SAN FRANCISCO — Using your smartphone’s flashlight to read a menu in a dark restaurant isn’t out of the ordinary. Using it to read documents about missile launches over dinner could be a threat to national security.
Dinner at Mar-a-Lago turned into a public situation room on Saturday night when President Donald Trump, who spent the day at the private club with Japanese Prime Minister Shinzo Abe, received information that North Korea launched a new ballistic missile. As CNN reported, aides used flashlights on their mobile phones to help Trump and Abe read documents about the incident.
This raised a number of security concerns. If the phones were compromised, hackers would have had a direct — and well-lit — view of national security documents.
We don’t know the kind of phones that Trump’s aides use and whether they use security protocols beyond that of normal consumers — but anyone with a smartphone is potentially vulnerable to hacks.
“There’s no such thing as 100% security of any device,” said James Lyne, Global Head of Security Research at security firm Sophos.
Lyne said attackers have a few options for implementing spyware. A person could click on a malicious link and download a seemingly innocuous app that asks for permission to access parts of their phone, like the camera and microphone. Or hackers can exploit unknown bugs in a device’s code and run their own code, taking control of certain parts of the phone and its data.
“If we talk about the type of devices people use day to day, it is absolutely possible to compromise a phone, gain access to camera and recording facilities, and information on the device,” Lyne said. “That happens far more on Android than on iPhone.”
Mobile spy tools aren’t new. Edward Snowden told his lawyers in 2013 to put their phones in the fridge to prevent snooping. In 2014, mobile security firm Lookout discovered an Android malware toolkit for sale that let attackers take full control of Android devices. In 2016, researchers found security vulnerabilities that potentially affected 900 million Android phones.
It’s tougher to compromise iPhones, but not impossible. Last year, security researchers discovered a major iOS exploit that targeted journalists and human rights workers. On Saturday, the New York Times reported the invasive spyware also targeted organizations and public health workers in Mexico. (Apple released a patch to fix the vulnerabilities immediately after they were revealed.)
On Monday, two Senate Democrats sent the Secretary of Defense a letter asking for more information about the president’s mobile devices, and whether his Android has been secured.
It’s very hard to find a well-secured Android phone, according to Matthew Green, cryptographer and computer science professor at Johns Hopkins University. There are a variety of custom Android versions made by phone manufacturers, which each can introduce new vulnerabilities. You can ensure greater security by buying the newest phones directly from Google and regularly installing updates. There are malicious apps and activity all the time in existing systems, Green said, including apps that simply activate the microphone in the background and listen to what’s happening around your phone.
“Information security was a huge topic in the last election,” Green said. “I’d like to take people at their word that these kinds of security lapses were really a big concern, so to see people in this administration behaving so casually around classified information with consumer-grade devices is really shocking.”
Other incidents at Mar-a-Lago last weekend that have raised security questions include diners taking photos of Trump’s dinner strategy session and posting them to Facebook.