Trump's Mar-a-Lago resort is a hacker's dream, investigation alleges
Dismal internet security at Mar-a-Lago and other Trump properties leaves the president -- and U.S. national security interests -- egregiously exposed to hacking threats, according to a joint investigation by ProPublica and Gizmodo published Wednesday.
The investigation exposed a long litany of security vulnerabilities at Mar-a-Lago and three other Trump family-owned properties frequented by the president, including:
- Three weakly encrypted Wi-Fi networks, a Wi-Fi-enabled "open" printer (which can be used by hackers as an entry point to infiltrate a larger network), and an unencrypted router at Mar-a-Lago in Palm Beach, Florida.
- Two open Wi-Fi networks, which anyone could join without a password, at the Trump National Golf Club in Bedminster, New Jersey.
- A long list of weaknesses -- "weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information" -- at the Trump International Hotel in Washington, D.C., and a Trump golf club in Sterling, Virginia.
The presence of weakly protected or unsecured Wi-Fi networks across Trump properties is particularly concerning, as hackers could leverage these networks to infiltrate computers and smartphones, potentially gaining a pair of ears on the ground where sensitive conversations and high-level presidential business are unfolding.
The situation is "bad, very bad," Jeremiah Grossman of cybersecurity firm SentinelOne told ProPublica and Gizmodo. "I'd assume the data is already stolen and systems compromised."
Mar-a-Lago is a frequent base for the president's meetings with U.S. officials and foreign dignitaries, and an obvious target for hackers. The president has met with Japanese Prime Minister Shinzo Abe, British politician Nigel Farage, and Chinese President Xi Jinping at his family-owned Mar-a-Lago club. The president also conducts high-level operations on these properties: for instance, he authorized the April strike on a Syrian airbase while meeting with Xi at Mar-a-Lago.
In March, the U.S. Government Accountability Office agreed to Democrats' demands to open an investigation into the president's stays at Mar-a-Lago, and specifically explore information security, screening standards for guests, and travel expenses billed to taxpayers. Two months later, that report is still in its "early stages," ProPublica and Gizmodo said -- which is what prompted the two outlets to test security levels themselves.
The reporters set up a 2-foot wireless antenna aboard a rented boat and piloted it within about 800 feet of the beachfront club in Palm Beach.
"There, we picked up signals from the club's wireless networks, three of which were protected with a weak and outmoded form of encryption known as WEP. In 2005, an FBI agent publicly broke this type of encryption in minutes," write co-authors Jeff Larson, Surya Mattu and Julia Angwin.
"By comparison, the military limits the signal strength of networks at places such as Camp David and the White House so that they are not reachable from a car driving by. It also requires wireless networks to use the strongest available form of encryption."
The investigation comes as the world reels from a massive cyberattack last week, in which hackers used so-called WannaCry ransomware to cripple Britain's nationally run hospitals and businesses and government offices in countries around the globe.
Mr. Trump has spent seven weekends at Mar-a-Lago and one at his golf club in Bedminster, New Jersey, out of his first 17 weekends as president. The Center for American Progress, a liberal organization tracking his travel, estimates the cost to U.S. taxpayers at $26 million.
The president's travel habits are a departure from those of his predecessors: both President Obama and President Bush took weekend getaways at Camp David, where the Defense Information Systems Agency is responsible for digital security.
A spokeswoman for the Trump Organization told ProPublica and Gizmodo that the company follows "cybersecurity best practices" and is "confident in the steps we have taken to protect our business and safeguard our information."
The White House did not respond to repeated requests for comment, according to ProPublica and Gizmodo.