Burner Phones: Building a Case for Corporate Use
For most individuals, the phrase “burner phone” probably triggers thoughts of drug dealers, the mafia, or at least an episode of your favorite crime drama. However, there are circumstances in which the “good guys” should use a variant of the burner phone. Specifically, this is the case when executives or individuals with sensitive information travel to international locations that would be deemed high risk for corporate espionage. In such a case, it may be prudent to physically change devices before and/or after the travel.
Are Burner Phones Risky Business?
The perceived threat is that third parties could compromise the device with malicious software, alternate firmware, key loggers, and other means. Their objective would typically be eavesdropping on voice and data communication. While it may seem far-fetched, for many large organizations and government agencies, such a threat is real and becoming increasingly severe. Back in 2019, the US Justice Department filed criminal charges against Huawei, the Chinese behemoth with annual revenue exceeding USD $92 billion. Among those charges were accusations that Huawei attempted to steal trade secrets from T-Mobile and that they have bonuses for employees who collect confidential information on competitors. Such a high-profile accusation has shed light on these practices and emphasizes that perhaps they are not isolated.
Corporate Burner Phones for Data Security
We first came across the burner phone use case during a consulting engagement with a large oil and gas company in 2013. At the time, international travelers to China or Russia were required to swap their basic cell phones for temporary devices, primarily due to concerns around espionage within those two countries in particular. Due to the complexities at the time, such a procedure was not really feasible for smartphones such as iPhones, Android, or BlackBerry. As the years progressed, the feasibility actually decreased due to increasing use of mobile applications and personalized settings. Effectively, an individual’s mobile device became so customized and individual that rapid transition was no longer possible.
But in some organizations, with some segments of users, the practice of burner devices is now a necessity, regardless of logistical and technological difficulty. So, how can it be done?
Firstly, the applicable segment of users and the high-risk destinations need to be identified.
Next, if the segment is permitted to use a personal device for corporate communication, also known as Bring Your Own Device (BYOD), they must not be permitted to take that device with them when they travel. Such an action would entirely defeat the purpose of this endeavor.
How to Implement an Enterprise Mobile Burner Program
Obviously, an endpoint management solution would be required. The solution would need robust implementation of advanced features such as automatic installation of corporate applications, WiFi/VPN/certificate profiles, passcode/restriction profiles, per-app-VPN tunneling capability, and, of course, the email client and configuration. Preferably, the corporate data would be contained further within the device. However, since the devices are going to be corporate-owned, underlying containerization is not as critical.
The most critical part of the operation would be extremely robust depot/swap capabilities. SIM-unlocked cold standby devices will be required, and rapid turnaround will be needed from the moment a travel request is made. The user’s permanent device could be maintained in-country and onsite, which would allow for a rapid return to full productivity when they are back in-country. When the user returns, the burner device will not necessarily be destroyed but could be “scrubbed” in compliance with top security standards such as those outlined by NIST Special Publication 800-124. Of course, details and processes would have to be precisely determined and service levels established. If this procedure can also be augmented with the swapping of regional SIM cards or the addition of carrier “travel packs,” then this whole exercise would also have the added bonus of significantly reducing roaming charges.
Establish Standard Operating Procedures
Communication and training of the end-users will be essential. Fortunately, the designated user segment should be fairly small and will likely be equipped with specialized support personnel and perhaps executive assistants. This should allow for more consistent adherence to the new procedure.
Finally, auditability of the new procedure would be necessary. Again, the EMM solution could be an essential tool in this case. A geo-fence could be established for any travel outside of the country. If a device lands in a high-risk country unexpectedly, then remediating action can be taken.
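The geo-fence audit described above, sketched as an added example that is not part of the original article or any EMM product: it compares device check-ins against approved travel requests. The record schemas, the home country, and the finding names are assumptions; CN and RU stand in for the high-risk list only because the article names China and Russia.

```python
from dataclasses import dataclass
from datetime import date

HOME_COUNTRY = "US"        # assumption: where permanent devices stay
HIGH_RISK = {"CN", "RU"}   # the article's two examples; the real list is set by policy
@dataclass(frozen=True)
class CheckIn:             # one location report from the EMM (hypothetical schema)
    device_id: str
    user: str
    device_class: str      # "permanent" or "burner"
    country: str           # ISO 3166-1 alpha-2
    day: date

@dataclass(frozen=True)
class TravelRequest:       # approved trip from the travel workflow (hypothetical schema)
    user: str
    country: str
    start: date
    end: date

def is_approved(ci, requests):
    """True if the user has an approved trip covering this country and day."""
    return any(r.user == ci.user and r.country == ci.country
               and r.start <= ci.day <= r.end for r in requests)

def audit(checkins, requests):
    """Return (device_id, finding) pairs for check-ins that break the travel policy."""
    findings = []
    for ci in checkins:
        if ci.country == HOME_COUNTRY:
            continue
        if ci.country in HIGH_RISK and ci.device_class == "permanent":
            # Permanent/BYOD devices must never travel there, approved trip or not.
            findings.append((ci.device_id, "permanent-device-in-high-risk-country"))
        elif not is_approved(ci, requests):
            kind = "unexpected-high-risk-country" if ci.country in HIGH_RISK else "unplanned-travel"
            findings.append((ci.device_id, kind))
    return findings

# Constructed sample data, not taken from any real deployment.
SAMPLE_REQUESTS = [TravelRequest("alice", "CN", date(2024, 3, 4), date(2024, 3, 10)),
                   TravelRequest("bob", "RU", date(2024, 3, 5), date(2024, 3, 8))]
SAMPLE_CHECKINS = [
    CheckIn("perm-001", "alice", "permanent", "US", date(2024, 3, 5)),
    CheckIn("burn-014", "alice", "burner", "CN", date(2024, 3, 5)),
    CheckIn("perm-002", "bob", "permanent", "RU", date(2024, 3, 6)),
    CheckIn("burn-015", "carol", "burner", "CN", date(2024, 3, 7)),
    CheckIn("perm-003", "dave", "permanent", "DE", date(2024, 3, 8)),
]
```

Calling `audit(SAMPLE_CHECKINS, SAMPLE_REQUESTS)` flags bob's permanent device even though his trip was approved, because the swap itself was skipped.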
Clearly, the above is only a high-level overview of a particularly niche requirement, but it may still be a requirement nonetheless. As is the case with many of these use cases, it can only be executed effectively with very high maturity across the breadth of your mobility program. Endpoint management tools must be in place and configured effectively, mobility lifecycle management must be exceptional, and effective governance must be in place.