Trump’s Personal iPhone Would Be a National Security Risk
Credit to Author: Lily Hay Newman| Date: Thu, 25 Oct 2018 15:58:46 +0000
It's no secret that President Donald Trump tweets at all hours, and calls friends and advisors late into the night. But a New York Times report indicates that, thanks in part to Trump's use of a personal iPhone, Chinese and Russian spies are listening in on his calls.
That other countries would want to spy on Trump should come as no surprise. The US certainly does its share of surveillance on world leaders. But Trump has developed a track record since entering the White House of using personal, under-secured mobile devices that make snooping on him that much easier.
The Times reports that Trump currently has three iPhones—an NSA-secured iPhone for calls, another secure iPhone that can't make calls but does have Twitter and other apps, and a personal, off-the-shelf iPhone, apparently with no added security, that he keeps handy because he can store his contacts on it. That last one is the main concern. But Trump also apparently still refuses to even swap out his official iPhones every 30 days, which would generally be required of such a high-profile government official, in order to purge any malware.
"The point appears to be that he is not listening to others' advice," says Will Strafach, an iOS security researcher and the president of Sudo Security Group. "The big question is whether this is due to not caring, or if it is because there are no immediately available better solutions."
A White House representative did not return a request from WIRED for comment, but Trump himself tweeted on Thursday morning that, "I only use Government Phones, and have only one seldom used government cell phone." Trump also wrote that the Times report "is so incorrect I do not have time here to correct it." He later found time to add, "I rarely use a cellphone, & when I do it’s government authorized. I like Hard Lines." Tweetdeck, which lets you view what platform a tweet originated from, shows that Trump sent both of Thursday morning's missives from an iPhone.
A combination of mobile network flaws and insecure telephony protocols makes establishing truly secure calls difficult under any circumstance. And as with end-to-end encrypted messaging apps, both the caller and receiver need to use the same secure platform or infrastructure to keep a call secure. But the government uses an array of precautions that help protect calls that Trump makes through the White House switchboard. By flouting best practices and holding on to unmodified personal devices, Trump unduly exposes himself.
If Russia and China really are surveilling Trump's mobile calls, one possibility would be that they're doing it by manipulating an insecure mobile telephony protocol known as SS7. These types of attacks have become an increasing concern around the world; in May, the Department of Homeland Security admitted that hackers may be actively exploiting SS7 against US cellphone users.
But Karsten Nohl, chief scientist at the German firm Security Research Labs, who researches cell network attacks, says the Times report may indicate that surveillance of Trump's mobile calls go even further. It "suggests a compromise of the telephone company infrastructure on a deeper level than just sending SS7 requests," Nohl says. He likens it to an incident when unknown parties compromised switches on the Vodafone Greece network without the carrier's knowledge, and used that access to tap the mobile calls of Greek government officials and other prominent citizens.
A foreign government having comparable access in the United States would be problematic, but unsurprising, given the cat and mouse game of international espionage. Needless to say, making calls on a stock iPhone greatly increases Trump's vulnerability to that sort of operation.
"The point appears to be that he is not listening to others' advice."
Will Strafach, Sudo Security Group
In addition to concerns about calling, keeping a personal iPhone around and failing to regularly swap out government phones creates the possibility that malware could lurk on Trump's devices for months. iOS does have an earned reputation for relatively strong security, and faces fewer threats from rogue apps and malware than Android. But vulnerabilities and threats definitely do exist. It's also possible that Trump is not fastidious about updating his personal iPhone to the latest version of iOS, in which case he'd miss out on patches for known bugs that hackers could exploit.
Since Trump doesn't use email, he's automatically protected from many of the most dangerous phishing threats. But Strafach says that malware could realistically sneak onto one of Trump's mobile devices with the click of a malicious link on Twitter or another app. "If he is sent a link that he clicks on which hosts a zero-day chain…that is absolutely a way the phone could become infected," Strafach says. "These are not terribly uncommon, although they are usually not made public for iOS too often. I am hoping that any replies sent to him are being scanned for this sort of thing, but it is technically possible."
Though Trump denies that he uses regular mobile calling enough for it to be a problem, a variety of reports now have painted a different picture. And other members of the administration have made concerning mobile security mistakes as well. China and Russia and any number of other nations would understandably try to listen in on Trump's calls, but by being so dismissive of protocol, Trump makes it far too easy to turn many of his phone conversations into a party line.
If there's one thing to be grateful for, though, it's that Trump at least seems to have gotten rid of his personal Android phone.