A well-known and respected computer security researcher was detained for several hours Wednesday night by border agents who searched his laptop and cell phones before returning them to him.
The researcher, who goes by the hacker
“I can’t trust any of these devices now,” says Marlinspike, who asked that Threat Level not report his real name. “They could have modified the hardware or installed new keyboard firmware.”
Marlinspike gained attention last year at the Black Hat security conference in Las Vegas when he revealed a serious vulnerability in the way internet browsers verify digital security certificates. The flaw would let a hacker create a fake web site for Bank of America or some other legitimate business, obtain a fake digital certificate and trick a browser into thinking the fake site was the legitimate one, allowing the hacker to conduct a phishing attack against unsuspecting users who entered their bank credentials into the fake site. He released two free tools that would help an attacker conduct such an attack.
Three months later, PayPal froze his account with $500 in it because the company objected to the use of its logo on his web site, where visitors could download the free tools. A PayPal spokeswoman said at the time that the company did not allow PayPal “to be used in the sale or dissemination of tools which have the sole purpose to attack customers and illegally obtain individual customer information.”
The border search comes on the heels of two similar incidents targeting other white hat hackers. In July, security researcher Jake Appelbaum was intercepted at a New Jersey airport and detained. And earlier this month MIT researcher David House had his laptop seized when he deplaned at Chicago’s O’Hare Airport on his way back from Mexico.
Under the “border search exception” of United States criminal law, international travelers can be searched as they enter the U.S. without a warrant. Under the Obama administration, law enforcement agents have aggressively used this power to search travelers’ laptops, sometimes copying the hard drive before returning the computer to its owner. Courts have ruled that such laptop searches can take place even in the absence of any reasonable suspicion of wrongdoing.
Marlinspike first began experiencing increased scrutiny about two months ago during domestic flights.
He found he was unable to print out a boarding pass either from his computer or from airline kiosks at airports. And when he approached ticket agents, they were blocked from producing a boarding pass for him without first calling a Secure Flight number at the Department of Homeland Security. Secure Flight is a program that requires airlines to submit passenger names and birthdates to DHS in advance of a flight, to be checked against watchlists. Marlinspike said ticket agents told him he was on a federal watchlist.
The harassment took a more ominous tone last Saturday, when Marlinspike was on his way home to the San Francisco Bay Area from Abu Dhabi, where he’d given a presentation at the Black Hat security conference. He was snoozing on an airport chair during an extended layover at the airport in Frankfurt, Germany, when he was awakened.
“Some dude shows up with a picture of me on his cell phone,” Marlinspike said. “He’s going around looking at everyone and finally he finds me asleep with drool coming down my chin and he wakes me up.”
The agent said he was from the U.S. Consulate and told Marlinspike he’d have to answer a number of important questions. The questions, however, turned out to be routine customs questions asking him where he’d been and why he’d gone there. The agent did not search his electronics, but after completing his questions told Marlinspike, “Now I have to call Washington.”
“I said, Washington, DC? He said yes. He goes to make a call and comes back after seven minutes and asks more questions,” Marlinspike said.
The agent didn’t seem to know why Marlinspike was being targeted but said, “When my boss’s boss tells me to come pick someone up, I know something’s really going on.”
This week’s incident was the first time his electronic devices were searched, and their contents potentially copied.
Marlinspike says the forensic investigator told him at one point that he wouldn’t get his devices back unless he disclosed his passwords. His list of contacts and phone numbers weren’t secured, he says, but other data on his laptop and phones was encrypted.
“At first he was like, You have a choice you can give me your password and we can just do this all here, or we can send them to the lab and you’re not going to have the equipment anyway and we’re going to get all the data,” Marlinspike said. “I said, It’s encrypted and you’re not going to get anything off of it.”
CBP spokeswoman Kelly Ivahnenko said that the federal Privacy Act prevented her from discussing any specific case involving a passenger, but said that laptop searches are rare occurrences. “Between October 1, 2008 and August 11, 2009 CBP encountered more than 221 million travelers and of these fewer than 1,050 searches were performed on laptops,” she said.
Marlinspike says he has no idea what would have interested the agents.
“If there’s some information that they think I have — I can’t speculate about what that might be — they can’t legally get that because they don’t have any reasonable suspicions,” he said. “But they can do whatever they want at the border. And it feels like that is possibly being abused.”
At one point, he asked a TSA airport supervisor what he could do about getting off the watchlist and relieving some of the hassles he’d experienced. The supervisor gave him a phone number but it went to a voice mailbox that was full and didn’t allow Marlinspike to leave a message.
He currently travels internationally between one and three times a month in connection with his company, Whisper Systems, which recently released two free encryption applications for Android phones that protect SMS messages and voice calls.
“They’re beginning to destroy my ability to run a business with international customers,” he says. “I can’t travel internationally without assurances that I’m not going to spend 5 hours in a detention room and am not going to lose whatever electronic devices I have with me at the time.”
Like Marlinspike, Jake Appelbaum was detained in July at a New Jersey airport, after arriving on a plane from Holland on his way to the DefCon hacker conference in Las Vegas. Appelbaum, who is a U.S. representative for the secret-spilling site WikiLeaks, was questioned by agents over a three-hour period about WikiLeaks, its founder Julian Assange and Appelbaum’s opinion about the wars in Iraq and Afghanistan. Agents seized his laptop and three mobile phones. They reportedly returned the laptop but have never returned his phones.
Earlier this month, another person associated with WikiLeaks, David House, was met by U.S. customs agents as he deplaned at Chicago’s O’Hare Airport on his way back from Mexico.
The agents searched House’s bags, then took him to a detention room and questioned him for 90 minutes about his relationship to 23-year-old Bradley Manning, the former Army intelligence analyst who is in custody for allegedly leaking classified documents to WikiLeaks. House helped set up the Bradley Manning Support Network, a grassroots group raising money for Manning’s defense, and has also visited Manning in custody at the Marine Corps’ Quantico brig where he’s being held. The customs agents confiscated House’s laptop computer, a thumb drive and a digital camera and reportedly demanded, but did not receive, his encryption keys.
A graduate of Boston University, House is a computer scientist who works at MIT’s Center for Digital Business as a research software engineer, according to his resume. At BU he founded the campus hacker space for student tinkerers.
Marlinspike, who knows Appelbaum, says he has no connection to WikiLeaks. But he believes his name and phone number would have been in the phone that authorities seized from Appelbaum in July.
Photo of Moxie Marlinspike by Dave Bullock
Authors: Kim Zetter