Consumer technology and world leaders don’t typically mix all that well. The world’s most powerful men and women have a responsibility to national security and this means sacrificing small comforts, including the use of personal devices for official government purposes. The use of mobile phones by politicians has been a point of national security concern for decades, with Trump’s personal phone use being the most current. Trump’s aides reportedly warned him that his mobile calls are not secure and that Russian spies are routinely eavesdropping on the calls.
Governments are implementing a myriad of solutions to mitigate risk, from limiting communication to landline phones to issuing hardened devices. While these practices have done well to combat older forms of phone-related espionage, they largely do nothing to combat emerging threats targeting consumer-centric mobile devices. These devices are becoming the de facto tool for not just verbal communication but computing as well. In the current environment where politicians are using their personal devices, and email and social accounts, practicality has begun to trump (pun very much intended) security.
Leading by bad example
There have been a number of security blunders and examples of intentional misuse of communication tools in the White House.
John Kelly’s personal cell phone was compromised months before the White House’s tech support staff discovered the breach, raising concerns that hackers may have had access to Kelly’s data while he was secretary of Homeland Security.
Homeland Security Adviser Tom Bossert was fooled by a prankster pretending to be Jared Kushner in an email spear phishing attack. In his response, Bossert even offered the prankster his personal email address.
Personal email use has also become a concern in the White House with more senior officials, including Jared Kushner and Ivanka Trump, reportedly using their personal email accounts for government business.
To make matters worse, recent reports confirm unauthorized surveillance equipment has been detected within snooping distance of the White House and greater DC area. The Stingray devices (also known as IMSI-catchers) pose as cell towers to gather data from victims’ devices and eavesdrop on conversations. While hardened devices with extra encryption might be protected from this kind of interception, your average consumer device will not be.
Probably the most concerning is Trump giving out his personal device number to world leaders and using that unsecured device for sensitive, undocumented calls. According to officials, China is seeking to use what it is learning from the calls to keep a trade war with the United States from escalating further. Similarly, Russia is trying to influence American policy by cultivating an informal network of prominent businesspeople who can be sold on favorable ideas and then carry them to the White House.
Encryption and hardened devices
Over the years, many presidents have been required to use only landline telephones for communications. This is probably still the most secure form of phone communication: the call is transmitted via physical wires, so physical intervention is, in most cases, required to eavesdrop on a conversation, and additional encryption can be layered on top. Former presidents George W. Bush and Bill Clinton did not use email while in office, but in today’s world, limiting a president to only landline communication is simply not practical.
To combat this, Obama became the first president to receive a BlackBerry, before being upgraded to a heavily-modified smartphone, which he joked to Jimmy Fallon was like a toddler phone. The phone allowed him to email and take calls but not much else. Every communication on the device was considered official presidential communication and therefore subject to the Presidential Records Act. Obama reportedly handed over his phone every 30 days to be examined for hacking and other suspicious activity.
While some forms of smartphone communication can be encrypted in transit, such as calls, messages, and emails, most default encryption is weak and easily compromised. For this reason, many governments issue “hardened” devices. This means certain features on the device, such as Bluetooth transmitters, location sensors, and cameras, are physically removed or disabled.
According to Defense One, the US president receives a modified Android-based Boeing Black smartphone, an encrypted device certified to handle top secret data. DISA developed the phone in partnership with Boeing and others. Two of these devices were apparently issued to President Obama and Cyber Command leader Mike Rogers. There are mixed reports on whether or not Trump is using this specially modified device.
According to officials cited in this article, Trump uses two iPhones – one capable only of making calls, the other equipped only with the Twitter app and a number of news sites. But this doesn’t necessarily mean it’s secure. According to our Mobile Data Leak Report, the category that poses the most risk is news and sports, accounting for 28.9% of data leaks detected in our network at the time of research.
Consumer-centric mobile devices, such as Trump’s personal phone, introduce increased risk because they are inherently more vulnerable to hacking. Trump’s call-capable cell phone has the camera and microphone enabled, unlike the phones issued to Obama. While aides have urged the president to swap out the Twitter phone on a monthly basis, Trump has resisted, telling them it was “too inconvenient”.
