Is all your phone data really siphoned at airports?

In the privacy sphere, it’s always assumed that you should switch off your phone at airports because they can get your phone data. However, is the assumption that they can basically hack in your phones with wireless methods true ? If so that would seem pretty concerning.

Nah, that is what you see at movies. They probably just collect and monitor your IMEI and IMSI aggressively.

They definetly monitor your communications if you are not encrypting them which can lead to some dicey situations if your not careful about what you say.

My assumption is that you are basically in one big IMSI catcher when you are at or near an airport.

1 Like

If you get “selected” by the (US) police for further questioning they might connect your phone to a machine that will hack into your phone and indeed download everything on it. If you were smart and turned it off they may simply persuade you to turn it on for them and enter your password too under threat of getting jailed under some obscure anti-terror laws.
Know your rights, don’t behave suspiciously in an airport and perhaps don’t have your main phone with you if there is really incriminating stuff on it.

1 Like

Never heard of this, but you do have less rights at the border (i.e. at airports) in the US for whatever reason, so it’s not the safest place to be. I don’t think you’ll be hacked remotely though.


I’ve crossed the US border somewhat recently. They don’t siphon data there. I think it happens when you apply for a visa. I got a weird ping where my phone lost signal repeatedly (GrapheneOS seems to make sound when cellular signals lost). This happened about an hour after I was done processing application within the US embassy to apply for a visa. Never has this happened before. Correlation is not causation, i know but, its still sort of weird.

There is also this moment when I’ve asked to submit information to my local immigration agency before I board the plane out.

Other than that no one has asked for my phone. I guess my background check was not as suspicious to warrant confiscation of my phone and further “random” inspection.

However, is the assumption that they can basically hack in your phones with wireless methods true ?

It depends on who you mean by “they”, but generally speaking, no, that’s not true. If you mean by the government or border agents, they won’t hack you remotely, they would just take your phone themselves. And if you mean attackers on airport public Wi-Fi, just make sure to follow @SkewedZeppelin’s recommendations below, since he basically covers all bases imo, and you should be fine.

I would recommend turning off your phone when you go through airport security though, as that will put it into BFU (Before first unlock), which means it’ll have stronger encryption, and will be harder to break into if it is lost/stolen or confiscated for whatever reason. Like @Valynor said though, this may only go so far, since they’ll probably compel you to unlock it anyways if you are “selected”. Related

Depending on your threat model, it may be worth it to not carry your main phone with you while you travel, but it depends. I’ll also add that with international travel, it’s a much higher risk that you will be “selected” or questioned than domestic travel, so you could factor that into it as well.

Which other countries have this requirements to open up your phone on request ?

Shame to see the BBC refer to Snapchat as an encrypted app.

1 Like

In some countries it’s a threat, not a request. Wikipedia and Crypto Law have some information about coercive key/plaintext disclosure, but these are not specific to borders or may require a warrant.

I might be wrong, but without any further context I would say that advice is more likely based on the threat of being searched and interrogated than on an assumption that people’s phones can get hacked wirelessly.

When an encryption-enabled device is off and secured with a key/password (not biometrics!) I imagine the only ways for border agents to get plaintext data off the device are:

  1. Coerce the owner to hand over the key/password or plaintext.
  2. Break the encryption in real time or in the future (by copying the ciphertext).

IANAL. The US has constitutional protections against coerced key/plaintext disclosure, although there may be fewer rights at the border. Conversely, some jurisdictions impose fines or jail time on people who refuse to disclose keys/plaintext at the border, making coercion much more effective there. Generally, coercing someone to disclose keys/plaintext when their device is encrypted and turned off increases the attack cost for the border agent in that it often requires some sort of legal justification. Keep in mind they could still copy ciphertext in the hope to decrypt it in the future. However, if a device is not encrypted or switched off, the legal and technical barriers faced by border agents are lower. They could easily snatch someone’s device and look through its data or connect it to a machine that will copy all its plaintext data, possibly with impunity.

Finally, the usual tips. It might be wise not to use the USB chargers provided at airports. Either attach a USB condom or carry your own charger. Also beware of malicious wifi hotspots and the possibility there are IMSI catchers in operation.

Further reading: