How do you build a smartphone for a president? It’s a tricky question, made trickier by the man who’ll be using it. President Trump, after all, is really only the second president to come into office during the era of omnipresent smartphones. President Obama was forced to give up his Blackberry for a severely curtailed device, and was none too happy about it. While President Trump was issued a similarly locked-down device when he took office, both a New York Times report from inside the White House and Trump’s own Twitter timeline seem to indicate that he continues to use his personal Android phone — thought to be either a Samsung S3 or S4.
Let’s be generous and assume Trump is using the more modern Samsung S4. That means the newest version of Android he could be running is 5.0.1, released in 2015, which is still vulnerable to things like Stagefright 2.0 — a truly nasty Android exploit that allows malicious users to embed a media file in a webpage, giving them near-complete control over a victim’s phone.
That makes it trivially easy to hack the phone of one of the most powerful people on the planet, says Nicholas Weaver, a computer-security researcher at the International Computer Science Institute at the University of Berkeley, California. “You tweet at POTUS, ‘Proof that lying press distorts crowd size,’” says Weaver. “Something that gets his attention. It is literally a matter of enticing him to click on a link or visit a page that you’ve already compromised the advertisement on, and that’s it. It’s no longer his phone — it’s yours. You can turn on the microphone. You can turn on the GPS and track his movement. You can do all sorts of things.”
Weaver has been co-teaching a course on advanced networking at Berkeley this semester, where one of the topics in class was how to make a “Trump-proof” phone. Here’s what Weaver recommends.
Split his phone in two
In order for this to work, President Trump would need to be able to carry out his job. “We have to still allow him to conduct his workflow,” says Weaver. “And for him, his workflow is sending tweets and receiving phone calls from people off the books. And we need to be able to preserve that functionality while removing the functionality that could make a compromised phone a bug sending all the data to the Kremlin.”
For Weaver, that ideally means that Trump would have one device for making calls, and another for issuing tweets. “Ideally, it might be like a Nokia candy-bar,” says Weaver. You want a device without everything that makes a smartphone “smart” — no web browser, no camera, no GPS, and no ability to tweet. “It has a microphone, has the speaker, but it’s hopefully hard to compromise and turn into a bug,” says Weaver. With a phone that’s effectively walled off from the internet, the number of potential exploits is greatly reduced.
(Trump has reportedly been issued a Boeing Black, a phone developed for handling information classified as top secret, but it’s unclear whether he’s actually using it. Boeing declined to comment on who is using the phone and whether the phone is capable of sending tweets.)
Create a locked-down Twitter machine
Up next would be making sure the president can tweet in safety. “We can build him a device that would allow him to tweet to his heart’s content, but would mitigate the damage” if the device were compromised, says Weaver. “Hell, we can use something horribly insecure like his Galaxy.”
You would take this second device and, again, remove much of its functionality. You’d take out the microphone, the speaker, the GPS device, and the cellular connection, forcing the device to only connect to Twitter via Wi-Fi. “A student in the class suggested removing the camera, which is a brilliant idea,” says Weaver.
“By removing the microphone, camera, cell phone, etc., I’ve eliminated a bugging potential, and now he’s limited to a tweeting-and-web-surfing device,” says Weaver. “Now, I need to start thinking about how to make it so that he can still tweet, but make it more secure.”
The real threat of Twitter for the president, after all, is not Twitter itself, but the links Trump could click while using the service. Exploits like Stagefright 2.0 still require the president to leave Twitter.
The solution? “We remove the web browser from the phone,” says Weaver. Trump’s tweeting device would have no actual web browser on it; instead, it would display web pages that were actually being loaded by a remote machine. “The phone, rather than browsing the web, is actually connected to a separate computer, a virtual machine, that does the web browsing. So if you compromise that, you don’t gain control over his Twitter account. You only gain control over the web browser.”
Weaver envisions a separate, remote virtual machine for Trump’s Twitter client as well. In both cases, the idea is to limit the damage if someone manages to worm their way into somewhere they’re not supposed to be. Get at the president’s web browser, and you can’t get at his Twitter account — and vice versa.
“At first, I just want to limit it so that if a bad dude takes over his phone, the only thing he can do is irate tweet,” says Weaver. “Because if a bad dude tweets as the president, they can do a fair amount of damage, but that is dwarfed in comparison to the damage that you can do with a bug in the president’s pocket.”
Two-step tweeting process
Still, there’s the small matter that someone could gain access to Trump’s Twitter account, whether through social engineering or someone close to the administration, purely hypothetically, tweeting out the password to Trump’s Twitter account. (Trump likely has two-factor authentication turned on for this Twitter account, but Twitter’s two-factor authentication relies on SMS, and therefore is easily bypassed.)
Trump seems much more comfortable speaking to the public via Twitter than via press conferences. Someone gaining control of Trump’s Twitter account, even for the few minutes before Twitter locked everything down, could be disastrous.
Which is why Weaver recommends essentially creating a holding queue for Trump’s tweets. “This would make the White House staff so ecstatic. You modify his Twitter client so when he tweets, it doesn’t tweet. Instead, it forwards the tweet to the press secretary, who has five minutes to review it before it goes live. This mitigates the problem of someone compromising his Twitter client to tweet as him,” says Weaver. “And the problem of his tweets,” he adds.
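The holding queue described above, written out as an added example (not code from the article, from Weaver, or from any real Twitter client). The names HoldQueue, submit, reject and release_due are hypothetical, publishing after an unchallenged five minutes is one reading of the quote, and the fail_closed option, which drops unreviewed tweets instead of posting them, is an added assumption:

```python
import itertools
from dataclasses import dataclass

HOLD_SECONDS = 5 * 60  # the five-minute review window from the article


@dataclass
class Held:
    text: str
    release_at: float
    state: str = "pending"  # pending -> published | rejected | expired


class HoldQueue:
    """Sits between the tweeting device and the credential that can post."""

    def __init__(self, clock, publish, fail_closed=False):
        self._clock = clock              # injected so the window is testable
        self._publish = publish          # only the queue holds this capability
        self._fail_closed = fail_closed  # assumption: expire instead of post
        self._items = {}
        self._ids = itertools.count(1)

    def submit(self, text):
        """Called by the device: queues the tweet, never posts it."""
        item_id = next(self._ids)
        self._items[item_id] = Held(text, self._clock() + HOLD_SECONDS)
        return item_id

    def reject(self, item_id):
        """Called from the reviewer's side; has effect only while pending."""
        item = self._items[item_id]
        if item.state == "pending":
            item.state = "rejected"
        return item.state == "rejected"

    def release_due(self):
        """Run periodically: settle every tweet whose window has elapsed."""
        now, released = self._clock(), []
        for item_id, item in self._items.items():
            if item.state != "pending" or now < item.release_at:
                continue
            if self._fail_closed:
                item.state = "expired"
            else:
                item.state = "published"
                self._publish(item.text)
                released.append(item_id)
        return released

    def state(self, item_id):
        return self._items[item_id].state
```

Because the device can only call submit, a compromised client gains the ability to queue text, while the decision to post stays with a component it does not control.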
The limits of Trump-proofing
And that, in sum, is how you allow Trump to continue to make phone calls and tweet, while instilling a modicum of cybersecurity in the commander-in-chief’s devices. In Weaver’s estimation, there’s only one possible flaw in the plan: Trump himself. “Unfortunately, proper information security sometimes means saying, ‘No, thou shalt not do that,’” says Weaver. “[With Trump], you have somebody who will not listen. What can you do?”
And this doesn’t get into the information-security nightmare of having open strategy sessions in unsecured Mar-a-Lago dining rooms, or having staffers point flashlights (and their phones’ cameras) at confidential documents. (“The Russians would certainly tip a Mar-a-Lago waiter better than Trump does,” cracks Weaver.)
But still, say that Trump (perhaps spurred by Senate Democrats, who are calling for an investigation into his use of a personal smartphone) decides to adopt something like Weaver’s plan. You still have to reckon with Trump’s continued use of that unsecured Samsung.
“It’s so easy to exploit, that you have to operate under the assumption that it has already been compromised — and has been compromised for months,” says Weaver. “There needs to be a damage assessment. People need to go back in time and go, ‘Huh, was he tweeting while I had conversations with him that would be important?’ What was said in the president’s presence when you could meaningfully expect him to have his phone in his hands?”