Canadian politician Pat Martin, he notoriously exclaimed that “only dope dealers, and Hell’s Angels, and Tony Soprano use burner cell phones.” Yet the world changed following the news, as reported by the Financial Times on November 23, 2023, that some of the largest financial and consulting firms, including Deloitte and KPMG, have made it corporate policy for their executives to not use their usual work phones while visiting Hong Kong. The move comes as China increases its control over Hong Kong, the Asia-Pacific headquarters of many global companies, the Financial Times said.
These new policies are most likely in response to the privacy and security threats of sophisticated spyware such as Pegasus, which was developed and designed by the Israeli cyber-arms company NSO Group to be covertly and remotely installed on mobile phones running iOS and Android.
While Pegasus has exploited vulnerabilities to mobile communications for nearly five years, it has now reached a critical point that has prompted the need for new and stricter mobile phone policies within regions – and more recently even related to non-nation states – where spyware threats are just too great for corporations to risk.
It is important to note that while Pegasus is marketed as a product for fighting crime and terrorism, governments around the world have routinely used the spyware to surveil journalists, lawyers, political dissidents, and human rights activists. Regions including China, Hong Kong, Mexico, Spain, Morocco and the United States are just some that have used Pegasus.
In fact, even popular messaging apps, which are heavily relied upon by executives for professional communications, are not immune to Pegasus. For example, in 2019, WhatsApp revealed that Pegasus had employed a vulnerability in its app to launch zero-click attacks, whereby the spyware could be installed onto a target’s phone by calling the target phone, whether the call was answered or not.
So what have these financial and consulting firms advised their executives to do? Well, one of the key recommendations is for their executives to use “burner phones” instead of their normal work phones.
In the past, burner phones (“burners”) referred to cheap devices that could be discarded so a user’s whereabouts or identity could not readily be discovered, and often purchased with cash in avoidance of a paper-trail. Corporations have – until now – seldom resorted to using anonymized devices, and instead relying on enterprise security settings and applications.
In the Asia Pacific region, such precarious precautionary tales come amid growing security concerns over China’s increasing control of the Hong Kong region. In 2020, Donald Trump issued an executive order declaring that Hong Kong was “no longer sufficiently autonomous” to be understood as separate from China, following the implementation of the national security law in Hong Kong – a firm move from Beijing in their agenda against pro-democracy activism.
The burner phone revival may look like a knee-jerk reaction, but we have actually seen similar implementation before. Last year, BBC News reported that athletes had been advised to use burner phones during the Winter Olympics. A report at the time stated that “China’s national data security laws are not designed with the Western values of privacy and liberty and do not offer the same level of protection”.
If not traveling with your corporate phone in certain areas of the world is now the market standard, companies need to decide how to protect their clients, employees and shareholders.
A resurgence like this feels like Groundhog Day in cyber-security. While the need for pro-active privacy measures continues to soar as state-related risk rockets, giants in international business are the latest to expose an unnecessary reliance on old tricks. In today’s world, there is no reason to expose your personnel to the risks and limitations of using a burner phone when there is an out-of-the-box solution currently available that completely protects your communications.
This solution is the Sotera SecurePhone, the world’s only mobile phone device offering completely secure point-to-point voice and text communications. It allows a company’s personnel to conduct business on a closed network, in real time – irrespective of where they are in the world. It’s impervious to spyware, without denying access to global and local connectivity. This means consistent coverage for crystal-clear voice and data connections. Indeed, the Sotera SecurePhone is the only ready-to-use, out-of-the-box solution available to keep your business running safely and smoothly in the new international corporate travel environment.
Many think “burners” protect a company’s information by denying access to it, but their slow and complicated reality takes them out of the spy novel and leaves them in the cyber stone-age. Single-trip use, “burners” need to be set up prior to travel, and then the new cell number needs to be distributed to coworkers and clients. The phones eventually need to be discarded upon return, and in some places, including Hong Kong, there are registration requirements for purchasing SIM cards.
Burner phones do nothing to allow your personnel to communicate efficiently and securely while traveling. Burners in this case effectively mean these are phones without legacy data or applications on them, many times a less expensive or out-of-date device. This leaves them vulnerable to known exploits, making their false sense of security a trap for freely spoken sensitive data. Riddled with user-experience flaws, dated devices like these prevent effective business conduct on the ground; both locally and with the home office.
Unfit for business, “burners” lack enterprise-level management options. Having noticed this theme among competitors, the Sotera SecurePhone was built from the ground-up by industry experts specifically for professionals and easy use and distribution at every level of your organization.
Without robust encryption, “burners” remain susceptible to eavesdropping. If an attack is attempted and despite a reliance on being wiped after use, they simply don’t have the advanced measures that would streamline this process, secure booting, and strong authentication.
Where others can’t, the Sotera SecurePhone offers end-to-end encryption (including data at rest), secured by the same operating system that is used to protect the United States nuclear arsenal and other critical Department of Defense infrastructure.
