If President Donald Trump is still using his personal, unsecured Android smartphone, as reported, he is surely creating bucketsful of worry for White House communications security staff.
As CIOs and Chief Information Security Officers already know, any organization can install strong security technology into a network or a smartphone, only to be defeated if end users don't use it or follow safe cyber practices.
"The most vulnerable parts of communications are the people, and if they aren't taking precautions, problems exist," said Chris Perry, chief operating officer for Secured Communications, a provider of encrypted VPNs for mobile devices used by governments and companies.
"There is a White House communications group that does nothing but communications technology solutions for the president and his staff," Perry said Friday. "But the weakest link in any communication is the end user. You can have all kinds of end-to-end encryption, but in the end, if you aren't using that piece of equipment and related tools, you are very vulnerable. That's true in any environment, in government or the private sector."
White House officials didn't respond when asked repeatedly about Trump's reported use of his Android phone for tweets after he'd been in the White House for several days. The U.S. Secret Service referred questions on the matter to the White House.
Trump didn't turn over his Android phone when given a secure device just before his inauguration, according to The New York Times.
Reports have indicated Trump is using an older Galaxy S3 or S4, which is "asking for a disaster," Nicholas Weaver, a computer security researcher at the Computer Science Institute, said in a blog post. "President Trump's continued use of a dangerously insecure, out-of-date Android device should cause real panic. A Galaxy S3 does not meet the security requirements of the average teenager, let alone the purported leader of the free world."
Weaver said if Trump were enticed to click on a link to a cyber exploit with his phone, the phone could become a bug that could record everything in audio or video around it and then transmit that information to an attacker. "Even a brand new, fully updated Android or iPhone is insufficient: The President of the United States is worth a great many multiples of expensive zero-day exploits."
Hackers could also learn where the phone is through GPS, which could also be an indication of where the president is located, said Jack Gold, a mobile security analyst at J. Gold Associates.
If a nation-state really wanted to attack Trump's phone or another device, it could rely on a brute force attack performed by supercomputers to break encryption on his password to gain access to files, applications and other material, Gold added.