Earlier this week, Politico broke the news that President Donald Trump refuses to give up using off-the-shelf mobile phones, the imposition of better security being considered “too inconvenient.” While it would be difficult to hack these phones, it can be done, and there are few targets of a higher priority to potential hackers than the president of the United States.
According to the Politico report, Trump uses two phones: one that allows access only to Twitter and a small number of news outlets, and one for making phone calls. Both phones are periodically inspected and replaced, although the exact length of time that Trump keeps each phone is unclear. Politico reports that the president has gone as long as five months without having one of the phones reviewed by security personnel. In comparison, President Barack Obama’s secured mobile devices were inspected every 30 days.
Trump’s use of these phones, on this schedule, does keep things convenient for the president, but also carries significant security risks. Despite efforts by White House security staff to prevent or detect compromises, the phones could still be hacked. Fear of the political fallout if efforts are detected might deter attackers more than anything that could be done to secure the phones themselves, but not every attacker worries so much about that as to forgo possible direct access to the communications of the president of the United States.
Of the two devices, Trump’s Twitter-and-news phone is the easier to target. It is not clear if the pre-loaded news outlets are accessed through apps or bookmarked sites, but it doesn’t really matter which is the case. The goal for an attacker would likely be to get Trump to open a specific page in a browser that could deliver an exploit. If the president had already opened his browser, that makes things a little easier, but Twitter and news apps have in-app browsers and content that is only viewable on them. These links could be made to look like a trusted site, or even be on a news outlet favored by Trump that had itself been hacked.
All apps for iOS that browse the web must use Safari libraries, and Safari offers a substantial attack surface. The bigger challenge for an attacker is creating a link that Trump can’t resist clicking on. Preventing people clicking on risky links has been an uphill struggle for the IT security community for years, and Trump does not appear to be the kind of person to critically consider each thing he looks at, so this also may not be that difficult.
The actual hard part is hacking just Trump. If the link were in a news outlet, or tweeted publically at Trump so prominently that he would notice it, many more people would also see and click on it, and then be infected as well. One can reduce the number of inadvertent victims by restricting infections only to people in a certain geographical area or by other general criteria, but even so, an attacker will still be owning a lot more people than just the president.
This is noisy. It makes detection more likely and requires being able to pick out the president among the many victims. This can be done, but requires time and resources to do so, and in that time an attack could be detected by any of the victims.
An easier option would be to send Trump a direct message. This only works if Trump, or other people managing Trump’s phones, did not disable DMs, although a man who loves Twitter and disregards security obstacles as much as Trump may not have done so.
Assuming DMs work, the biggest obstacle to this approach is first compromising someone able to message Trump, as DMs can typically only be sent by someone that the recipient is following. Fortunately for an attacker, some of the 46 people currently followed by @realDonaldTrump are significantly softer targets than the president himself. It is far easier to hack media personalities and Trump supporters than the president of the United States, even this one.
There is still the risk that one of the staffers who sometimes tweet on Trump’s behalf might click on the link instead of him, but they are also attractive espionage targets themselves and could be used for further attacks on other White House resources, or even other Trump accounts. They could also be used in the first steps of an effort to socially engineer Trump himself to click on a link from a phone, or from an even more valuable computer.
In many ways, Trump’s trusted staffers are easier targets. Not only are they easier to hack, they are easier to reach in the real world. If such a staffer were so unlucky as to have a phone stolen while on an official trip or to even lose a record of their password, so much the better for an attacker.
Hacking the call-only phone requires better quality exploits than hacking a mobile browser, but it is quite doable. Such an attack would require knowing Trump’s phone number, but a motivated espionage program should have that. A phone that makes and receives calls could also receive SMS, and there is already public research on different ways for attacker to get control of a smartphone by sending an SMS, including one that does not appear in the phone’s inbox. World-class espionage programs certainly have this capability, and even second-tier nations can likely buy it. Such exploits are rare and expensive, but a target like the president of the United States is worth it.
Once an attacker is in the phone, they must then find a way to exfiltrate the stolen data. This is easier on the Twitter phone, as clicking on legitimate links and loading content creates enough traffic in which to hide illicit communication. On the phone-calls phone, this is a little harder. The president’s phones should have some serious network monitoring, meaning that any suspicious traffic would be identified as such, and without much data leaving that phone, the stolen information would stand out. Still, a sophisticated attacker could possibly evade this, particularly given the months-long periods between submitting phones for detailed inspection.
Hacking Trump’s phones would be expensive, and risky, but for many countries, it would be worth it. Even with the GPS turned off, an attacker could triangulate Trump’s location from when it connects to Wi-Fi or mobile towers, and therefore guess at his activities. The cameras and microphones are still on the phones—seeing what Trump looks at and listening to his conversations would have tremendous intelligence value. The call-only phone would allow an attacker to listen to the president’s calls, something that would always interest an intelligence program, but which is even more valuable with a president who is so often unclear about his intentions and frequently changes his mind. Even just knowing with whom Trump communicates, and how often, would be very interesting to most countries and would provide an attacker a new list of high-priority targets for future attacks.
All of this assumes that these phones are “on lockdown,” but the Politico report doesn’t make it clear exactly what that means. Does Trump connect to the White House network with these phones? What about Mar-a-Largo, where security is laxer? What about mobile services in other countries? Even with limited usability, there are different ways for an attacker to expand their access, or to find a way in. It is hard to say without further information, but theoretically attacks could go much further than described here.
Trump is not the first person to forgo security in favor of convenience. Hillary Clinton famously did so when she used a private server to send emails (something for which Trump wanted to “lock her up,”) as do quite a few less famous people every day. In many cases, this trade-off makes sense, as the absolute risk is low. In the case of the president of the United States, the risk is high. Obama called using a secure phone “no fun,” but he still used it. Trump could too. Unfortunately for this president, fun is apparently more important than protecting his own secrets, and the nation’s.