Digital security 101 for protesters

In part 1 of this series we tackled securing your phone from unlawful search. Having read that piece, your phone should have a lock screen and be encrypted. If you use a fingerprint reader for convenience, you should also be prepared to power the whole phone down promptly if arrest looks imminent, since a phone that has just been powered on demands the passcode rather than a fingerprint.

In this part we'll talk about threats to your phone and other devices over networks. Primarily these take the form of "man-in-the-middle attacks": a bad actor puts a machine somewhere on the path between your device and the server it wants to talk to. Without proper security protocols, that position lets them steal your passwords, personally identify you, or surreptitiously alter the content of your communications.

The good news is that we have excellent tools at our disposal to prevent these kinds of attacks.

Primary threat: honeypot WiFi hotspots

The primary threat to your security will be honeypot WiFi. Honeypots (also called rogue access points or "evil twins") are WiFi hotspots with innocuous or familiar-looking names, set up so that whoever runs them can watch, redirect, or tamper with the traffic of every device that connects. Your best defense is simply not using WiFi if at all possible. Suck it up and pay the data charges to use the cellular network; it is a much harder target than a hotspot a stranger controls.

Even well-meaning non-honeypot hotspots are a dangerous proposition at the best of times. On a WiFi network without a password, anyone nearby can read your traffic out of the air, and even a password-protected hotspot run by a stranger lets its operator see everything you send, so you should generally avoid both if possible. Google's Nexus and Pixel phones (and Project Fi subscribers) have a feature called "Wi-Fi Assistant" that will automatically connect you to open networks, but first establishes an encrypted tunnel to Google through which all of your traffic is routed. This is one of the best things Google has done for Android security in recent memory. It's denoted by a key icon in your status bar, and is quite secure. You can trust a Wi-Fi Assistant connection about as much as you trust Google. That might not be very much, but it's certainly more than you should trust a random network. If you're using an Android phone and don't trust Google, you probably need to rethink your security model.

Generally though, if you have cellular data to spare just use that. If you're at a protest just turn off WiFi, because very little good can come of having it on.

Scary and rare threat: "Dirtbox" cell site simulators

Unless you're at a very large, high-profile protest you probably don't need to worry too much about these. Some federal agencies have gadgets called "DRT cell site simulators" (DRT being Digital Receiver Technology, the Boeing subsidiary that makes them), nicknamed "dirtboxes." They pretend to be a cell tower, your phone connects to them instead of the real network, and then they can do all kinds of nasty stuff.

They're a lot like Stingrays, the machines that smaller law enforcement agencies have, but much more advanced. Stingrays are mostly used to identify which phones are present in an area and track their general locations. A dirtbox flown in a Cessna can reportedly locate all the phones in the area to within 10 feet (purportedly 2 feet in some cases), capture the keys phones use to encrypt their link to the real cell towers, and jam communications either for an entire area or just for specific phones.

With your phone's link-layer encryption keys in hand, they can read a good amount of the traffic between your phone and the tower: listen to your calls, read your incoming and outgoing text messages, and see any internet traffic that isn't separately encrypted by the app or website you're using. That last point is the key to defending against them, because the cellular network's own encryption does not have to be the only layer you rely on.

Solution: encrypt everything

Luckily there's a fairly simple solution to man-in-the-middle attacks: Encrypt everything.

Modern encryption can negotiate a secure connection between two computers even if somebody is watching every byte. During this process, called a "key exchange," the two computers do some mathematical trickery to agree on a very large number that they both know at the end, but which is infeasible for anyone else to work out just by watching their communication. One caveat: a key exchange on its own only defeats an attacker who watches. An attacker who can also modify traffic can run a separate exchange with each side and sit in the middle, so each side also has to verify who it is talking to. That is what a website's certificate does, and what Signal's "safety numbers" let you check in person.

This means that it's possible to do certain things on the internet using protocols that are essentially impossible to spy on. It requires that the other end cooperate, though, and not all websites and services are set up to participate in secure connections. For websites, look for https:// (and the padlock) in the address bar; a plain http:// page can be read and altered by anyone on the path.
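To make the key-exchange description concrete, here is an added example in Python (not code from the original article) using only the standard library. It assumes the RFC 2409 1024-bit MODP group, which is fine for illustration but smaller than what real protocols use today, and the party names Alice, Bob, Eve and Mallory are the usual placeholders. It shows the honest exchange where the eavesdropper sees only the two public values, the man-in-the-middle that succeeds when neither side checks who it is talking to, and the out-of-band fingerprint comparison (the idea behind Signal's safety numbers and pinned certificates) that catches the substitution.

```python
# Added example, not code from the original article: finite-field Diffie-Hellman,
# the man-in-the-middle that unauthenticated DH does NOT stop, and the
# out-of-band fingerprint check that detects it. Standard library only.
import hashlib
import secrets

# RFC 2409 "group 2": a 1024-bit safe prime p and generator g = 2. Adequate for
# illustration; real protocols use 2048-bit+ groups or elliptic curves.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin. Run it on p and (p-1)//2 before trusting any DH group."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keypair():
    """Secret exponent a and public value A = g^a mod p (only A goes on the wire)."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)


def shared_key(my_secret, peer_public):
    """Both sides reach g^(ab) mod p; hash it down to a 32-byte session key."""
    if not 1 < peer_public < P - 1:  # 0, 1 and p-1 would force a trivial secret
        raise ValueError("degenerate public value")
    s = pow(peer_public, my_secret, P)
    return hashlib.sha256(s.to_bytes(128, "big")).digest()


def fingerprint(public):
    """Short digest of a public value, meant to be compared over a trusted
    channel the way Signal safety numbers or pinned certificate hashes are."""
    return hashlib.sha256(public.to_bytes(128, "big")).hexdigest()[:16]


def honest_exchange():
    """Eve sees only A and B. Returns (keys_match, values_seen_on_wire)."""
    a, A = keypair()
    b, B = keypair()
    return shared_key(a, B) == shared_key(b, A), (A, B)


def mitm_exchange(check_fingerprint):
    """Mallory swaps both public values for her own M.
    Returns (mallory_can_read, alice_detected_it)."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    alice_key = shared_key(a, M)  # Alice believes M came from Bob
    bob_key = shared_key(b, M)    # Bob believes M came from Alice
    can_read = (alice_key == shared_key(m, A)) and (bob_key == shared_key(m, B))
    # Alice learned Bob's real fingerprint out of band (in person, via a
    # certificate, etc.) and compares it with what actually arrived.
    detected = check_fingerprint and fingerprint(M) != fingerprint(B)
    return can_read, detected
```

The two calls to `mitm_exchange` are the whole lesson: with no identity check Mallory holds a valid key with each side and neither notices; with the fingerprint comparison the session still completes, but Alice learns it was intercepted and can refuse to use it.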

Easy wins

There are several easy wins you can get when it comes to communicating securely, even over a potentially compromised connection.

  1. Avoid using any apps you don't need. If you don't know about an app's security, avoid using it. The sign-in process may well send your password unencrypted, and if you re-use passwords anywhere, losing one of them is kind of like losing all of them.
  2. Encrypted messaging apps. iMessage, WhatsApp, and Ello all have strong security if you're messaging somebody else who uses them; messages that fall back to plain SMS get no protection, and some apps only encrypt end-to-end in a special mode, so check that it's on. For well-vetted security that has been endorsed by the EFF, you should really use Signal. Signal also lets you compare "safety numbers" with a contact in person, which is how you confirm that nobody is sitting in the middle of that conversation.

VPNs: the nuclear option

If you want to be as secure as possible against man-in-the-middle attacks, you'll want to use what's known as a "virtual private network," or VPN. A VPN is a system that allows your device to establish a cryptographically secure tunnel across the internet to another computer somewhere else, and then route all of your internet traffic through that tunnel.

Thanks to modern cryptography, a secure connection can be established over an insecure channel. VPN software does the same sort of mathematical tricks, plus a check of the server's identity, so that no one between you and your VPN server can read or tamper with your traffic, no matter how many bad guys have tapped the lines in between. One caveat: the protection ends at the VPN server. The VPN provider, and everything beyond it, still sees whatever isn't also encrypted by HTTPS or your messaging app, so a VPN moves your trust rather than removing the need for it.

If you would like to use a VPN, you may have to shell out a bit of actual money. Rolling your own is possible, but generally not an afternoon project for regular people. Luckily, there are excellent options available for not very much cash.

I've personally been using Private Internet Access for several years now. They cost $40/year and are really great. If you're extra paranoid they allow you to pay in Bitcoin and not even give them your name. They keep no logs, and have servers all over the world. They also have software and guides for setting up their service on pretty much every device and operating system you can think of.

Other good practices

For maximum security you should also make sure to do two important things: use a password manager, and enable two-factor authentication. Both of these are easy to set up, and they will go a really long way toward making you safe on the internet. Without them you're the low-hanging fruit, and it's only a matter of time until somebody hacks you.

A password manager is a piece of software that runs in your browser or as an app and keeps track of all your passwords. It lets you automatically generate long, random, unique passwords for every site you sign into, so that if your password on one site gets leaked or hacked, that same password doesn't also let bad guys into every other account you own. Protect the manager itself with a long passphrase you use nowhere else, and turn on 2FA for it. I personally have used LastPass for years and have nothing but praise. There's also an excellent Lifehacker tutorial on getting up and running with LastPass.

Two-factor authentication (2FA) is an additional layer of security many sites offer. If you enable 2FA on a site, you can't sign in from a new computer with just your password. The first time you sign in from an unrecognized computer, the site will ask for an additional code. The code might be sent to you in a text message, or it might be generated by an app on your phone from a secret the site gave you during setup. Codes from an app (or a hardware security key) are the better choice: a text message can be intercepted or redirected by someone who talks your carrier into moving your phone number to their SIM. Many sites also support backup codes, where you print out a bunch of one-time-use codes ahead of time that you can keep in your wallet.

The idea is that just stealing your password is no longer sufficient to access your accounts. The bad guys would also have to steal your phone, or otherwise get access to wherever the codes come from. That buys you extra security, and extra time, in the event that your password does get compromised.

2FA is vital to good security, and you should turn it on everywhere you possibly can. There's even a handy website with a searchable list of sites that support 2FA and what features they offer.

Response to compromise

If you're connecting over a VPN, using a password manager, have 2FA on your important accounts, and are not connecting to strange WiFi, you're about as safe as you're going to get. Even so, you should know what to do if something slips through.

If you suspect an account has been compromised, immediately get to a safe internet connection or connect to your VPN and change your passwords, starting with your email account, since password resets for everything else flow through it. If they got into something like your email account, a huge amount of damage will already be done: your entire email history and contact list can be downloaded in minutes. You can keep them out going forward, though, by promptly changing your password. Many sites also have tools for viewing other signed-in sessions for your account and forcing anyone else on your account to sign out; for email, also check for forwarding rules or connected apps you don't recognize, which attackers add so they keep receiving your mail after you change the password. Look for a section labeled something like "security settings" to find these sorts of tools.

Mostly, though, you just have to be vigilant.