Despite being one of the most heavily targeted people on the planet, Donald Trump might still be using his old, personal Android cell phone, exposing himself and perhaps other parts of the US government to hackers.
In the evenings, Trump keeps himself company with television and his "old, unsecured Android phone," according to a recent The New York Times report, which contradicts an earlier report that said he had "traded in" his old Android phone for a more secure one. It's unclear exactly what type of phone he's using for his late-night White House tweeting, but it doesn't sound like it's a hardened, government-approved, Android phone such as the one supported by the Pentagon's Defense Information Systems Agency, which helps the White House with communications tools.
"[Trump] shouldn't have personal computers of any kind, they should be government controlled," said a former Samsung security employee who also did some work on Obama's Pentagon-supported modified Android device, but asked to remain anonymous due to having signed non disclosure agreements.
The source added that if they were to advise Trump on using cell phones, they'd tell him to use a highly customized one so hackers wouldn't have a comparable test device. But the best thing, they added, would be to simply tell Trump: "no more cell phones."
Using any kind of phone, according to the source and other security researchers, is a risk in and of itself for Trump. If someone were to hack Trump through his Twitter-phone (for lack of a better word), they might steal his password to other more important accounts, or, worse, they could jump to another device on the White House internal network, perhaps one that contains more sensitive information.
"[Trump] shouldn't have personal computers of any kind, they should be government controlled."
In 2014, hackers broke into the White House network. At the time, the Obama administration downplayed the intrusion, saying it only affected the unclassified networks, but former White House officials said that network can still hold sensitive information such as the president's schedule, staff member's emails and other information. In theory, this is the kind of data hackers could get if they could get into the network from Trump's personal Android phone and then get into another computer connected to the same network.
"He's at risk from everybody, ranging from lone hackers to the better-funded intelligence agencies of the world. And while the risk of a forged e-mail is real—it could easily move the stock market—the bigger risk is eavesdropping," security expert Bruce Schneier wrote in a blog post. "That Android has a microphone, which means that it can be turned into a room bug without anyone's knowledge."
Spokespeople for the the Trump administration did not answer to a request for comment via email.
It's not clear if any extra security precautions have been applied to Trump's personal Android, such as, say, removing the microphone. But there's nothing legally stopping Trump from continuing to use a beat-up, out of date Android device to tweet to his heart's content, and create an incredibly juicy target for hackers. Even if the phone is just a tweet-machine, attackers could likely pry something of value from targeting the president's personal device.
"No more cell phones."
On Wednesday, enthusiast website Android Central presented its case on what Trump's personal smartphone might be. Judging by old photos of Trump, it may be a Samsung Galaxy S3. Mark Wuergler, senior security researcher at Immunity Inc., pointed out that the S3 is not included on the Defense Department's list of secure devices.
"So this means that the US government doesn't deem the Galaxy S3 device to be secure enough to be approved," he told Motherboard in an email.
But regardless of what specific model Trump's personal Android phone is, using a stock device is certainly a terrible idea for someone as high profile as the president of the United States.
"You can buy a new way to break into an Android phone for $200,000," Ben Actis, a researcher who specializes in Android security for SynAck, said in an email, referring to exploit brokers who offer that figure for techniques to hack Androids remotely. "If I was a foreign state, who was concerned about Trumps economic policies, you'd bet I'd shell out north of 200k to spy on his phone."
Get six of our favorite Motherboard stories every day by signing up for our newsletter.