Propublica and Gizmodo sent a penetration-testing team to Mar-a-Lago, the Trump resort that has been at the center of series of controversial potential breaches of US military secrecy (for example, loudly discussing sensitive information about the North Korean missile launch in the club's full, public dining room); they discovered that it would be child's play to hack the Mar-a-Lago networks, and that indeed, the networks have almost certainly already been hacked.
The team found multiple unsecured wireless networks, unsecured and open wireless printers, misconfigured routers, an unsecured website from which they could "download a database that appears to include sensitive information on the club’s members and their families" and more.
They also inspected other Trump properties in which the president has conducted sensitive, highly secret government business, and found more open wifi networks from which they could access internal networks that relied on a 13-year-old software tool to protect it.
American presidents usually holiday at Camp David, a property secured by the US military with resources drawn from a $64m annual technology maintenance budget and a $2m budget earmarked for "defense solutions, personnel, techniques, and best practices to defend, detect, and mitigate cyber-based threats" (these budgets also cover the White House's information security).
By contrast, Mar-A-Lago budgets $442,931 for security. Last year, the Trump Organization paid $50,000 "to settle charges brought by the New York attorney general that it had not properly disclosed the loss of more than 70,000 credit card numbers and 302 Social Security numbers" that were leaked "due to poor security."
A Trump Organization spokesperson says that Mar-a-Lago follows "cybersecurity best practices."
We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.
A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation.
We have also visited two of President Donald Trump’s other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.
The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.
Any Half-Decent Hacker Could Break Into Mar-a-Lago
[Jeff Larson, Surya Mattu, and Julia Angwin/ProPublica/Gizmodo]
(Image: Jeff Larson/ProPublica)