Any Half-Decent Hacker Could Break Into Mar-A-Lago
Reprinted with permission from ProPublica.
This story was co-published with Gizmodo.
by Jeff Larson, ProPublica, Surya Mattu, Gizmodo, and Julia Angwin, ProPublica.
Two weeks ago, on a sparkling spring morning, we went trawling along Florida’s coastal waterway. But not for fish.
We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.
A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation.
We have also visited two of President Donald Trump’s other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.
The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.
“Those networks all have to be crawling with foreign intruders, not just ProPublica,” said Dave Aitel, chief executive officer of Immunity, Inc., a digital security company, when we told him what we found.
Security lapses are not uncommon in the hospitality industry, which — like most industries and government agencies — is under increasing attack from hackers. But they are more worrisome in places where the president of the United States, heads of state and public officials regularly visit.
U.S. leaders can ill afford such vulnerabilities. As both the U.S. and French presidential campaigns showed, hackers increasingly exploit weaknesses in internet security systems in an effort to influence elections and policy. Last week, cyberattacks using software stolen from the National Security Agency paralyzed operations in at least a dozen countries, from Britain’s National Health Service to Russia’s Interior Ministry.
Since the election, Trump has hosted Chinese President Xi Jinping, Japanese Prime Minister Shinzo Abe and British politician Nigel Farage at his properties. The cybersecurity issues we discovered could have allowed those diplomatic discussions — and other sensitive conversations at the properties — to be monitored by hackers.
The Trump Organization follows “cybersecurity best practices,” said spokeswoman Amanda Miller. “Like virtually every other company these days, we are routinely targeted by cyberterrorists whose only focus is to inflict harm on great American businesses. While we will not comment on specific security measures, we are confident in the steps we have taken to protect our business and safeguard our information. Our teams work diligently to deploy best-in-class firewall and anti-vulnerability platforms with constant 24/7 monitoring.”
The White House did not respond to repeated requests for comment.
Trump properties have been hacked before. Last year, the Trump hotel chain paid $50,000 to settle charges brought by the New York attorney general that it had not properly disclosed the loss of more than 70,000 credit card numbers and 302 Social Security numbers. Prosecutors alleged that hotel credit card systems were “the target of a cyber-attack” due to poor security. The company agreed to beef up its security; it’s not clear if the vulnerabilities we found violate that agreement. A spokesman for the New York attorney general declined comment.
Our experience also indicates that it’s easy to gain physical access to Trump properties, at least when the president is not there. As Politico has previously reported, Trump hotels and clubs are poorly guarded. We drove a car past the front of Mar-a-Lago and parked a boat near its lawn. We drove through the grounds of the Bedminster golf course and into the parking lot of the golf course in Sterling, Virginia. No one questioned us.
Both President Obama and President Bush often vacationed at the more traditional presidential retreat, the military-run Camp David. The computers and networks there and at the White House are run by the Defense Information Systems Agency.
In 2016, the military spent $64 million on maintaining the networks at the White House and Camp David, and more than $2 million on “defense solutions, personnel, techniques, and best practices to defend, detect, and mitigate cyber-based threats” from hacking those networks.
Even after spending millions of dollars on security, the White House admitted in 2015 that it was hacked by Russians. After the hack, the White House replaced all its computer systems, according to a person familiar with the matter. All staffers who work at the White House are told that “there are people who are actively watching what you are doing,” said Mikey Dickerson, who ran the U.S. Digital Service in the Obama administration.
By comparison, Mar-a-Lago budgeted $442,931 for security in 2016 — slightly more than double the $200,000 initiation fee for one new member. The Trump Organization declined to say how much Mar-a-Lago spends specifically on digital security. The club, last reported to have almost 500 members paying annual dues of $14,000 apiece, allotted $1,703,163 for all administration last year, according to documents filed in a lawsuit Trump brought against Palm Beach County in an effort to halt commercial flights from flying over Mar-a-Lago. The lawsuit was dropped, but the FAA now restricts flights over the club when the president is there.
It is not clear whether Trump connects to the insecure networks while at his family’s properties. When he travels, the president is provided with portable secure communications equipment. Trump tracked the military strike on a Syrian air base last month from a closed-door situation room at Mar-a-Lago with secure video equipment.
However, Trump has held sensitive meetings in public spaces at his properties. Most famously, in February, he and the Japanese prime minister discussed a North Korean missile test on the Mar-a-Lago patio. Over the course of that weekend in February, the president’s Twitter account posted 21 tweets from an Android phone. An analysis by an Android-focused website showed that Trump had used the same make of phone since 2015. That phone is an older model that isn’t approved by the NSA for classified use.
Photos of Trump and Abe taken by diners on that occasion prompted four Democratic senators to ask the Government Accountability Office to investigate whether electronic communications were secure at Mar-a-Lago.
In March, the GAO agreed to open an investigation. Chuck Young, a spokesman for the office, said in an interview that the work was in “the early stages,” and did not offer an estimate for when the report would be completed.
