Impeachment Hearings Highlight More Trump Phone OPSEC Failures
from the ill-communication dept
Plenty has been made of the President’s unwillingness to adhere to anything close to reasonable security when using his mobile phones. Whereas the Defense Information Systems Agency (DISA) and the National Security Agency usually work in concert providing state leaders with “hardened” devices that are heavily encrypted, routinely updated, and frequently swapped out, Trump has refused to use these more secure DMCC-S devices (effectively a Samsung Galaxy S4 device utilizing Samsung’s Knox security architecture) because they apparently infringe on his ability to Tweet.
Just a few months ago, Senators sent a letter expressing concern that Trump’s mobile phone practices were leaving the President open to potential hacking by foreign entities:
“The President of the United States stands alone as the single-most valuable intelligence target on the planet. Given the apparent lack of progress the Administration has made since initial reports in 2016 of the President’s poor operational security, it appears the only thing standing between the Office of the President and the next national security nightmare is a combination of President Trump’s personal restraint and sheer luck.”
Eventually, the President was convinced to use two iPhones: one locked down specifically for Twitter, and the other specifically tasked with making phone calls. Even here reports have suggested that Trump has struggled to adhere to these restrictions, often making personal calls on his unsecured Samsung Galaxy III.
This week in testimony before the House Intel Committee, diplomat William Taylor testified he had recently learned of a call between US/EU ambassador Gordon Sondland and President Trump while at dinner at a restaurant in Kiev. The conversation concerned Trump’s efforts to pressure Ukraine to help him dig up dirt on Biden, though security experts were more concerned by another aspect of the revelation: the idea that the President was openly discussing sensitive issues, in public, on foreign cellular networks:
“There are a ton of risks there, but some of the biggest involve the fact that the call is traversing the foreign country’s telco,” said Jake Williams, a former National Security Agency operator and founder of Rendition Infosec. “Even if you trust that country not to spy on their own telcos, others probably have. There’s a non-zero chance that some country (or multiple countries) are getting call data records (CDR). This definitely would have made for increased targeting on Sondland and his contacts. Honestly, if I saw that in CDR collection, my first thought would be, ‘That has to be a troll, right?’ That would be immediately followed by, ‘Get full voice coverage on his phone (and everyone around him). These guys don’t understand OPSEC.’”
Needless to say, having phone calls in public restaurants over foreign cell networks is considered a no-no in security circles:
“During that call with Gordon Sondland, the U.S. ambassador to the European Union, Trump spoke so loudly about ‘the investigations’ that someone in the restaurant who was not on the phone could hear his words, according to Bill Taylor, the senior American diplomat in Ukraine.
It is highly likely that others were listening too. Russia’s intelligence services have previously demonstrated the capability to intercept the phone calls of American diplomats in Ukraine and make recordings that can be used to compromise or embarrass those officials.”
Granted, there’s a universe of other ways that foreign and US intelligence can and do spy on public officials even when they’re using an encrypted connection, from the use of IMSI catchers to the exploitation of the longstanding SS7 flaw we’ve long noted nobody seems interested in fixing:
This stunning revelation at the #ImpeachmentHearings shows the unacceptable lack of cybersecurity by the @realDonaldTrump Administration. Any foreign power can listen in on a cell phone by exploiting a flaw known as "SS7." Look it up. It will scare you. https://t.co/mZZ7B2IHK2 https://t.co/1J7PUd8yGK
— Ted Lieu (@tedlieu) November 13, 2019
Like so many tech issues, the stupidity will get lost in partisan fisticuffs, with the President’s supporters taking such deep offense at the idea the President is terrible at security that they’ll mindlessly discount this as just more unfair partisan criticism they don’t have to pay attention to. But reality doesn’t care, and report after report has made it pretty damn clear the President of the United States has garbage-level OPSEC that no level of hand holding appears capable of mitigating.