A renowned U.S. security researcher has raised concerns about the chilling effect on their work after being detained at a U.S. airport, having their phone searched, and being summoned to testify to a grand jury. The researcher, Sam Curry, a security engineer at Yuga Labs, recounted the incident on X. He claimed that he was questioned by agents from the Internal Revenue Service’s Criminal Investigation (IRS-CI) unit and the Department of Homeland Security at Dulles International Airport in Washington DC, regarding a high-profile phishing campaign.
Key Takeaway
A security researcher’s detention and phone search at a U.S. airport, followed by being summoned to testify in a grand jury, highlights concerns about the potential chilling effect on security research. The incident raises questions about the authorities’ approach to engaging with the research community and the impact it may have on future collaboration.
The Detention and Subsequent Investigation
According to Curry, he was taken into secondary inspection upon his return from Japan. The agents searched his unlocked phone and served him with a grand jury subpoena to testify in New York. The subpoena was related to an investigation into wire fraud and money laundering. However, Curry later learned that the investigation was dropped after prosecutors realized he had been investigating the theft of cryptocurrency, not taking part in the crime.
Curry explained that he had discovered a phishing website that had stolen millions of dollars' worth of crypto. In December 2022, he found that the scammers had inadvertently exposed their Ethereum private key in the source code of the website. Curry imported the key to his own crypto wallet to check if any assets were left, but they had already been taken.
Curry emphasized that he was not attempting to conceal his identity and was investigating the incident in his role as a security researcher. He accused the federal agents of using his arrival in the U.S. as an excuse to search his device and summon him to a grand jury instead of simply contacting him by email.
The Concerns and Impact on Research
The incident has raised concerns within the security research community. Curry is known for his work in discovering vulnerabilities in various systems, including airline rewards programs and connected vehicles. He questioned the approach taken by the authorities, stating that a brief review of his background and the nature of his work would have cleared up any misunderstandings.
Despite the resolution of the legal demand, Curry said he felt uneasy when his phone was returned to him after the search. U.S. authorities have the power to search a person’s phone at the border without a warrant, including for American citizens, although compliance is not mandatory. Only U.S. citizens cannot be denied entry for refusing to comply, though their devices can be seized indefinitely.
The Impact on Security Research
This incident has the potential to weaken the trust built between U.S. authorities and the security research community. In recent years, efforts have been made to improve the relationship and recognize the important role of security researchers. However, situations like this may deter researchers from engaging in defense and remediation work if they fear legal consequences.