So, we decided to test the cybersecurity of Trump’s favorite hangouts ourselves.
Our first stop was Mar-a-Lago, a Trump country club in Palm Beach, Florida, where the president has spent most weekends since taking office. Driving past the club, we picked up the signal for a Wi-Fi-enabled combination printer and scanner that has been accessible since at least February 2016, according to a public Wi-Fi database.
An open printer may sound innocuous, but it can be used by hackers for everything from capturing all the documents sent to the device to trying to infiltrate the entire network.
To prevent such attacks, the Defense Information Systems Agency, which secures the White House and other military networks, forbids installing printers that anyone can connect to from outside networks. It also warns against using printers that do more than printing, such as faxing. “If an attacker gains network access to one of these devices, a wide range of exploits may be possible,” the agency warns in its security guide.
We also were able to detect a misconfigured and unencrypted router, which could potentially provide a gateway for hackers.
To get a better line of sight, we rented a boat and piloted it to within sight of the club. There, we picked up signals from the club’s wireless networks, three of which were protected with a weak and outmoded form of encryption known as WEP. In 2005, an FBI agent publicly broke this type of encryption in minutes.
By comparison, the military limits the signal strength of networks at places such as Camp David and the White House so that they are not reachable from a car driving by. It also requires wireless networks to use the strongest available form of encryption.
From our desks in New York, we were also able to determine that the club’s website hosts a database with an insecure login page that is not protected by standard internet encryption. Login forms like this are considered a severe security risk, according to the Defense Information Systems Agency.
Without encryption, spies could eavesdrop on the network until a club employee logs in, and then steal his or her username and password. They then could download a database that appears to include sensitive information on the club’s members and their families, according to videos posted by the club’s software provider.
This is “bad, very bad,” said Jeremiah Grossman, chief of Security Strategy for cybersecurity firm SentinelOne, when we described Mar-a-Lago’s systems. “I’d assume the data is already stolen and systems compromised.”
A few days later, we took our equipment to another Trump club in Bedminster, New Jersey. During the transition, Trump had interviewed candidates for top administration positions there, including James Mattis, now secretary of defense.
We drove on a dirt access road through the middle of the golf course and spotted two open Wi-Fi networks, TrumpMembers and WelcomeToTrumpNationalGolfClub, that did not require a password to join.
Such open networks allow anyone within range to scoop up all unencrypted internet activity taking place there, which could, on insecure sites, include usernames, passwords and emails.
Robert Graham, an Atlanta, Georgia, cybersecurity expert, said that hackers could use the open Wi-Fi to remotely turn on the microphones and cameras of devices connected to the network. “What you’re describing is typical hotel security,” he said, but “it’s pretty concerning” that an attacker could listen to sensitive national security conversations.
Two days after we visited the Bedminster club, Trump arrived for a weekend stay.
Then we visited the Trump International Hotel in Washington, D.C., where Trump often dines with his son-in-law and senior adviser Jared Kushner, whose responsibilities range from Middle East diplomacy to revamping the federal bureaucracy. We surveyed the networks from a Starbucks in the hotel basement.
From there, we could tell there were two Wi-Fi networks at the hotel protected with what’s known as a captive portal. These login screens are often used at airports and hotels to ensure that only paying customers can access the network.
However, we gained access to both networks just by typing “457” into the room number field. Because we provided a room number, the system assumed we were guests. We looked up the hotel’s public IP address before logging off.
From our desks in New York, we could also tell that the hotel is using a server that is accessible from the public internet. This server is running software that was released almost 13 years ago.
Finally, we visited the Trump National Golf Club in Sterling, Virginia, where the president sometimes plays golf. From the parking lot, we recognized three encrypted wireless networks, an encrypted wireless phone and two printers with open Wi-Fi access.
The Trump club websites are hosted by an Ohio-based company called Clubessential. It offers everything from back-office management and member communications to tee time and room reservations.
In a 2014 presentation, a company sales director warned that the club industry as a whole is “too lax” in managing and protecting passwords. There has been a “rising number of attacks on club websites over the last two years,” according to the presentation. Clubessential “performed [an] audit of security in the club industry” and “found thousands of sensitive documents from clubs exposed on [the] Internet,” such as “lists of members and staff, and their contact info; board minutes, financial statements, etc.”
Still, the club software company has set up a backend server accessible on the internet, and configured its encryption incorrectly. Anyone who reaches the login page is greeted with a warning that the encryption is broken. In its documentation, the company advises club administrators to ignore these warnings and log in regardless. That means that anybody snooping on the unprotected connection could intercept the administrators’ passwords and gain access to the entire system.
The company also publishes online, without a password, many of the default settings and usernames for its software — essentially providing a roadmap for intruders.
Clubessential declined comment.
Aitel, the CEO of Immunity, said the problems at Trump properties would be difficult to fix: “Once you are at a low level of security it is hard to develop a secure network system. You basically have to start over.”
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.