Last Friday, on my way home from 31c3, a funny thing happened on my way through Charles de Gaulle airport in Paris: I was required by a security agent to not only power up, but also type in my password to unlock my laptop in order to board my flight.
One tweet, and about 12 hours of no Wi-Fi later, I landed to find that a lot of people interested in privacy and security had questions about the details of my adventure, so here it is.
First of all, HackerOne employees don't ever have access to our customers' vulnerability reports, therefore there are no exploits stored on my devices, so no customer data was at risk. For more about how we protect vulnerability data, see our own bounty and security page.
CDG airport personnel asked to search my bag, after I had cleared security, when I was about to board the flight. I had in fact already had my boarding pass checked by the gate attendant when a uniformed security agent diverted me to a small table, right before I was to enter the boarding tunnel. The security agent at the gate had me pull out my laptop, turn it on, & further asked me to type in my password, which decrypted the full disk encryption of the drive, even after she saw that it did boot up.
It was clear there was a language barrier issue, but I was trying to show her that the login screen was there, the laptop did power up. I have had to power on my laptop and phone once before, in Brussels on my way back to the US, but I had never been required to unlock any devices, nor had I heard about friends having to do so - this was very unusual in my experience.
When it was clear she wanted me to type in my password, I asked her why. The agent said it was "regulation" & I complied so I would not miss my flight, or suffer other consequences, given that it was in the middle of boarding. She did not make me turn on or unlock my phone, and waved me through after she saw my desktop pop up with a browser window open to my Twitter feed on top. She didn't touch my laptop after I unlocked it, and none of my devices left my sight during the search.
The speculation on Twitter that I was targeted due to my work at a company that hosts vulnerability coordination and bug bounty programs was amusing. At HackerOne we provide organizations with the tools they need to successfully run their own vulnerability coordination program. As such, HackerOne employees do not have access to organizations' confidential vulnerability reports or their sensitive data. While my occupation could have triggered me being on a list that caused the secondary search, I got an 'Inspector Clouseau' vibe from her more than anything else. This is funny now that I'm home, but a different story had she attempted any further access to my data, which I imagine going something like this.
In all seriousness, had she made a move to start typing on my keyboard, I would have certainly missed my flight to find out what happens when one refuses to have their data taken from them against their will.
It was an unsettling experience due to the violation of my privacy, but I wasn't concerned about the new exploit export controls or about sensitive customer data leakage, even if the security agent had confiscated my laptop and phone, which she didn't.
For my hacker friends who travel across borders, it serves as a chilling reminder to have multiple encrypted drives, or to just travel with clean devices.
Happy hacking, and safe travels, everyone.
‐ Katie Moussouris, Chief Policy Officer
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.