Donald Trump’s personal phone – the risks outlined
Hardening of a device’s hardware comes with limitations. It’s often not possible to remove the USB port as this is used for charging. Removing the microphone would remove the ability to make phone calls, and making the camera unusable would render many applications worthless.
Other hardware items of concern that may be present on Trump’s personal phone:
- Wi-Fi connectivity
- Heart rate and activity monitors
Despite significant coverage of and concern about malware (spyware more specifically) infecting the phone, it’s important to note that the chance of getting malware onto a device and turning it into a spy gadget is low, especially on iPhones. The latest Android malware such as RedDrop is much riskier; this particular strain can drop a further seven APKs on the device, including spyware to silently exfiltrate data. While there might be targeted efforts coming from anyone from your average garage hacker to active criminal networks and well-funded intelligence agencies around the world, malware is unlikely to be the biggest threat to Trump’s personal phone, or his government-issued phone. The chance of human error is much more concerning. According to Wandera research, the average iPhone user is 18 times more likely to be phished than to encounter malware.
The real threat: human error
No amount of physical hardening can reduce the exposure to social engineering and phishing that might be targeting Trump’s personal phone. There is more at stake than just a few embarrassing, misdirected emails. The Verizon Data Breach Report states that 90% of breaches start with a phishing attack. Having a device with a similar form-factor to a personal phone can heighten the likelihood of successful phishing attacks.
Even when devices are hardened with extra encryption and limited to only use approved apps, users of hardened devices must be trained in techniques to identify and avoid social engineering. These days, hackers are easily bypassing endpoint defense and 2FA (two-factor authentication) by using social engineering. Additional network-based security is the only way to stop these attacks that might be targeting Trump’s personal phone.
But what about protection? Most people falsely assume that their mobile device and its applications have some sort of phishing protection built in, or that their email client is secure, but Wandera’s recent research revealed that 81% of mobile phishing attacks occur outside of email, with apps, messaging services, and websites being the most attractive targets. As political figures expand their communications outside of rallies and speaking events and engage increasingly on social media, phishing has found fertile waters in direct messaging. It’s scary to think that anyone with a Twitter account could send a phishing link directly to Trump’s personal phone, a phone which, reports have confirmed, he uses to conduct direct communication with other world leaders, including the likes of Kim Jong Un.
Phished credentials, or the President having his personal account information or credit card info stolen, aren’t the only items at risk here. As shown by comedian Stuttering John, it’s entirely possible to be routed directly to the president himself, simply by masquerading as a Senator and calling the White House switchboard.
Combine this lackadaisical approach to call screening with the Call Me Maybe exploit Wandera recently uncovered affecting the iOS suggested contacts feature, which allows scammers to spoof a fake caller ID (e.g. Maybe: John Kelly), and you have a recipe for disaster.
The President of the United States could unwittingly divulge highly classified information to a hostile foreign actor, thinking he’s on the phone with a trusted advisor. Trump has already unwittingly divulged highly classified information while sitting in the Oval Office with Russian Foreign Minister Sergei Lavrov and Ambassador Sergey Kislyak, so it’s not outside the realm of possibility.
Combating the real threat
While cyber espionage isn’t exactly a new problem, it’s become an expectation for politicians, CEOs, and other leaders to engage with people in real-time, which means using a smartphone and social media and creating new avenues of attack for hackers going after high-value targets.
As many companies and government institutions begin replicating desktop compliance and security policies on mobile devices, employees in highly-regulated industries (whether healthcare, financial services, legal, government, etc.) are now expected to make some sacrifices to their privacy and/or the functionality of their work device, in order to limit risk and exposure to mobile malware, phishing, data leaks, and more.
A network-level security solution allows threats to be stopped before they reach the device and is absolutely required to make mobile communication secure. Protecting customer, employee, or constituent data is a tremendous responsibility and one that deserves the highest level of scrutiny. The people need to demand more from their leaders, Trump et al.