President Trump’s Twitter feed is vulnerable to being hacked by a foreign power or other adversary, according to a Washington Examiner investigation of cybersecurity measures in place to protect his account.
When Trump logs on to his Twitter account, an authentication code is sent in a text message to a senior aide’s cellphone, a step that could allow for the same type of intrusion as last week’s hack of Twitter CEO Jack Dorsey.
But while Dorsey’s Twitter account spewed racism for 18 minutes, the stakes are much higher for Trump, whose feed can move markets and threaten world peace. “A hack of this President’s Twitter account would be especially dangerous because the world would have a hard time recognizing it as such,” said Ned Price, a White House National Security Council aide under President Barack Obama.
Security for Trump’s @realdonaldtrump account was described to the Washington Examiner by a source with direct knowledge. The source said the fact that the aide’s number is not public, along with security offered by Verizon, should prevent hacking, though some experts say a dedicated adversary, such as China or Russia, might well be able to overcome those hurdles with relative ease.
The hack of Dorsey’s account was the result of a “SIM swap,” a tactic where a hacker persuades a phone company to transfer a victim’s phone number to their own phone. Knowing the Trump aide’s phone number would be the first step. Then, the attacker must trick Verizon.
White House technology staff have roughly 10,000 cellphone lines provided by Verizon. They are not registered with the phone company to specific employees. Phones assigned to Trump and close aides are rotated regularly for security, and few people are authorized to change the account.
Trump uses two phones: one that can place calls, and a second for Twitter. The revelation of Trump’s relatively secure internet-enabled “Twitter phone” was first reported last year in what insiders viewed as a malicious leak by disgruntled staff.
Trump’s Twitter phone cannot receive text messages, so his Twitter account was configured so that an SMS message with an authentication code was sent to social media manager Dan Scavino. The source was not able to say if Scavino could transfer the confirmation mechanism to a personal cellphone.
“On the government phones, there is no way Verizon would ever change the account information from a request from anyone, including Dan,” the source said. “There were only a handful of [staff] that were authorized to make account changes, just for situations like this.”
If the authentication setup was transferred to a personal Scavino phone, “the carrier would have a high-profile person like that under their VIP program. There is no way they would make changes to his account without him being in person in front of a senior supervisor at Verizon that is authorized to make VIP changes,” the source said.
The White House would not address details of Trump’s digital security.
Verizon spokesman Jeffrey Nelson said, “There is zero chance we would provide information about any of our customers, nor validate that we provide service to specific customers.”
Carnegie Mellon University computer scientist Nicolas Christin said the Twitter setup for Trump may be insecure.
“The devil is in the details — how frequently is the phone rotated, how good Verizon’s VIP program is, and how hard it is to map an official phone line to a given name — particularly that of the social media manager — at a specific point in time,” he said.
Security consultant Kevin Mitnick, a former hacker who illegally accessed phone systems across the country, including as a fugitive, questioned the degree of protection. “When I was on the other side back in the 1990s, I basically compromised every phone company in the United States,” Mitnick said. “If somebody wanted to target the guy’s phone … with my persistence, I would get it.”
To determine the cellphone used by Scavino, an attacker could use an IMSI catcher, or cell-site simulator, Mitnick said, or make use of a data breach. The task could be eased by knowing the service provider and the fact that Scavino often travels with Trump.
Tricks of the hacking trade include acquiring fake identity documents to fool phone company agents. Mitnick said he was unfamiliar with specific security offered by Verizon for high-profile VIPs and the government, but that “I don’t trust it based on my past experience of compromising phone companies and being a victim of it.”
SMS authentication is widely known to have vulnerabilities. Twitter also allows two-factor authentication through apps such as Google Authenticator, which generates a random code each time someone logs in. These apps were deemed by White House staff to pose their own challenges. Mitnick urged the White House to build an in-house authentication app.
“All [two-factor authentication] at the White House is via SMS,” said the source who described White House Twitter security. Two former senior White House officials confirmed to the Washington Examiner that they received text messages with codes to log onto their official Twitter accounts.
In response to Dorsey’s hack, Twitter turned off a function Thursday that allowed users to tweet via text message. But if the hacker knew the Trump password, they could gain access to the account to tweet, or reset the password if they are able to access the email address that receives the reset link, potentially aided by the hijacked phone number.
Twitter declined to comment on Trump’s account, but the source who described White House security said the company offered “nothing more than high-profile celebrities get.”
Meanwhile, there’s a debate among Trump’s critics about the stakes if his account is hacked.
Price, the former Obama White House aide who believes it would be “especially dangerous,” said damaging tweets are risky because “his account has featured it all” already, “from threats of nuclear annihilation to ad hominem attacks.”
But fired White House Communications Director Anthony Scaramucci, a newly avowed Trump opponent, quipped, “what he writes can’t be made any worse by a hacker. I have no concern whatsoever.”
“He is having a full blown nervous breakdown and the market and international community is prepared for any and everything,” Scaramucci said. “The stuff is priced into the market and the shock value is declining.”
The source who shared information about Trump’s Twitter security said they don’t believe the account will be hacked, but that the risk should be kept in perspective. “Remember we are talking about access to a Twitter account, not access to the nuclear launch codes,” they said. “While the optics would be bad if the account were ever hacked, it would not be a national crisis.”

