Industrial espionage while travelling: what your devices reveal

Business travel is when an organisation is most exposed, and least suspicious. Real attack vectors, documented cases, and proportionate preparation for executives and teams travelling with valuable information.


An executive tells me about his trip to Asia. Three days, a partnership to sign, his usual laptop in his bag. At the hotel, he leaves the computer in the room to go down for dinner. When he returns, nothing is missing, nothing seems out of place. He found that normal. That is exactly what should be alarming.

Industrial espionage does not look the way people imagine it. No briefcase, no microphone in the flower pot. It looks like an ordinary business trip, where the person carrying the value lets their guard down at the precise moment their exposure is at its maximum.

Business travel concentrates three factors that are rarely combined: devices that leave the company’s protected perimeter, a tired and rushed person who takes shortcuts, and a physical and network environment they do not control. For an actor seeking information, it is the ideal window.

The common trap

The received wisdom fits into one sentence: economic espionage is for large defence groups or CAC 40 multinationals. The SME negotiating a contract abroad, the firm accompanying an acquisition, the startup presenting its technology at a trade show — they all believe they are too small to interest anyone.

That is wrong, and it is wrong for a simple reason: value is not measured by company size, but by what it carries at a given moment. A forty-person SME holding a unique industrial process is worth more to a competitor than a large group about which everything is already public. A five-partner firm steering an €80 million transaction carries, for a few weeks, information whose value far exceeds its own size.

The attacker does not target a company. They target information, at the moment it is accessible. And that moment is often the business trip.

The real threat model

Three families of actors must be distinguished, because they have neither the same means nor the same targets.

The direct competitor, first. The least sophisticated, the most frequent. They do not have advanced technical capabilities, but they have a precise interest and sometimes a budget to buy intelligence from intermediaries. Their window is the trade show, the conference, the moment when your sales staff talk too loudly in a lobby, when your confidential slides remain displayed during the break.

The state actor, next. Present in certain countries where economic intelligence is an openly acknowledged policy, sometimes backed by a legal framework that authorises access to data on national territory. Their means are of a different order: access to local telecom infrastructures, border extraction capability, cooperative hotel staff, mass interception. When you enter that territory with a device containing value, you must assume that the content of that device is potentially readable.

The opportunistic intermediary, finally. Private intelligence agencies, former service members turned freelance, contractors who sell results without being asked about their methods. They operate in a grey zone, and they work for whoever pays.

The ambient surveillance of a territory is not negotiable. It is circumvented through preparation.

Concrete attack vectors, in order of frequency

Hotel and conference Wi-Fi comes first. An uncontrolled network, often poorly configured, sometimes operated by a third party you know nothing about. The threat is no longer so much the interception of encrypted traffic — made difficult by widespread HTTPS (secure HTTP, encrypting browser-server communication via TLS) — as the capture of metadata: which services you contact, how often, to which domains. And malicious captive portals, which remain an active injection vector.

Physical access to an unattended device comes next. Hotel room, room safe, checked luggage, a device handed to a third party during an inspection. A few minutes are enough for a prepared actor to clone an unencrypted disk, install an implant, or simply photograph an unlocked screen.

Border extraction rounds out the picture, but it is growing. In several jurisdictions, border authorities have the right to seize and examine electronic devices, sometimes without a warrant. The traveller faces a choice: unlock, or refuse and accept the consequences. Compelled disclosure (the legal obligation to provide passwords or decrypt devices under penalty) is a legal reality in countries one does not always expect.

The right approach

The structuring rule fits into one sentence: what is not on the device cannot be extracted from the device. All preparation flows from that.

The principle is not to turn every trip into a clandestine operation. It is to calibrate protection to the value being carried and the territory being visited. A return trip to Brussels for a European committee does not require the same preparation as a three-week negotiation in a country with active economic intelligence.

Compartmentation, separating identities by usage (civil, public pro, sensitive pro, operational), is the central tool. A travel device is not your usual device. It is a machine with minimised data, without cache from your cloud accounts, without sensitive documents stored locally, on which a compromise gives access only to what was necessary for the trip, and nothing more.

Full disk encryption (on Windows, the Microsoft disk encryption integrated into Windows Pro/Enterprise) with a pre-boot code — not the default transparent encryption — protects the powered-off machine. A VPN (an encrypted tunnel between your device and a server, masking your IP and traffic from your ISP) activated from the moment of network connection protects transit on untrusted networks. Encrypted DNS (DNS requests encrypted inside HTTPS, hiding them from the ISP) closes a surveillance channel that is often overlooked. These are known measures, whose effectiveness depends entirely on being set up before departure, not during.

What this means in practice

Reading angle

For you, as an individual

You travel for work, you bring your usual laptop and phone, and you have never really thought about what that exposes. The right reflex does not require becoming paranoid, just treating travel as a particular moment.

Your three priorities, in order:

Verify that disk encryption is active with a pre-boot code, not just a session password unlock. On a recent Mac, FileVault is active by default, but check. On Windows, BitLocker with PIN.

Enable your VPN as soon as you connect to a network you do not control, and leave it active. Hotel, trade show, or café Wi-Fi is never trustworthy.

Never leave your device unlocked and unattended, even for a few minutes. The room safe is not secure. If you must leave the device, ensure it is powered off, not in sleep mode.
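
One way to run the first check on Windows, as an added example that is not part of the original article: it reads the BitLocker key protectors of the system volume and flags a TPM-only (transparent) setup. The function name `Test-TravelDiskEncryption` and the `ReadyForTravel` field are illustrative choices; run it from an elevated PowerShell session.

```powershell
# Added example, not from the article: pre-departure BitLocker check for the OS volume.
# Requires an elevated PowerShell session on a Windows edition that ships BitLocker.

function Test-TravelDiskEncryption {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protectors that require a code typed before Windows boots.
    $codeTypes  = 'TpmPin', 'TpmPinStartupKey', 'Password'
    $hasCode    = @($types | Where-Object { $_ -in $codeTypes }).Count -gt 0
    # A bare TPM protector unlocks the disk with no user input (transparent encryption).
    $hasBareTpm = $types -contains 'Tpm'

    $findings = @()
    if ($vol.ProtectionStatus.ToString() -ne 'On') {
        $findings += 'Protection is off or suspended'
    }
    if ($vol.VolumeStatus.ToString() -ne 'FullyEncrypted') {
        $findings += "Volume status is $($vol.VolumeStatus)"
    }
    if (-not $hasCode) {
        $findings += 'No pre-boot code protector (TPM+PIN or password)'
    }
    if ($hasBareTpm) {
        $findings += 'TPM-only protector present: disk unlocks without a code'
    }

    [pscustomobject]@{
        MountPoint     = $vol.MountPoint
        Protectors     = $types -join ', '
        ReadyForTravel = ($findings.Count -eq 0)
        Findings       = $findings
    }
}

Test-TravelDiskEncryption | Format-List
```

A device that reports `ReadyForTravel : False` with a TPM-only finding is encrypted but boots straight to the login screen, which is the default transparent mode the article warns about.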

For travel to a high-risk country, the real answer is a dedicated device with minimal data. A secondary phone and laptop, clean, without access to your production data. That costs less than a compromise.

For you, CISO / CIO

You know all this. The difficulty is not technical, it is organisational: ensuring that the people who travel apply the preparation, without experiencing it as a punishment.

The first shift is to move the travel policy out of the forty-page document nobody reads, and make it a mechanism integrated into the booking process. When a colleague books a trip to a country classified as at risk, the alert should fire automatically, the dedicated equipment should be provisioned, the briefing should be triggered. The friction must be in the system, not on the shoulders of the individual.

The second shift is the travel device pool. A pool of clean, pre-configured laptops and phones with minimal data, loaned for sensitive missions and wiped on return. The cost of a five-machine pool is negligible compared to what a single successful extraction can cost.

The third shift is the return. A device that has travelled in a country with active intelligence does not naively reconnect to the information system. Quarantine procedure, verification, ideally a full wipe. The compromise that matters is not the one that steals data on site — it is the one that brings an implant back into your network.

Your most telling indicator: what percentage of your high-risk-zone trips use dedicated equipment rather than production devices? If you cannot answer, the policy exists on paper but not in the field.

For you, as an executive

You are the person who carries the most value when travelling, and the least inclined to accept constraints. The negotiation you are about to sign, the transaction you are steering, the technology you are about to present: it is in your head and on your devices, at the precise moment you cross a border you do not control.

You do not need to understand encryption. You need to make three decisions that no one can make for you.

What do I bring? For a sensitive trip, the answer is not “my usual devices.” It is dedicated equipment, prepared by your team, containing only what is necessary for the trip. Your IT department provisions. You decide the scope.

What am I prepared to lose? If your devices are seized at a border, or compromised in a room, what is exposed? If the answer frightens you, you are carrying too much. Good preparation makes this question almost painless.

What do I do if things go wrong? A seized device, a request to unlock, abnormal behaviour on return. Having settled the protocol before departure changes everything. Improvising on site, tired and under pressure, never produces a good decision.

The test is not whether you are careful. It is whether your caution is prepared in advance, or improvised at the moment it is too late.

Mistakes we see all the time

Bringing your usual devices “because it’s more convenient” to a country where you know economic intelligence is active. Three days of comfort against the risk of a lasting compromise.

Believing the room safe protects anything. Staff have a master code, and a hotel safe has never resisted someone with the time to open it.

Reconnecting on return, without precaution, the device that travelled. The threat that matters did not stay abroad — it came back with you.

Confusing absence of evidence with absence of intrusion. A well-executed extraction leaves nothing visible. “Nothing was missing” is not reassuring information — it is the absence of information.

Preparing for a high-risk trip

  • N1 Assess the risk level of the destination country before any equipment preparation
  • N1 For high-risk countries: provision a dedicated device with minimal data rather than bringing production devices
  • N1 Verify disk encryption with pre-boot code on every device being taken
  • N2 Enable VPN and encrypted DNS, and test that they work before departure
  • N2 Disconnect sensitive cloud accounts and clear local caches on the travel device
  • N2 Establish in advance the protocol in case of seizure or unlock request at borders
  • N2 Never leave a device unlocked or in sleep mode unattended, including in hotel safes
  • N3 On return: quarantine the device before any reconnection to the information system
  • N3 For organisations: integrate preparation triggers into the travel booking process

Further reading

This article is part of the Travel axis. For step-by-step preparation, see Pre-departure preparation. For the specific case of borders, Borders and customs. For the most demanding territory, Travelling to China. And for equipment, Travel laptop.
