currently this is an issue, but there are possible mitigations for it as well.
Border crossing
The actual border crossing usually happens when you go through immigration. In different countries this looks slightly different, but most of the time you talk to an immigration officer in a booth. Most of the time there won't be any problems at this point - the issue comes up if the immigration officer decides to refer you to secondary screening. In that case you will be taken to a secluded room with several officers who will likely separate you from your devices and potentially ask for your passwords. This is also where interrogation of other kinds will happen, and if you have any sensitive knowledge it could be at risk. If you are separated from your devices it is likely that they will be completely copied, and there is a possibility they will also be completely seized - this is more likely if you do not provide the passwords.
Secondary screening usually is done for a reason, but there is some randomness in choice, so you might just get unlucky.
Targeted pickup
A targeted pickup is like the regular secondary screening, except it happens quite soon after you get off your plane - the officers will know you are arriving and have decided to immediately take you to the secondary screening area. In this circumstance, the degree of seriousness is higher, since this only happens when you are on some kind of watchlist. That means the officers will be more serious about the interrogation and investigation of your devices, but in general the kind of threats you face are similar to the ones at the regular secondary screening.
Customs and border control
The fourth type of control that can happen is where you get stopped by customs for an inspection. This usually happens after you've already gone through immigration. It is generally either random sampling or you have triggered some suspicion with something in your luggage. It should be emphasized that if you have sensitive data you are traveling with, it is really stupid to also try to travel with things that might be illegal in some countries.
In most cases a customs control involves unpacking everything you have with you and showing it to the officers. In some cases you can be redirected to a similar secondary screening as the one for immigration, but this is not as common as when crossing the border. I have not heard of customs officers asking you to turn on computers etc when looking through luggage, although that might change as well.
Conclusion
You have many assets with you when crossing borders, and in general there are many ways that those assets can be taken from you. The only safe way of guarding those assets is to not have them with you - however this is not very practical for most people. In the next post I'll talk about some other possible mitigations - but the story is quite grim. Currently, traveling between countries is likely to be the most dangerous thing you can do for your information security needs.