From blaming the obese and homebound for hacking, to anointing his 10-year-old son Barron a computer savant, to enjoying the electoral benefits of WikiLeaks’ campaign against Hillary Clinton, President-elect Donald Trump’s relationship to cybersecurity has been much like his political career: Often confusing, at times amusing, and for some, absolutely terrifying.
But if there’s one thing Trump's staff — whose boss's addiction to tweeting is legend — can do immediately to improve the security of our nation, it is this: Secure his phone.
Yesterday, the president-elect met President Obama at the White House. The two are now privy to the exact same top-secret daily intelligence briefing. But while Obama communicates with a device built and configured with safety standards approved by the NSA, Trump is still firing away tweets from his personal account, from a device that may be an iPhone, may be an Android, or may — according to reports — be whatever device is closest at hand. And it is hardly a stretch of the imagination that Trump may be sending texts, emails, or any other conceivable type of electronic communication from this or these devices.
That means anyone who can hack whatever device Trump is using may be able to glean highly classified details about America's national security.
"Mobile security is one of the most urgent and challenging questions facing the security of senior members of government," said one NSA agent, who asked to be quoted off-record as he wasn't authorized to speak to the press. He said that while the NSA had been involved in building a "simple smartphone" for Obama earlier this year, it didn't look like the type of phone you would get in a BestBuy.
"These are phones with severe limitations. You wouldn't use it the way you would use a normal phone — you can't, for instance, take photos on it," said the agent.
Which normal device Trump has been using up to this point is something of a mystery. His tweets have been posted from Twitter apps for both iPhone and Android. Last October, the New York Times reported he used a Samsung Galaxy. In February, during the standoff between the FBI and Apple over the San Bernardino shooter’s iPhone, Trump tweeted that he used both Apple and Samsung devices, but that he would switch to Samsung full time if Apple didn’t cooperate. In June, Bloomberg reported that Trump doesn’t keep a device on him. And a text analysis of Trump’s tweets in August by the data scientist David Robinson found that Trump tweets from an iPhone were likely written by his staff, while tweets from the Android were likely written by Trump himself.
“God forbid he messages or emails someone from that device."
If Trump is indeed using an Android device, he’s using a phone that the cybersecurity world broadly regards as significantly less secure than the iPhone or iPad.
“Securing Android devices is very difficult,” said Jeff Zacuto, mobile security evangelist at Check Point, a security firm. “It is a highly vulnerable operating system, and if you don’t have a solution on that device to detect an advance attack you might not know that its happening.”
The main reason Android is so much more vulnerable than Apple products, said Zacuto, is fragmentation: There are dozens of variants of Androids out there, each with its own unique vulnerabilities. Such a vulnerability could be exploited through malware, through an insecure Wi-Fi connection, or even through the phone's firmware.
In August, Check Point reported the so-called QuadRooter vulnerability, a flaw in the code supplied by Android chipset manufacturer Qualcomm. QuadRooter, which had the potential to give hackers root access — total control — over Android phones affected at least 1.4 billion phones. While the QuadRooter vulnerability has since been patched, it illustrated just how devastating an Android attack could be.
And that’s not to say there isn't another huge, undisclosed vulnerability out there being taken advantage of at this minute.
“God forbid he messages or emails someone from that device,” said Zacuto.
Oh, and given Trump's habit of grabbing whichever phone is closest to him, the security of the devices used by his staff will also be critically important.
"Phones are such a pervasive devices — it's not just Trump's phone," said Mike Murray, vice president of security and research at Lookout, a mobile security company. "Someone bringing a phone into a room where a sensitive conversation is being had is just as bad if that phone has been compromised and has surveillance on it."
President Obama used a BlackBerry until earlier this year when he was given a new, but heavily customized, state-of-the-art "smartphone."
"I get the thing, and they're all like, 'Well, Mr. President, for security reasons ... it doesn't take pictures, you can't text, the phone doesn't work ... you can't play your music on it,'" Obama said during a June interview with Jimmy Fallon. "Basically, it's like, does your 3-year-old have one of those play phones?"