When evidence suggested President Trump was still using his personal Android phone in the White House earlier this year, security experts expressed both alarm and dismay at what might happen if hackers broke into that device. Now, Politico reports that former Department of Homeland Security head and current chief of staff John Kelly used a personal smartphone, possibly for months, that was compromised. That is bad. Don’t do that.
The breach was apparently discovered over the summer, when Kelly gave the smartphone to White House tech support after having problems with it and struggling to successfully run software updates. Several questions remain unanswered, as to what type of phone Kelly was using, and what sort of access hackers may have had. The possibilities run the gamut—and have potentially serious consequences.
“Having a phone compromised for several months definitely is not good,” says David Kennedy, the CEO of TrustedSec, who formerly worked at the NSA and with the Marine Corps’ signal intelligence unit. “To what extent and who compromised it is important. If it was just [run of the mill] malware it’s probably not a big deal, but if it was a nation state, monitoring phone communications, emails, and other data is all possible.”
How Kelly’s phone was compromised matters a lot. There are myriad ways it could have happened, and some are relatively benign. If Kelly had an Android phone he may have gotten tricked into downloading a malicious app. Phishing links and attachments also pose a constant threat no matter what device you’re on. From there, a petty criminal might have done something small, like secretly charging Kelly in-app fees or mining some relatively innocuous data. Nothing too alarming there.
‘If he’s in classified meetings and the phone is in his pocket, hackers could eavesdrop and listen to planning.’
David Kennedy, Former NSA Analyst
But there’s also a whole gray market of security firms, like Zerodium and NSO Group, that sell mobile operating system exploits and espionage tools to governments around the world. Any attacker with awareness about their target—and deep pockets—could have used more sophisticated exploits to burrow deep into the device and start reconnaissance and data-gathering, even potentially masquerading as Kelly on his accounts, or taking them over to mislead his associates.
It’s also hard to tell exactly how often and how long Kelly used the phone in question. Reports indicate that Kelly did primarily use his hardened, government-issued smartphone, even while he still had his apparently compromised personal phone around, but it’s unclear how often he carried the extra device with him, and what he still relied on it for. A White House spokesman told POLITICO that Kelly “hadn’t used the personal phone often since joining the administration.” It would be helpful to know how hard that “often” is working. The incident was apparently considered serious enough to warrant a memo about the situation in September.
A White House spokesman told WIRED, “Last December, General Kelly’s personal phone stopped working and he discontinued its use,” a statement that still leaves the exact timeline open for interpretation.
Those details matter, because in a totally owned phone, hackers could have tracked his every move.
Assessing the Damage
Regardless of the method a compromised smartphone, Kelly’s data would have definitely been at risk. Attackers could have used a keylogger to follow his every input. They would also potentially had access to his physical location through GPS and cell ID data. If he stored any sensitive files on the device, needless to say, they would have been exposed.
But even assuming that Kelly did no confidential or nationally important work on the personal phone, even if he simply used it to play Candy Crush, it still would have posed a major threat. Attackers can surreptitiously take over a smartphone’s microphone and camera, a particular concern given that Kelly takes meetings at the highest levels of national security.
“If he’s in classified meetings and the phone is in his pocket, hackers could eavesdrop and listen to planning,” Kennedy notes.
There are some protections against that sort of snooping, like device lockers in the West Wing where staffers are encouraged to leave their phones, and Sensitive Compartmented Information Facilities, where officials shed all their devices before discussing truly secret issues of national security. But human error is a problem. People don’t always comply with SCIF protocols—including President Trump himself.
“Most people, even though data breaches and surveillance are in the news every day, they still don’t really understand that they could be targeted—they always think that it will never happen to them,” says Larry Johnson, the CEO of security firm CyberSponse who was a special agent in the Secret Service for 24 years and worked on cybersecurity in the White House. “It’s like everything in security, it’s not convenient to be secure, but once you walk into the White House you have to be cognizant of all of the things around you and anything that isn’t quite right.”
Experts say that it’s surprising that Kelly in particular used a potentially compromised phone, given his past military and command service.
Still, it’s possible that Kelly was lucky, and whatever malware was on his phone just served him malicious ads and tried to trick him out of some money. If it really was the worst case scenario, though, one or a handful of nation states may have gained valuable intelligence that could haunt the United States for years. Without more information—and none seems forthcoming—we’ll never know just how worried we should be.