Support The Bulwark and subscribe today.
  Join Now

How to Hack Mar-a-lago

Let's hope the NSA figures this out before the bad guys do.
by Ian Smith
April 11, 2019
How to Hack Mar-a-lago

Yujing Zhang attempted to enter Mar-a-lago, a private Florida club owned by President Trump, on April 2 carrying a memory stick with malware on it.

Zhang nearly succeeded in entering the club on dubious pretenses. She claimed to be attending an event that didn’t exist. When pushed on this fact, she claimed she needed to understand and evaluate the location before the event. (In some quarters this is translated from the Chinese as “casing the joint.”)

There was some confusion about the details due to the languages involved, but some Mar-a-lago employees seemed willing to believe she was the daughter of a member of the club, one Mr. Zhang. However, Zhang is the third most common name in China.

When Ms. Zhang was eventually arrested and searched by the Secret Service, it was revealed that she possessed four mobile phones, two passports, and the memory stick. If you read the details of the reporting around this incident, you can not help but conclude this is the amateur hour of attempted breaches of presidential security: She claimed to be going to the pool, then later claimed she never said that, and whatever the case, she had no swimsuit. She claimed that somebody name “Charles” told her to come to Mar-a-lago from Shanghai (an 18 hour flight) but either could not or would not provide contact information for him. She also lied to the agents interviewing her.

It’s all very amusing. Except that it isn’t.

What concerns me most about this incident is precisely its amateurishness. Let’s make the reasonable assumption that Zhang did not write the malware she was carrying but was only the delivery vector. (If she had been author, one presumes she would have concealed it better.)

So, we can now imagine an attempted security breach where the author of the malware says: “Hey, Yujin, fly to Florida, try to get in to Mar-a-lago and if you can, shove this memory stick in the first computer you can find.” Clearly this plan—or something approximating it—was thwarted by the Secret Service on April 2.

The first and most obvious concern here is the idea that an adversary with more cleverness and preparation than Zhang and her colleagues might have gotten much farther. This adversary could have, you know, “done their homework” on who the vector’s relative was at the club, what events were taking place when she arrived, even have had some documents in English that worked with the cover story.

Although we do not know the network security that is being used at Mar-a-lago, we do know that the club functions fairly normally when the president is not physically present. If malware were injected into the network of the club (not the secure areas) that was insufficiently secured, here are some things that any self-respecting hacker would attempt:

  • “Sniff” or read and record, all the data passing over the network. Depending on the particulars of the software used by members of the club, such a sniffer might be able to decrypt some types of “secure” data.
  • Turn any infected machine’s microphone on and record what is said near it. This is particularly useful for attacking laptops that are moved to different points in the club and usually have built in microphones.
  • Infect computers that are transiently in the club for the purposes of attacking networks it connects to later. This is keenly effective in the case of a frequent visitor to Mar-a-lago whose computer has poor security, since this would allow the malware to “return” to the club, even if it were discovered and removed.
  • Infect applications—attempt to surreptitiously steal data—running on computers that are connected to the network. Surely this would include applications used to run the club’s business (think: guest lists, calendars of presidential entourage arrivals) as well as any vulnerable personal applications on guest computers.

There are many more ideas that a clever hacker might have. Similarly, there are many countermeasures that a diligent information security team could take to prevent these sorts of breaches.

The disconcerting part is that an attempt as poorly thought-out as Zhang’s was even news at all. Unless this is a disinformation campaign by the Secret Service, one would expect physical and electronic security procedures to thwart attacks such as this one without anyone even noticing.

For example, perhaps laptops and mobile phones should not be allowed inside the club unless they have passed a rigorous inspection? The government has clearly been diligent about secure areas inside Mar-a-lago but, naturally, any hacker worth the Bitcoin they are paid would not attack the heavily secured areas. “Water flows around the lowest point,” said the noted 5th century security consultant Sun Tzu.

And all of this assumes that Trump and members of his executive branch are adhering perfectly to security protocols and safety guidelines. Which may or may not be a thing that is happening.

Which brings us to the elephant in the room. It’s not a big elephant, these days it’s about the size of two candy bars: the mobile phone.

There are numerous articles that discuss the security breaches that have already been made public with public servants in Germany, Mexico, and Greece (as well as with members of the U.S. Congress). The list of known vulnerabilities on commodity mobile phones is so long as beggar belief. It is not overly dramatic to say that if something matters to national security, you shouldn’t use a commodity phone to talk about it.

It is interesting that information about what was on the four mobile phones carried by Zhang has not been made public.

In 2017, the vulnerability known as BlueBorne was disclosed and this vector was able to infect other phones wirelessly via Bluetooth. If Zhang had BlueBorne on her phone (either knowingly or unknowingly) she could infect any unprotected phone or device she walked near. Back in 2017 the number of at-risk devices was more than 5 billion.

Since this vulnerability was discovered in particular versions of Linux, Google has patched their Android operating system (which is a Linux derivative) for all mobile phones for which that is possible.

But now it gets more complicated. In the case of Mar-a-lago, has security done audits of all the TVs that show information in the facility? Many TVs today (and even those built before 2017) are actually running Linux and have a bluetooth connection to allow nearby users to control the TV. The possibility that a display exists in Mar-a-lago showing the current day’s events, the dinner specials for the evening, and infecting vulnerable phones as they pass by seems quite real.

We should hope that our security agencies (notably the NSA) have placed a huge emphasis on securing Trump properties—especially Mar-a-lago and Bedminster, where the president frequently visits. The NSA and other security agencies might have more trouble with this issue at Trump Turnberry, where they have no jurisdiction.

And we should all remember that as comical as the case of Yujing Zhang sounded, the cybersecurity threats are very real.

Ian Smith

Ian Smith has a Ph.D. in Computer Science from Georgia Tech. Follow him on Twitter @iansmith.