Burner phones: are they the right choice?
Find out if burner phones are sufficient to protect your organization's security abroad.
Good mobile device security and user training are essential wherever your users work in the world, but organizations should always consider tightening security controls when users travel to “high-risk” countries. A number of these countries aren't strongly regulated, and the rules and laws governing what can be done to devices entering the country in the name of "law enforcement" or "domestic security" are, at best, "morally gray."
More and more we hear and see stories of users getting attacked by nation states or malicious actors using a variety of different tools and techniques. If users are travelling to a country where there is a heightened risk of espionage, a burner phone — one that's erased and disposed of after one use — could be the right choice, but only if your organization takes the right steps to protect the device and the user experience.
In your home locations, users are likely using a VPN (virtual private network) to secure access to systems and servers, and devices should be set up so they are encrypted at rest. When travelling to high-risk countries, these measures alone may not guarantee security.
Defensive tooling on laptop devices is a very mature space, with strong endpoint detection and remediation capabilities in place. Most organizations already have substantial security and high visibility into these endpoints. A recent Verizon study showed that 46% of respondents agree that mobile devices have gone from a nice-to-have to a critical business tool, so it's becoming more imperative than ever that we treat these in a similar way to laptops, especially when users are on the move or working remotely.
Mobile Threat Defense (MTD) is a commodity that we see deployed across an ever-growing number of organizations. It provides great general coverage for mobile devices. But we also occasionally see organizations weighing the risk/reward for users traveling abroad with their day-to-day mobile device, and they change their approach. Would an organization want to risk the high-end device, bought for an executive or other traveler, becoming compromised? And in the event of a compromise, costs don't just include the purchase price of a new device — the value of the information the device holds has likely never been higher. The same Verizon survey suggested 50% of respondents believe mobile devices have greater access to sensitive information than a year ago. Devices often have access to company emails, documents and cloud-based apps, providing an attacker a pathway to patented or other sensitive materials. A burner phone might seem like the obvious answer.
Issues with burner phones
Think about it: the day-to-day device, with all the sensitive information and system access, stays safe at home. An inexpensive device with restricted access can be provided for a trip and then be disposed of when the user returns. But this throws up a whole host of other issues.
Reduced productivity and poor user experience
The first is an obvious one. There is a reason that organizations buy high-end smartphones: it is to provide staff with a great user experience while enabling them to be productive working from anywhere. By removing this phone, organizations greatly reduce what that person might be able to achieve when they are working remotely, possibly leading to frustration and perhaps the risk that users attempt to access, or worse still succeed in accessing, corporate systems from untrusted devices or untrusted networks somewhere else in the world.
This also raises another question: do users have a personal device as well as a work device? If so, does your organization have controls that stop them accessing work apps and services from that device? This could be a much softer target for an attack. Even if no work apps or services exist or are accessible on the device, a compromised device could give an attacker location data and the ability to record video and audio, as it's likely the user is carrying it with them all the time.
A riskier device choice
The next is a more practical consideration — what type of burner do organizations purchase? IT teams worldwide probably have lots of old devices hiding in drawers, or perhaps an entry-level smartphone would cover requirements? However, in the case of an older phone, this is almost certainly going to have known exploitable vulnerabilities, and it's unlikely it's even able to run the latest version of the operating system (OS) or the most recent security patches. This means a user could be traveling with a device that's even more of a risk and a far softer target than the device they left behind.
Entry-level devices are also not likely to come running the latest version of the OS, so there is a consideration there around the time it will take to update — but it's likely to be possible and closes at least one gap. For both device options: did your organization take the time or remember to put MDM controls and mobile security in place before the user traveled? Often, we speak to organizations where these steps aren't taken, as the phone will just "be thrown away/factory reset afterwards." Generally speaking, a burner phone used more than once is not a burner phone — hard-coded device identifiers may already be recorded by malicious actors and can be used to identify the same device in the future.
Locating users and devices is simple in 2025
Another tactic that we see is that users will not just travel with a burner phone, but also a burner SIM — however, device triangulation could be possible in a couple of ways:
- If users sign into their Apple ID on a device, it may be possible to locate them using Find My or similar features, if attackers have gained access to the users' accounts.
- By physically following a user and keeping track of nearby Temporary Mobile Subscriber Identities (TMSI) on a cellular network, attackers (with the right levels of access) can potentially triangulate and isolate the device to learn the mobile number.
If triangulation can be achieved, and through this, a mobile number revealed, it could open a user up to more sophisticated attacks, like this one from 2023, where an Egyptian MP was targeted with an attack on his mobile. What made it interesting was that the report concluded it was highly likely to be a government-level attack, due to the access the attackers had to the cellular network of Vodafone in Egypt. All of this was possible because the attacker had the MP's mobile number.
Attacks still happen, they are just harder to detect
How is a successful trip measured? A burner phone was taken abroad, and once the user completed their trip, IT have factory reset the device and then perhaps destroyed it. Is that success? How would your organization know if your users were a target? Worse still, how would you know if an attacker had been successful in exfiltrating data from the device? What would you do if you feared you had been subjected to an attack or noticed odd behavior on the device while still abroad? Perhaps the battery was draining quickly, the device kept heating up or apps kept crashing. What are your next steps to identify any threat?
A manual investigation will take a lot of time and effort and can be very privacy invasive from a user's perspective. But if you never know that your users are a target, how would you know to take additional remediation steps for future travel?
Environmental impact
In a world of finite resources and organizations carefully watching their environmental impact, as well as taking steps to mitigate it, the act of buying and then destroying or permanently storing a device after it has traveled abroad is one an organization should be keen to avoid. The financial impact is potentially compounded by the actual cost of buying a device and then paying to ensure it is destroyed properly by a trusted third party.
Final thoughts
If users are travelling to countries that are high-risk, it's worth considering whether strengthened security on their regular device vs a burner phone is the right option. If a burner phone is the right choice, ensure it's:
- Fully up to date with its OS and security patches
- Enrolled into MDM and your security software
- Using a VPN to ensure traffic is encrypted
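The checklist above, together with the earlier point that a reused burner can be recognized by its hard-coded identifiers, can be turned into a pre-travel gate over device inventory. This is an added example, not Jamf code: the field names, the minimum OS version and the IMEIs are constructed assumptions, and a real check would read these values from your MDM inventory export.

```python
from dataclasses import dataclass

MIN_OS = (18, 3, 0)  # assumed policy minimum; set to your current patched release

@dataclass
class Device:
    imei: str            # hardware identifier, survives a factory reset
    os_version: str
    mdm_enrolled: bool
    security_app: bool   # MTD / security software installed
    vpn_profile: bool

def parse_version(text):
    """Turn '18.3' into (18, 3, 0) so versions compare numerically."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def travel_findings(dev, prior_trip_imeis, min_os=MIN_OS):
    """Return reasons the device should not travel; an empty list means ready."""
    findings = []
    if parse_version(dev.os_version) < min_os:
        findings.append("os_out_of_date")
    if not dev.mdm_enrolled:
        findings.append("not_mdm_enrolled")
    if not dev.security_app:
        findings.append("no_security_software")
    if not dev.vpn_profile:
        findings.append("no_vpn_profile")
    # A factory reset does not change the IMEI, so a reused burner is linkable.
    if dev.imei in prior_trip_imeis:
        findings.append("imei_used_on_prior_trip")
    return findings

# Constructed sample inventory (all values invented for illustration).
PRIOR_TRIP_IMEIS = {"000000000000002", "000000000000003"}
FLEET = [
    Device("000000000000001", "18.3.1", True, True, True),   # new, fully prepared
    Device("000000000000002", "15.8", False, False, False),  # old phone from a drawer
    Device("000000000000003", "18.3", True, True, True),     # patched but reused
]

if __name__ == "__main__":
    for dev in FLEET:
        issues = travel_findings(dev, PRIOR_TRIP_IMEIS)
        print(dev.imei, "READY" if not issues else ", ".join(issues))
```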
Also think about whether a burner phone will offer the right experience, or whether it might push users to circumvent some of the protections in place, perhaps by using their personal device, which will increase organizational risk regardless.
At Jamf our devices are enrolled into Jamf MDM, helping ensure devices are correctly patched and running the latest versions of the OS, and in order to access internal services, devices are gated behind our identity provider — where users are strongly encouraged to use biometric auth rather than traditional passwords. On top of that, the devices need to have Jamf Trust installed, which provides both device protection (MTD) and Zero Trust Network Access (ZTNA) elements, ensuring only managed, secure and compliant devices can access company resources. We can then leverage Jamf Executive Threat Protection (read more below) to forensically scan devices both periodically using the mobile app and after users travel, to ensure no traces of spyware or attack are present, rather than providing users with burner devices.
Best practices when traveling
Good practice from users on their devices will also go a long way to help keep your organization safe, but some other important points to consider could be:
- As much as possible, encourage users to avoid joining unknown networks — use a VPN to encrypt traffic.
- Insist users bring and use their own cables and charger — do not use any others.
- Users should never plug their device into untrusted computers or devices.
- Encourage users to travel with electronics in hand luggage, so it never leaves their sight.
- Consider whether MDM or other OS-level controls could be used before users travel — e.g. USB connectivity restrictions, Lockdown Mode, disable Bluetooth and other connectivity options, disable Location services, automatic screen timeouts.
- Provide enhanced training for users who travel — extra vigilance in public spaces, more caution with unknown or unsolicited links/messages.
- Consider setting up a hotline for users who travel in case of suspicious behavior/emergencies.
Conclusion
Don't forget that while MTD tools available today provide broad coverage, they are not designed to, and are highly unlikely to be able to, spot complex nation state or spyware attacks on a device. If your organization has gone to lengths to provide a burner device or secure a regular device, you believe your users are a likely target for these types of sophisticated attacks. Therefore, at a minimum, after the user travels a forensic analysis of the device should be conducted. Not understanding the state in which the device has returned to its home country leaves organizations entirely in the dark as to whether they have been attacked or even compromised.
If your organization wants to better understand the security landscape, we have our own blog covering security research on both mobile and laptops offering insight into the latest threats and techniques users might be subjected to. Perhaps your organization is looking for another way to manage this risk or understand if devices have been targeted; there are freely available tools such as Mobile Verification Toolkit from Amnesty International.
If your organization is already familiar with open-source tools (and even if you are not), but you were looking to simplify or scale your approach to mobile device forensics, then have a read about our Jamf Executive Threat Protection solution and talk to us about how we might help you. Jamf Executive Threat Protection uses proprietary behavioral techniques, based on the work of our mobile research team, to identify spyware and sophisticated attacks on mobile devices. It is used by governments and enterprise customers globally to protect and provide visibility for their most sensitive users.
Ultimately, using burner phones is based on your organization's assessment of risk. Regardless of whether you implement tools to improve security and visibility on your day-to-day devices, or you choose to stick with using burner devices, you should ensure users always follow best practices, especially when abroad. And if you believe your users are a target for attackers, you should perform validation on any phone that travels to and from a location you consider risky, to determine if it was attacked or compromised.