Some of the world’s largest consultancy firms (including the ‘Big 4’) are asking staff to use burner phones when they visit Hong Kong – but is this really the right solution?
A recent article in the Financial Times highlighted the growing concern about the risk to commercial data and the dangers of working in potentially unfriendly regimes. As Beijing continues to exert more control over the previously semi-autonomous international business centre of Hong Kong, more organisations are suggesting that company executives should take extra care when visiting the city, due to increased risks of hacking and unauthorised access to client data if work devices are used. In short, companies like Deloitte and KPMG are asking staff to use burner phones when in Hong Kong. And this is not being received well by some senior executives who prefer not to travel to the region due to the inconvenience of needing extra devices and leaving their usual phones and laptops at home.
This isn’t the first time that such an edict has hit the headlines. In January 2022, athletes from the US and UK were advised to use burner phones during the Beijing Winter Olympic Games, due to concerns about significant security flaws in an app provided by the Chinese government for use by all Olympics attendees.
This most recent example of organisations taking a stand against the dangers of state-sponsored hacking is equally applicable to many global organisations that have their Asia-Pacific headquarters in Hong Kong, or indeed in any untrusted regime. Some of the firms affected have expressed concerns about the legal liability associated with leaks of client data, and the commercial implications should clients’ data be stolen or compromised.
Burner phones – a solution or a risk?
This all raises an important question: What are the pros and cons of burner phones? From the user’s viewpoint, it is inconvenient to have to use a temporary phone, possibly with only a subset of the apps they are used to using. Conversely, if the phone is bought in country, then it might be considered unsafe because its provenance cannot be certain. For cost reasons such phones are usually Androids, which makes them more susceptible to having been ‘jailbroken’ (modified to remove restrictions imposed by the manufacturer, to allow the installation of unauthorised software) or to already containing potentially malicious apps from local carriers or distributors. While more secretive users might choose a burner phone because it helps their traffic blend in with the local phone communications, the primary purpose of using a burner phone is to be able to dispose of it when it is no longer required, such that whatever malware it contained, or picked up while in use, is not brought back into the user’s organisation. So, a burner phone is always a short-term solution to manage communications risks.
How Armour® helps
Armour Mobile™ and SigNet by Armour® can protect your mobile communications and data whether you choose to take your normal phone into a potentially hostile environment, or you need a secure communications solution that can be easily deployed on a burner phone.
Armour’s solutions completely isolate the communications and any associated data, metadata or files (attachments such as documents, images, video clips). In addition to end-to-end security over-the-air, all data is encrypted and secured at-rest within the app, protecting your contacts, messages and attachments from malware on the device or if the device is lost or stolen. The ultimate goal is to minimise your organisation’s risk by reducing the residual data held on the device. Armour’s products are ‘Secure by Design’: for example, technology in the app requires sole use of the microphone, ensuring rogue apps are not ‘listening in’ to voice or video calls.
In addition, before the app can be used, the Armour software checks to see if the device has been jailbroken. If so, the user will not be able to use the Armour app.
Armour provides its own viewers for certain types of attachments, so as not to share information with the operating system or third-party viewers, and to prevent the user from deliberately, or accidentally, sharing the attachment (and its sensitive information) outside of the Armour app, thus avoiding the potential for data leakage.
To minimise the use of the public internet and untrusted, insecure networks, the Armour apps can be installed in a variety of ways. Depending on the specific use case requirements, this can include installation via SD card or via a completely closed VPN network (using additional technology from Armour technology partners).
Armour Mobile and SigNet also include many security features within the app to protect against data leakage. These include the Message Burn and Disappearing Messages features, where the sender of a message can set it to automatically delete at a set time, either after it has been read, or after it has been sent. This feature can be deployed as a standard setting across chat groups or communities of users. In addition, if a phone is lost, stolen or compromised, all data held within the Armour platform can be wiped remotely.
For more information about how Armour can help your organisation protect corporate and client information while travelling in untrusted regimes, contact us today.
Or read our Buyer’s Guide to find out what you should be looking for: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/