Trump’s unsecure Android phone highlights common security dilemma

If President Donald Trump is still using his personal, unsecured Android smartphone, as reported, he is surely creating bucketsful of worry for White House communications security staff.

As CIOs and Chief Information Security Officers already know, any organization can install strong security technology into a network or a smartphone, only to be defeated if end users don't use it or follow safe cyber practices.

"The most vulnerable parts of communications are the people, and if they aren't taking precautions, problems exist," said Chris Perry, chief operating officer for Secured Communications, a provider of encrypted VPNs for mobile devices used by governments and companies.

"There is a White House communications group that does nothing but communications technology solutions for the president and his staff," Perry said Friday. "But the weakest link in any communication is the end user. You can have all kinds of end-to-end encryption, but in the end, if you aren't using that piece of equipment and related tools, you are very vulnerable. That's true in any environment, in government or the private sector."

White House officials didn't respond when asked repeatedly about Trump's reported use of his Android phone for tweets after he'd been in the White House for several days. The U.S. Secret Service referred questions on the matter to the White House.

Trump didn't turn over his Android phone when given a secure device just before his inauguration, according to the The New York Times.

Reports have indicated Trump is using an older Galaxy S3 or S4, which is "asking for a disaster," Nicholas Weaver, a computer security researcher at the Computer Science Institute, said in a blog post. "President Trump's continued use of a dangerously insecure, out-of-date Android device should cause real panic. A Galaxy S3 does not meet the security requirements of the average teenager, let alone the purported leader of the free world."

Weaver said if Trump were enticed to click on a link to a cyber exploit with his phone, the phone could become a bug that could record everything in audio or video around it and then transmit that information to an attacker. "Even a brand new, fully updated Android or iPhone is insufficient: The President of the United States is worth a great many multiples of expensive zero-day exploits."

Hackers could also learn where the phone is through GPS, which could also be an indication of where the president is located, said Jack Gold, a mobile security analyst at J. Gold Associates.

If a nation-state really wanted to attack Trump's phone or another device, it could rely on a brute force attack performed by supercomputers to break encryption on his password to gain access to files, applications and other material, Gold added.

"The working assumption should be that Trump's phone is compromised by at least one — probably multiple — hostile foreign intelligence services and is actively being exploited," Weaver added in his blog.

Some analysts have said that if Trump is merely using the Android device to send out tweets, he might not have created an internal security problem. But even then, it isn't clear that he, or someone else, has set up his Twitter account in secure ways to prevent someone from spoofing his @realDonaldTrump or @POTUS accounts and sending out false statements.

"We don't even know if the tweets are really from him," Gold said in an interview. "It's not an overblown concern, because if someone tweets 'I'm about to attack Russia' on his account, that could cause a war or a financial panic. That's why this is such a major issue. The implications are catastrophic."

The president's official account, @POTUS, already has revealed sensitive information that hackers might be able to exploit.

A hacker who uses the name WauchulaGhost found that @POTUS was secured to a Gmail address that could be guessed as belonging to a Trump aide in charge of social media. WauchulaGhost urged several White House officials in a tweet to change their emails and fix their security settings to stop a hacker from conducting a simple password reset on an account to figure out an email and try to compromise it.

Last year, Hillary Clinton's campaign chairman, John Podesta, was hacked by suspected Russian cyberspies through a spearphishing attack sent to his Gmail address. Later, his emails were stolen and then leaked publicly.

Security experts suggested that Twitter users can prevent exposure of their email addresses over Twitter by going to their account's security settings and clicking, "Require personal information to reset my password," which forces anyone trying to reset the password to enter the correct email address or phone number to continue.

Also, Twitter users can set up an option in security setting and checking "verify login requests," which secures the account with two-factor authentication. The user would then need to enter both a password and one-time code sent to a mobile phone or generated by an authenticator app.

It isn't clear whether Trump's Twitter accounts have any such protections.

"It's troubling to me to not know how well Trump is being protected or how protective he is of his profile or his whole electronic persona," Gold said in an interview.

"Trump's going to do what he is going to do," he added. "This is a man who has said he knows cyber better than anyone. I'm not sure he's an expert. I'm sure people are advising him. I'm sure they are whispering in his ear. The problem is if he's listening."