Presented by FedTech
Security experts have warned that using a commercial smartphone without extra protections could entail major cybersecurity risks.
At the urging of security agencies, President Trump has reportedly given up his old Android smartphone in favor of a more secure mobile device, according to multiple reports. However, subsequent reports indicated that Trump is still using the old phone to access Twitter.
The New York Times and Associated Press had each reported, citing unnamed sources close to the president, that he traded in his smartphone last week. Security experts had warned that continued use of a commercial smartphone without added security measures would pose a grave threat and potentially compromise national security.
The AP reported that on Jan. 19, a day before he was sworn in to office, Trump “told a friend that he had given up his phone, as security agencies had urged him to do.”
According to the AP: “It was unclear whether he was following the lead of President Barack Obama, the nation's first cellphone-toting president, who exchanged his personal device for a Blackberry heavily modified for security purposes.”
Meanwhile, the Times reported that, according to unnamed sources close to the transition, Trump “traded in his Android phone for a secure, encrypted device approved by the Secret Service with a new number that few people possess.”
However, subsequent to that report, the Times reported that Trump is still using the old, unsecured Android phone, "to the protests of some of his aides." The White House did not respond to a request for comment, according to the Times.
The Need for an Encrypted Phone
Trump is widely known to be a prolific Twitter user and, according to the AP, foreign leaders, U.S. politicians and reporters had his old phone number and could easily reach him on it. Trump has made clear he will continue to use Twitter regularly while serving as president.
According to the Times' Jan. 19 report, “the official rationale” for the smartphone switch was security. “But some of Mr. Trump’s new aides, who have often been blindsided when a reporter, outside adviser or officeseeker dialed the president-elect directly, expressed relief,” the report notes. “Several of them, however, expect the new president to satisfy his compulsion for continuous communication by calling outsiders and by tramping from office to office in search of gossip and sounding boards.”
Security experts warned that he needed a more secure personal device. As Recode notes, there are multiple reasons to worry about the security of the president’s smartphone. For one, the president’s tweets have had the effect of shifting the stock market.
“If someone were to read what he was preparing to tweet by breaking into his smartphone and using keylogging software, even with just a 30-second head start, it could make some people very rich and potentially cause serious damage to the national economy,” Recode observes.
Moreover, Recode adds, “there’s the matter of the president’s physical safety, as well as the risk of classified information being compromised and of someone trying to hack the phone to get the president’s account credentials.”
“First, there is the obvious risk of unencrypted calls, mobile messaging and web browsing being intercepted and logged by hostile actors at the carrier level. Next, there could easily be censorship and monitoring capabilities in place on local Wi-Fi networks,” Elad Yoran, executive chairman of mobile voice and messaging encryption firm KoolSpan, told FedScoop. “[The fact is that] there are corresponding defensive technologies and steps to mitigate all of these stages.”
Security experts agree that there are several measures the president and his team should take. Matthew Green, a cryptographer and professor of computer science at Johns Hopkins University, told Recode that the president’s phone should not be connected to the internet, because every connected device is potentially vulnerable to attack.
Tom Lowenthal, a digital security technologist at the Committee to Protect Journalists, told Recode that if Trump or his aides insist on using commercial-grade phones, they should never be taken into high-level meetings, because there are known hacks and malware that can power on and access smartphones’ microphones.
“During the Obama administration, there were boxes outside the rooms in the Old Executive Office Building where cell phones could be stored when even the most basic national security matters might be discussed,” Recode notes. “Cell phones were kept out of White House meetings when matters of national security were being discussed.”
The phone should also not be connected to classified data networks, including email servers and document-sharing platforms, and should not have GPS activated, Green warned.
Writing on the website Fifth Domain, Anupam Joshi, a professor and chair of the computer science and electrical engineering department at the University of Maryland, Baltimore County, laid out several steps that could be taken to secure Trump's smartphone. They include keeping information about unique identifiers like the phone's International Mobile Equipment Identity number a secret, ensuring the device was made by a trusted manufacturer, using trusted components, and adding a specialized computer known as a “Trusted Platform Module” for extra encryption. Joshi notes that this hardware element "is required by the Defense Department in all new devices handling military information." The phone also might be configured to connect only with certain predetermined phone and data networks that are regularly screened against intrusions, and restricted to using "few and limited" apps that are verified in advance.
“The absolutely minimum Trump could do to protect our nation is to use a secure device to protect him from foreign spies and other threats,” Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, told the Times. “It would be irresponsible in the extreme for the commander in chief to use an unsecure device that could be easily hacked or intercepted.”
Following in Obama’s Footsteps
It’s unclear what security controls are in place on the new smartphone in Trump’s possession, or whether it will allow him to tweet. If the past is any prediction, there will be many restrictions placed on which apps are on the phone.
As The Verge notes, after former President Obama was elected in 2008 “he publicly lobbied to keep his BlackBerry in the White House, contrary to the advice of lawyers and the Secret Service.” Obama had been an avid user of his BlackBerry on the campaign trail.
Richard George, who spent 41 years at the National Security Agency before retiring in 2011 and for his last eight years was the technical director of the NSA’s Information Assurance Directorate, led a team at the agency to create a restricted version of the BlackBerry smartphone for Obama.
George, who is now a senior adviser for cybersecurity at the Johns Hopkins Applied Physics Lab, said in an interview last month with National Journal that he had a core team of about a dozen who worked on Obama’s phone, with up to 50 more who were involved with the project. After reconfiguring the BlackBerry’s algorithms and engineering, Obama got a new phone that could make and receive calls from only a handful of close friends — all of whom first had to be briefed by the White House counsel’s office and have their devices examined, the report notes. The phone could not open any attachments or send tweets.
Technology has changed significantly since 2008, and BlackBerry phones are no longer quite as popular. (Last September BlackBerry announced it would stop producing its own phone hardware.) In Obama’s last year in office, the NSA gave him a new smartphone, but it was severely restricted.
“I get the thing, and they’re all like, ‘Well, Mr. President, for security reasons ... it doesn’t take pictures, you can't text, the phone doesn't work, ... you can't play your music on it,’” Obama said during an appearance on The Tonight Show in June 2016. “Basically, it’s like, does your 3-year-old have one of those play phones?”
George told National Journal he was watching The Tonight Show that night and laughed along with Obama. “I thought his characterization was right on. In fact, I laughed with my wife and told her, ‘Boy, did he get that right.’”
The limitations are necessary to protect national security, George adds. “We are all targets,” he told National Journal. “But he has got a much bigger bull’s-eye on his back than I do or anybody else.”
Hackers would try to conduct spear-phishing attacks against the president by sending links that appear to be legitimate. “If someone can get into the Secretary of Defense system and send a message to the president with a ‘You need to read this’ link, the chances are much better that he is going to click on that than if it comes from some person he’s never heard of,” George said.
This article was updated on Jan. 26 to include additional information.
This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.