10/8/2017 from Wired. {abridged and removed overtly political jabs by DGL}
John Kelly's Hacked Phone Could Be a Major National Security Issue | WIRED
Politico reports that former Department of Homeland Security head and current chief of staff John Kelly used a personal
smartphone, possibly for months, that was compromised. That is bad. Don't do that.
The breach was apparently discovered over the summer, when Kelly gave the smartphone to White House tech support
after having problems with it and struggling to successfully run software updates. Several questions remain
unanswered, as to what type of phone Kelly was using, and what sort of access hackers may have had. The
possibilities run the gamut—and have potentially serious consequences.
"Having a phone compromised for several months definitely is not good," says David Kennedy, the CEO of TrustedSec,
who formerly worked at the NSA and with the Marine Corps' signal intelligence unit. "To what extent and who
compromised it is important. If it was just [run of the mill] malware it's probably not a big deal, but if it was a nation state,
monitoring phone communications, emails, and other data is all possible."
How Kelly's phone was compromised matters a lot. There are myriad ways it could have happened, and some are
relatively benign. If Kelly had an Android phone he may have gotten tricked into downloading a malicious app. Phishing
links and attachments also pose a constant threat no matter what device you're on. From there, a petty criminal might
have done something small, like secretly charging Kelly in-app fees or mining some relatively innocuous data. Nothing
too alarming there.
'If he's in classified meetings and the phone is in his pocket, hackers could eavesdrop and listen to
planning.'
David Kennedy, Former NSA Analyst
But there's also a whole gray market of security firms, like Zerodium and NSO Group, that sell mobile operating system
exploits and espionage tools to governments around the world. Any attacker with awareness about their target—and
deep pockets—could have used more sophisticated exploits to burrow deep into the device and start reconnaissance
and data-gathering, even potentially masquerading as Kelly on his accounts, or taking them over to mislead his
associates.
It's also hard to tell exactly how often and how long Kelly used the phone in question. Reports indicate that Kelly did
primarily use his hardened, government-issued smartphone, even while he still had his apparently compromised
personal phone around, but it's unclear how often he carried the extra device with him, and what he still relied on it for. A
White House spokesman told POLITICO that Kelly "hadn’t used the personal phone often since joining the
administration." It would be helpful to know how hard that "often" is working.
The incident was apparently considered
serious enough to warrant a memo about the situation in September.
A White House spokesman told WIRED, “Last December, General Kelly’s personal phone stopped working and he
discontinued its use,” a statement that still leaves the exact timeline open for interpretation.
Those details matter, because in a totally owned phone, hackers could have tracked his every move. Regardless of the method {used}, Kelly's data would have definitely been at risk. Attackers could
have used a keylogger to follow his every input. They would also potentially had access to his physical location through
GPS and cell ID data. If he stored any sensitive files on the device, needless to say, they would have been exposed.
But even assuming that Kelly did no confidential or nationally important work on the personal phone, even if he simply
used it to play Candy Crush, it still would have posed a major threat. Attackers can surreptitiously take over a
smartphone's microphone and camera, a particular concern given that Kelly takes meetings at the highest levels of
national security.
"If he's in classified meetings and the phone is in his pocket, hackers could eavesdrop and listen to planning," Kennedy
notes.
{DGL: here is a scenario that is relevant to the "average" citizen. You give your phone to someone you know because they want to make a call or they want to play a game. They download a "kid monitor" program without your knowledge. They enter their phone number as the recipient and turn the program on in the background, and in the settings they set the program to autostart. Now your phone is set up to do everything talked about above! Though national security was the topic above, your security, your home's security, the security of your kids and grandkids, etc is relevant to you.}
There are some protections against that sort of snooping, like device lockers in the West Wing where staffers are
encouraged to leave their phones, and Sensitive Compartmented Information Facilities, where officials shed all their
devices before discussing truly secret issues of national security. But human error is a problem. People don't always
comply with SCIF protocols.
"Most people, even though data breaches and surveillance are in the news every day, they still don’t really understand
that they could be targeted—they always think that it will never happen to them," says Larry Johnson, the CEO of
security firm CyberSponse who was a special agent in the Secret Service for 24 years and worked on cybersecurity in
the White House. "It’s like everything in security, it’s not convenient to be secure, but once you walk into the White
House you have to be cognizant of all of the things around you and anything that isn't quite right."
Experts say that it's surprising that Kelly in particular used a potentially compromised phone, given his past military and
command service.
Still, it's possible that Kelly was lucky, and whatever malware was on his phone just served him malicious ads and tried
to trick him out of some money. If it really was the worst case scenario, though, one or a handful of nation states may
have gained valuable intelligence that could haunt the United States for years. Without more information—and none
seems forthcoming—we'll never know just how worried we should be.
