Physical Device Security

Keep your device in your control

The easiest way to attack someone’s devices is to gain physical control of them. Consequently, the most important practice you can follow to protect them is to keep them in your control at all times. This means that you know where they are and can ensure that nobody is accessing them without your permission. When working in a public place, don’t leave any device alone even for a couple of minutes. Always take your phone with you, and do the same for a laptop. If you have to leave a device someplace, ask someone you trust (not the stranger at the next table!) to supervise it for you to ensure nobody tries to log in or insert any devices into it. This can be inconvenient but ensures nobody can surreptitiously install software on or hardware in your device without your knowledge.

Note: There is a difference between keeping a device safe from theft and keeping it in your control. For example, keeping your devices in your locked office building may keep them safe from theft but does leave them accessible to any cleaners who come after hours. Even a hotel room safe can be accessed by the hotel staff. It is impractical to keep your device on your person at all times. (Devices become quite unreliable after being taken into the shower.) So, you should focus on reasonable controls to prevent bad actors from having physical access to your devices. Keeping your device at your home if it is properly secured, or locked in a drawer at night, can provide you with a level of security that will force your adversaries to take more extreme means in order to compromise your devices.

Don’t plug it in

Carefully source your USB and memory card devices, only plugging trusted and personally sourced ones into your computer.

Don’t plug other people’s USB devices and memory cards such as flash drives, hard drives, and phones into your computer, or any such devices that came to you in anything other than verifiable original packaging. This recommendation is especially important with regard to devices from unknown or untrusted sources (leaving USB sticks around an office is a classic intrusion technique), but it also applies to devices owned by trusted people, as trusting a person is not the same as trusting all the devices they use, the software they run, or the other devices they have plugged their USB device into. USB and memory card devices can silently infect your computer in ways that are very hard to detect.

While never plugging USB devices into your computer is ideal, it is not always possible to do so. If you have to plug something into your computer, make sure that computer is running antivirus software that is up to date, and consider logging into a guest account that doesn’t have access to your files or systems and then passing the files on the device through an additional virus scan before opening or using them. Certain Internet-based services, including Google Drive and Box (but not Dropbox), automatically scan uploaded files (under 25MB for Google Drive) for viruses and will alert you if your files are infected, so you can use that as an additional layer of protection. However, there is still risk associated with USB devices. After using a USB device you don’t trust, be on the lookout for odd behavior such as error messages, extra network traffic, or rapid battery usage, and report any of those things to your technical support provider immediately.

Use charge-only cables

Use either a charge-only cable or what is known as a USB condom to charge your device from anything other than a wall charger or a computer that you know to be free of infection. Carry a backup battery to ensure you never have to charge your device from an untrusted source.

Almost all modern professionals have been there: your mobile phone or tablet is dead and the only place to charge it is a friend’s laptop, an internet-connected device, or a public computer. Unfortunately, that computer or device can become a route for a virus or other malicious software to infect your device.

For use in these situations, you can purchase a USB condom (a device that goes in between the USB cable and the port you are plugging into and prevents a connection between the data pins in the unknown port and the USB cable, allowing only the power pins to connect) or a charge-only USB cable (which does not contain the wires that are used for data transfer in the first place). Either option will enable you to safely connect your device to any USB port you come across.

Another option, which has the added advantage of being useful even if you can’t find a random port, is to purchase and carry a USB-enabled backup battery so you can always charge your device on the go. Although it has been shown to be possible, there have been no reports of backup batteries spreading malware. However, if charging from an unknown battery, you may want to use a USB condom or charge-only cable the way you would with an untrusted port to ensure that any software on the battery cannot affect your device.
