Security expert: Trump should throw his unsecured Android phone into an incinerator

Impact

During the 2016 presidential campaign, Donald Trump relentlessly bashed Hillary Clinton over her use of a private email server. This week, Trump's team was caught using their own private email system — the same one that was hacked during the 2016 race and, in the 2000s, mysteriously "lost" 22 million of George W. Bush's messages. As for Trump himself, he's still reportedly using an unsecured personal device to reach 22 million people as @realDonaldTrump on Twitter — and until Thursday afternoon, his @POTUS account was connected to a personal Gmail address.

Mic/Twitter

It's not just outrageously hypocritical, it's also a major security risk — a national "security disaster waiting to happen," according to BuzzFeed's Joe Bernstein

As the Intercept's Sam Biddle explains, "This signals to hackers that all they need to do to illicitly broadcast to [@POTUS'] 14 million online followers is get into said Gmail account."

The old Android may be the biggest problem: Trump is still using his old personal phone "to the protest of some of his aides," the New York Times reported on Wednesday. Android Central investigated what phone Trump is likely using, and determined it is "more than likely" a Samsung Galaxy S3, which released in 2012. 

The latest operating system available on this device, Android 4.4, is vulnerable to a "whole raft" of remote exploitation attacks one could execute for free, said Nicholas Weaver, a researcher at the International Computer Science Institute at UC Berkeley.

"The president is vulnerable to hackers in ways that could threaten himself and our national security," said John Michelson, chief product officer at Zimperium. "The surveillance, data exfiltration, weaponizing of the phone [and] assets on the phone like emails are all accessible."

"Taking over a Galaxy S3 is not just the stuff of intelligence agencies but the sort of project I would assign for homework to advanced security students," Weaver said in an email. "The question ... is not whether his phone is compromised, but by how many different intelligence agencies."

One potential security threat: The unsecured device can be hacked and turned into an active live microphone, Weaver mentioned. If anyone is bringing this phone into important government meetings, the consequences could be catastrophic. 

"Mobile devices inherently carry a microphone and several different radios inside," explained Tom Patterson, chief trust officer at Unisys.

Another problem: Trump is "absolutely" vulnerable to a phishing scam, said cybersecurity expert Calvin Liu at Ventura ERM. 

"Would it be possible to use Twitter to implant malware on the phone or the PC? The answer is absolutely yes," Liu said.

"Let's just say in a normally sane White House, there would be absolute panic over his continued insistence on using a horribly insecure, out-of-date Android device to continuously tweet and presumably read web pages posted to him in tweets," Weaver added.

We know Trump has a tendency to retweet flattering articles about himself. All it takes is one malicious link sent from one of the millions of Twitter users interacting with him on a daily basis, and someone could gain access to his accounts, passwords, photos, videos and more.

"If the Twitter account is compromised then theoretically you can use it to reach all kinds of people," Liu said. "Everyone following that Twitter account, if they lateral from the Twitter to contacts they could then start sending to the contacts. If they lateral from Twitter to email, then they could start sending to all the emails. So that would not be good."

What the White House should do: The NSA is able to provide Trump with a more restricted device, one akin to the secured Blackberry Barack Obama used during his presidency, one that would allow Trump to continue to tweet ("but not click on links," Weaver added). But that device should still be kept outside the walls of any important meetings. 

Trump should also refrain from taking the unsecured phone into rooms where sensitive information is discussed. If he must, he should turn off the phone and take the battery out.

Michelson, of Zimperium, said Trump "should consider adding an on-device security solution, or consider not using a smartphone at all for official business."

"I don't think there's any platform where he can tweet that is going to be perfectly secure," said Liu. "As a general best practice, yeah, I would prefer to see him using something the professionals would recommend in terms of security."

As for the unsecured Android disaster machine Trump continues to coddle?

"My advice to Trump is take your phone and throw it in an incinerator," Weaver said.