Executive Summary
Mobile devices have evolved to become the critical link between a remote user and their home office, providing travelers access to business applications and data they would otherwise lack.
Ensuring that this line of communication is private and secure is imperative. The security guidance herein applies to U.S. Government personnel, detailees, or contractors using Government-furnished commercial mobile devices (Government Furnished Equipment [GFE]) in a public network as they travel to, from, and within foreign countries. The purpose of this report is to minimize an adversary’s ability to obtain sensitive data through GFE mobile devices and limit damage should a device be compromised.
This report addresses a range of threats that might be encountered in foreign countries, along with best-practice mitigations. Mobile devices have inherent vulnerabilities associated with their software and hardware. Foreign countries often leverage their security apparatus—especially airport security, customs, and connections to the tourism industry—to conduct physical attacks on mobile devices.
Also, in many foreign countries the government has direct or proxy control of the commercial cellular infrastructure, which gives it a remote conduit to attack connected mobile devices. Cellular-borne attacks are particularly damaging, as most mobile devices—by design—trust the signaling/management communications from a cellular network.