In some countries it’s a threat, not a request. Wikipedia and Crypto Law have some information about coercive key/plaintext disclosure, but these are not specific to borders or may require a warrant.
I might be wrong, but without any further context I would say that advice is more likely based on the threat of being searched and interrogated than on an assumption that people’s phones can get hacked wirelessly.
When an encryption-enabled device is off and secured with a key/password (not biometrics!) I imagine the only ways for border agents to get plaintext data off the device are:
- Coerce the owner to hand over the key/password or plaintext.
- Break the encryption in real time or in the future (by copying the ciphertext).
IANAL. The US has constitutional protections against coerced key/plaintext disclosure, although there may be fewer rights at the border. Conversely, some jurisdictions impose fines or jail time on people who refuse to disclose keys/plaintext at the border, making coercion much more effective there. Generally, coercing someone to disclose keys/plaintext when their device is encrypted and turned off increases the attack cost for the border agent in that it often requires some sort of legal justification. Keep in mind they could still copy ciphertext in the hope to decrypt it in the future. However, if a device is not encrypted or switched off, the legal and technical barriers faced by border agents are lower. They could easily snatch someone’s device and look through its data or connect it to a machine that will copy all its plaintext data, possibly with impunity.
Finally, the usual tips. It might be wise not to use the USB chargers provided at airports. Either attach a USB condom or carry your own charger. Also beware of malicious wifi hotspots and the possibility there are IMSI catchers in operation.
Further reading: https://discuss.privacyguides.net/t/how-do-you-approach-travel-international-or-domestic/#16431