All that talk during the election about then-Secretary of State Hillary Clinton’s use of a private email server, and yet the President of the United States is using a private smartphone. Donald Trump refuses to give up his old, insecure Samsung Galaxy S3, which uses the Android 4.4 operating system. What else is Trump using the phone for besides Twitter?
Early last week the hacking group Anonymous declared war on Trump. On Friday, they attached a screenshot in a tweet explaining how Trump’s phone is vulnerable to hacking with software called Stagefright since the phone uses the out-of-date Android 4.4 OS:
A Galaxy S3 does not meet the security requirements of the average teenager, let alone the purported leader of the free world. The best available Android OS on this phone (4.4) is woefully out-of-date and unsupported. The S4, running 5.0.1, is only marginally better. Without exaggerating, hacking a Galaxy S3 or S4 is the type of project I would assign as homework for my advanced undergraduate classes. It’d be as simple as downloading a suitable exploit—depending on the version, Stagefright will do—and then enticing Trump to click on a link. Alternatively, one could advertise malware on Breitbart and just wait for Trump to visit.
Rishabh Jain of International Business Times explains how Stagefright works:
On phones running Android versions older than Android 5.0.1, background components, such as those used to play multimedia files, are implemented in the native C++ code instead of more secure languages such as Java. This leads to remote code execution vulnerabilities, which can be exploited using various hacking methods, one of which is Stagefright.
To run Stagefright, the hacker simply needs to know the person’s phone number, using which he could send a special MMS to the device containing a .MP4 file. Once the MMS containing the .MP4 is downloaded, the hacker will be able to execute malicious code on the person’s smartphone and compromise sensitive data.
Since MMS files are automatically downloaded when an Android device is connected to the internet, this means the vulnerability doesn’t require any action on the part of the user to execute itself. The hacker will be able to send the MMS and delete it while the device is on standby mode.
Simply put, Trump’s phone could be hacked while he sleeps.
The screenshot in the Anonymous tweet is a paragraph from Lawfare. Further in the referenced blog post:
Based on the available information, the working assumption should be that Trump’s phone is compromised by at least one—probably multiple—hostile foreign intelligence services and is actively being exploited. This would be exponentially more dangerous if he were carrying this phone into especially secure places. Security experts were rightly aghast to learn that Secretary Clinton kept her BlackBerry in her secure office in the State Department. This is far worse.
So what can be done?
First, anyone around the President should presume they are being actively recorded by hostile powers, regardless of location, unless they are positive the phone is out of the room. One wonders how many secrets have already been lost through that abominable device as Trump and his team get up to speed on our most closely held national security matters.
Second, the NSA is going to need to compromise here. The campaign demonstrated that it will not be possible to pull the president away from his Twitter account and he will insist on a mobile device. Despite the dangerous security practice—and the substantively destabilizing effects of his tweets—if the President demands this then NSA will need to accommodate it.
The technical engineering will involve taking a locked-down Android phone and installing a customized Twitter client preconfigured for the President. It will need to tweet, but the web browser must be restricted so that Trump cannot click on links. If necessary the client should take any link that is “clicked” and instead redirect the request to a separate system which downloads the web page, renders it, and outputs it to a printer. Under no circumstances may the President’s device be able to visit web pages.
Even this is insufficient. The President is an incredibly high-value target, so high that his personal device cannot be trusted to take input from even the restricted Internet of Twitter. The phone itself needs to know where it is and, when it enters a dangerous area, start emitting a warning noise. Otherwise, it will almost certainly wind up in the Situation Room, with potentially disastrous results.
Does President Trump know his phone may expose himself, and thereby the entire nation, to cyber security threats?
Does he care?