White House chief in the security doghouse: Personal-tech lockboxes for all?

Retired Gen. John Kelly, President Trump’s current chief of staff, is said to have had his phone hacked last year, while he was secretary of Homeland Security. Oops.

Furthermore, he didn’t realize it for eight months—well into his tenure at the White House. Double-oops.

Still, it was only his “personal phone.” So that’s okay, right? In this week’s Security Blogwatch, we model the threats, while avoiding the politics.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Mummy's sins

What’s the craic? Josh Dawsey, Emily Stephenson, and Andrea Peterson tag-team with the Project on Government Oversight—John Kelly's personal cellphone was compromised:

White House officials believe that chief of staff John Kelly’s personal cellphone was compromised, potentially as long ago as December. … Hackers or foreign governments may have had access to data on Kelly’s phone while he was secretary of Homeland Security and after he joined the West Wing.

Several government officials said it is unclear when—or where—Kelly’s phone was first compromised. … Kelly’s travel schedule prior to joining the administration in January is under review.

The IT department concluded the phone had been compromised [triggering] concern throughout the West Wing about what information might have been exposed.

And there’s more. Josh Dawsey has this update—Kelly's personal phone possibly compromised at transition office:

White House officials have homed in on … Trump’s Washington transition headquarters as a likely location where [the] cellphone could have been compromised in late 2016. … Much of his transition staff worked out of the office space, about three blocks from the White House.

Officials have tried to determine whether Kelly signed onto an insecure wireless network there or whether a hacker, foreign government or some other outside force could have accessed the phone there. … Officials have not ruled out other possibilities, such as foreign trips before Kelly joined the administration.

The White House has weighed new rules for personal devices, including banning them from the president’s residence and the West Wing. … It remains unclear why Kelly hung onto his personal phone … until August. Staffers in the White House questioned Department of Homeland Security officials … about why it took so long for the problem to be caught.

What can we learn? Bruce Schneier tries to avoid the political angles:

I know this is news because of who he is, but I hope every major government official of any country assumes that their commercial off-the-shelf cell phone is compromised.

Even allies spy on allies; remember the reports that the NSA tapped the cell phone of German Chancellor Angela Merkel?

So the horse has bolted? Andrew Blake brings reports of some recently shut stable doors: [You’re fired—Ed.]

Secret Service personnel were notified last week … of a new White House policy prohibiting the use of all personal mobile devices, including cell phones, tablets and smart watches, within the entirety of the West Wing.

A leaked document [said,] “All personal devices will either be secured in provided lockboxes … or turned off completely prior to entering the West Wing.”

And Lily Hay Newman spoons some sauce for the goose:

When evidence suggested President Trump was still using his personal Android phone in the White House earlier this year, security experts expressed both alarm and dismay.

The [Kelly] breach was apparently discovered over the summer, when Kelly gave the smartphone to White House tech support after having problems with it and struggling to successfully run software updates.

There's … a whole gray market of security firms, like Zerodium and NSO Group, that sell mobile operating system exploits and espionage tools to governments around the world. Any attacker … could have used more sophisticated exploits to burrow deep into the device and start reconnaissance and data-gathering, even potentially masquerading as Kelly.

Hackers could have tracked his every move … through GPS and cell ID data. … Even if he simply used it to play Candy Crush, it still would have posed a major threat.

There are some protections against that sort of snooping, like device lockers in the West Wing where staffers are encouraged to leave their phones, and Sensitive Compartmented Information Facilities, where officials shed all their devices before discussing truly secret issues. [But] we'll never know just how worried we should be.

Cue the inevitable, incessant speculation about which smartphone platform Kelly used. Ben Lovejoy has bad news for Apple fans:

Kelly is seen using an iPhone in a number of photos. … iPhones tend to be more secure than Android devices … but are not immune to compromise.

Turing_Machine gives Kelly the benefit of the doubt:

My money is based on the fact that iOS 11 just came out. "Hmm... I see that there's a new iOS. ... Better update my personal phone even though I'm not using it at the moment. ... Wow! This phone is acting weird! Better take it to the security people at work."

I don't know that's what happened, but … if it is, it speaks well for Kelly's powers of observation (noticing that the phone was behaving in an unusual way) and ability to choose a proper course of action (taking it to the security professionals at the White House, rather than … Geek Squad or whatever minimum wage clerk was manning the counter at the Verizon store).

And rl3 looks on the bright side:

It's not likely that an APT/nation state actor was responsible. Breaking things is pretty amateur hour.

I'm pretty sure that when nation state actors compromise a high-level target's phone, they avoid breaking things in such obvious fashion.

But burtosis can’t help but use the “M” word:

Explain to me how he isn't a moron when you can't walk into half the companies in the US with one, but what the hell, why not have them in national security meetings.

So what could an attacker learn from a personal phone? Cat pictures? This Anonymous Coward thinks deeper:

People at this level are routinely asked to give up their personal phones and use secure ones.

This man's location alone should be confidential. He doesn't have to say a word. … A hack of a smartphone could be used for many purposes. Heck, you don't even have to hack it. Just having it on your person makes it useful as a convenient homing beacon for a weapon or as the activation signal for a proximity switch.

And another Anonymous Coward is similarly horrified:

His phone—that device with a microphone and camera that he has with him wherever he goes … was hacked. … It has to be assumed that every conversation he had in the presence of his phone was compromised. These people talk secret stuff all over the place.

Meanwhile, albert offers some light relief:

A Russian hacker and a Chinese hacker are sitting in a bar:
CH: We hacked into Kelly's phone and guess what we found?
RH: What?
CH: You guys were already there!
RH: Well, guess what we found?
CH: What?
RH: The NSA was already there!

The moral of the story? How safe is your intellectual property? Should you consider lockboxes for employees’ personal devices?

And finally …

Everything Wrong With The Mummy (2017)


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
