Internet security at Mar-a-Lago — the private club President Trump owns and has dubbed the “Southern White House” — is weak, ProPublica and Gizmodo reported Wednesday, based on their recent joint investigation.
Trump has used the resort, as well as other properties he owns, to meet with staffers and foreign heads of state on official business.
Among the security holes the publications identified at Mar-a-Lago:
- a WiFi-enabled printer/scanner that is publicly accessible;
- a misconfigured and unencrypted router;
- use of the weak and outmoded WEP encryption for three of the club’s wireless networks, which makes them vulnerable to hacking in less than five minutes; and
- a database with an insecure login page on the club’s website, which is not protected by standard Internet encryption.
Mar-a-Lago guests only have to produce a photo ID when they enter through the facility’s main door. Also, the club serves as a venue for ticketed public events.
The president has hosted foreign leaders and politicians at his properties. In February, he took a call about a North Korean ballistic missile launch in Mar-a-Lago’s dining room, with members and waiters present and able to overhear the conversation. In April, he tracked the first attack he ordered on Syria from what the White House described as a makeshift situation room at Mar-a-Lago.
“Any presidential retreat or home is a target for foreign and domestic surveillance,” said James Scott, a senior fellow at the Institute for Critical Infrastructure.
A spy “could attempt to capture audio, video, or images of classified information, meetings, conversations and documents,” he told TechNewsWorld.
A Security Nightmare
Despite millions of dollars spent annually on cybersecurity to protect White House communications, they fell victim to hack attacks in 2014, 2015 and 2016.
Mar-a-Lago reportedly spent just $443,000 on cybersecurity.
The United States Government Accountability Office has launched an investigation into security at Mar-a-Lago.
Other Trump Properties
The Trump International Hotel in Washington, D.C., where the president often dines with son-in-law and senior adviser Jared Kushner, has two WiFi networks that can be accessed simply by typing in a room number.
“Hotels have long been a more than attractive target for cyberattackers,” noted independent cybersecurity analyst Randy Abrams.
“To conduct a meeting with a national security import in a location surrounded by vulnerable systems if of great concern,” he told TechNewsWorld. “Considering the target value, it is incomprehensible.”
A Trump club in Bedminster, New Jersey, where the president interviewed candidates for top administration positions, has two open WiFi networks that don’t require a password to join, the ProPublica and Gizmodo reported.
Trump club websites are hosted by Clubessential, which has an incorrectly configured Internet-accessible backend server. Clubessential also puts many of the default settings and usernames for its software online without password protection.
“The president and his staff should use two separate and secure networks for all other personal and professional traffic while on the premises of any property like Mar-a-Lago,” ICI’s Scott said.
Maintenance of the [presidential business] network would be funded by taxpayers, ICI’s Scott suggested, but the cybersecurity of Mar-a-Lago guests “would be the responsibility of the club.”
“The majority of breaches are the result of poor cybersecurity practices,” said Adam Meyer, chief security strategist at SurfWatch Labs.
“Turning a blind eye to these cyber-risks “could have great consequences,” he told TechNewsWorld.
“Securing networks … is a basic step which is required,” observed John Maring, managing partner at Optimal IdM.
“It’s important for organizations to … implement secure practices as part of the corporate culture,” he told TechNewsWorld.
“The fact that Trump properties don’t even use well-known, basic, security controls seen at most of our homes is alarming,” said James Carder, CISO of LogRhythm.
“If Mar-a-Lago is the White House in the South,” he told TechNewsWorld, “it should have the same cybersecurity precautions in place as the real White House in Washington, D.C.”