Physical Security: The Forgotten Side of Internet Privacy

It’s not just about software anymore.

With all this talk about VPNs, encryption, Tor, proxies, firewalls, and more, you’d be forgiven for believing that internet security is exclusively about using advanced software and protocols to deter attackers and avoid privacy snoopers.

But security is much more than that. In particular, if your devices are physically compromised, all software solutions become worthless—and you can kiss your privacy and security goodbye.

Physical Security Matters

Physical security is rarely discussed because, on a superficial level, it’s quite an obvious matter. Don’t hand your laptop over to complete strangers. Don’t write down your passwords on a post-it note near your desk where anyone can find them. And if someone calls and asks for your bank account number and home address, tell them as much as you can.

Just kidding! Who would ever do something like that, right?

But you would be surprised to know how much your daily habits may be putting your privacy and security at risk, even if you’d never do anything egregiously insecure, like handing over your passwords to a stranger.

Eavesdroppers and Shoulder-Surfers

Have you ever considered that when you log in to your internet accounts in a public setting, a nearby security camera (or a stranger behind you) might be recording your every keystroke, putting your security at risk?

Most people wouldn’t even consider this because we’ve grown so used to seeing cameras in public. And why would you be looking for cameras or snoopers if you’re not doing anything wrong?

But you can never be sure who may be watching when you’re out in public, and you’re always open to targeted and opportunistic attacks from anyone who observes and records your keystrokes, or views whatever sensitive data you happen to be accessing on your computer.

Worried? You shouldn’t be. There are several methods you can use to stay safe from these kinds of “shoulder-surfing” attacks (where someone spies on you as you use your devices)

Secure Your Accounts

First, you should use two-factor authentication (2FA) on all of your internet accounts. By enabling 2FA authentication, access to your accounts requires entering your password and a one-time code sent to you via SMS or generated by an app on your phone. This makes it impossible for someone to log in to your accounts if they only know your password.

Second, consider investing in a phone or laptop privacy screen protector. These protective filters attach directly to your device, and will make it difficult for anyone to see what’s on your screen unless they’re directly in front of it.

Admittedly, a filter won’t help if someone is shoulder-surfing directly behind you, and it may even attract attention by signaling that there’s valuable data on your device. But if used in combination with other methods, it may deter opportunistic attacks and make it easier to notice if someone is trying to look at your screen.

Third, avoid accessing important accounts or data in public. While this may sound like a non-solution, you should consider that some data might simply be too sensitive to display in public. For example, if you have access to confidential business information, allowing it to fall into the wrong hands might prove fatal for your business.

Stay Alert

Personal data privacy isn’t just about your laptop and your other personal devices. Shoulder surfing attacks are also possible when you’re entering your bank PIN at the ATM or at the cashier at the supermarket.

When possible, use your free hand to cover the keypad as you enter your PIN, and don’t leave your receipts by the machine or throw them away in public—the information there can be used to compromise your bank account. (And don’t leave without taking your card!)

You should keep your surroundings in mind at all times, and consider that anything you do in public may be recorded or observed. There’s no reason to be paranoid—but just as you would watch out for your physical safety when you’re on the move, you should keep your device safety in mind as well.

Evil Maids and Physical Security

Suppose you’re staying at a hotel, and you’re about to go down to the lobby for a quick bite to eat at the cafe. Would you leave your laptop in your room or would you take it with you?

Most people might decide, simply out of convenience, to leave their laptop in their room. While this isn’t necessarily a dangerous option, you should always consider that the moment your devices are outside of your physical control, you forfeit most of your expectations to privacy and security.

Information security specialists like to talk about what’s known as the (somewhat crudely-named) Evil Maid Attack, which can occur when someone gains physical access to your devices without your knowledge.

Once that happens, it’s game over—no VPNs or firewalls will save you there. Even if you have a strong password and multiple layers of encryption set up on your devices, you have no idea if the attacker tampered with the software or hardware on your device in order to observe what you do, record your voice, or track your location.

While the maids at your hotel are probably honest and law-abiding people, you should still strive to keep your devices under your control at all times. If you travel extensively, especially for business purposes, this becomes even more critical, as competitors and state actors may target you for attacks.

Secure Your Devices

To stay safe from these kinds of physical attacks, your first priority should be to keep your electronic devices under your physical control at all time.

If that’s not possible, you should consider investing in a computer lock, which will keep your laptop from being moved without your permission.

Block Device Inputs

For even more security, you could install physical port blockers to make it difficult for an attacker to use the ports on your machine to carry out an attack.

While these aren’t perfect solutions (anyone with a bit of know-how can remove them if they have the right tools), they provide an additional barrier for a potential attacker to overcome.

If your laptop has a webcam, it may a good idea to keep it covered when not in use (a purpose-made flap can come in handy, but a piece of aluminum foil and some tape might be all you need). The same goes for your laptop’s microphone.

Are webcam and microphone attacks at all possible or even that dangerous? It’s debatable—but most information security specialists agree that a determined attacker could probably enable your webcam or microphone remotely without your knowledge. But don’t take it from us: even Mark Zuckerberg has been known to keep the webcam on his laptop covered!

Keep Your Passwords Safe

Finally, while it may sound obvious, remember that you should never keep your passwords out in the open or hand them to anyone, no matter how much authority they have.

For instance, avoid giving your passwords to computer repair technicians (as they should have alternative ways to repair your laptop without accessing your personal account), and remember that no website or company will ever ask you for your internet account password.

Conclusion

Strong passwords, file encryption and VPNS are all excellent (and probably indispensable) for maintaining your internet privacy. But physical security is just as important—and maybe more so.

It’s easy to fall prey to a false sense of security if you have the proper software and settings set up on your devices, when in fact the nearest threat might be that shady-looking guy in the trench coat who’s looking over your shoulder (it’s always the trench coat that gives them away!)

Again, there’s no reason to be paranoid, but remember that software solutions work only when your physical privacy remains intact.

Looking for safe VPN recommendations? Check out our curated list.

Justin Uther

Writer, BestSafeVPN.com (justin@bestsafevpn.com)

Comments are welcome

Leave a reply

BestSafeVPN.com