Trump’s iPhone Security Practices Are Awful

Good news: President Donald Trump has apparently stopped using an old Android phone, which is probably one of the easiest targets for a hacker to own. Bad news: despite using presumably up-to-date iPhones, his operational security, or “OPSEC,” is still terrible.

On Monday, Politico revealed that Trump uses at least two iPhones. One for calls and one for Twitter and news apps. Politico quoted a senior West Wing official saying that the phones “are seamlessly swapped out on a regular basis through routine support operations. Because of the security controls of the Twitter phone and the Twitter account, it does not necessitate regular change-out.”

Trump, however, is refusing to swap out phones every month, and hasn’t swapped one of them for five months, because he thinks that’s “too inconvenient,” according to Politico. President Barack Obama reportedly swapped phones every 30 days.

Swapping the phones is meant to mitigate the risks in case one of the president’s phones got hacked. The idea being, even if he gets hacked, the hacker’s won’t get more than at most one month of access to his conversations or whatever he does on his iPhones.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv

Politico didn’t provide much more details about Trump’s iPhones—though Twitter sleuths Jamie Wallace and rabbit believe it’s an iPhone 6 Plus—but it was enough to alarm security researchers.

“While the iPhone is one of the most secure commercial devices available, it’s not infallible. Remote jailbreaks have been reported to exist for around the $3M price range. That’s a pretty low price to pay for access to an American President’s phone,” Ryan Duff, a security researcher who has studied iPhone, told Motherboard. “Access to that iPhone has incredible implications for national security. Not only would it allow you to have a microphone around the President during his private conversations, but being able to do something more nefarious, like sending a rogue tweet, could literally start a war.”

Duff, who’s the Director of Cyber Solutions at Point3 Security and a former US Cyber Command hacker, added that not switching out phones regularly “could be disastrous.”

Multiple surveillance technology vendors advertise hacking tools for iPhones that allow someone to take control of the phone remotely for around $3 million. That sounds like a lot of money, but it’s certainly worth it to get a chance to spy on the most powerful man in the world.

Read more: Who’s afraid of Kaspersky?

“Any nation can do it,” the security researcher known as The Grugq tweeted on Tuesday, reacting to the news. “The intel value, even if he were switching on monthly cycles, would be worth the cost.”

While there are not enough details to know exactly what’s the setup of Trump’s iPhone, if he were the one tasked with securing Trump’s iPhone, Duff said he’d take several precautions, such as disabling iMessage, or even the browser, monitoring all web traffic, or allowing the phone to only connect through a VPN, which would prevent app installs.

That would make it a harder target, but still not impossible to hack. Government hackers have compromised iPhones using exploits against the phone’s browser, but it’s not the only way.

“When the target is the President, nothing is out of reach,” Duff said. “He is still holding an internet connected device with a microphone.”

Get six of our favorite Motherboard stories every day by signing up for our newsletter.