Over the weekend, as President Trump was enjoying his 23rd visit to Mar-a-Lago since his inauguration, a woman was arrested by the Secret Service and accused of bluffing her way into the reception area of the resort. At the time she was detained, she was carrying Chinese passports, four cellphones, a laptop, an external hard drive and a USB thumb drive that, according to the criminal complaint, “contained malicious malware.” That’s redundant; “malware” is a contraction of “malicious software.”
For obvious reasons, the arrest set off alarm bells. Mar-a-Lago has long been seen as vulnerable, at least since Trump and Japanese Prime Minister Shinzo Abe held a brief foreign policy meeting in the middle of the club dining room in 2017. ProPublica and Gizmodo conducted a probe of the club’s security and determined that it would be fairly easy to access its WiFi network. And Mar-a-Lago itself is responsible for limiting visitors’ access to the facility at large, as the Secret Service was quick to note in a statement. The only time a visitor list for the facility has been released, after a court fight, it included only 22 people — all of whom were accompanying Abe.
The arrest raises one very specific question, though: What damage, exactly, could a USB drive do at the resort?
It’s important to note at the front end that it’s not clear what type of malware was on the woman’s USB drive. She may have been legitimately trying to attend an event at the facility (though she allegedly claimed only to be trying to visit the pool) and had with her materials that she might normally carry, including a drive that, unbeknown to her, was infected. So let’s consider the question in the abstract. To do so, we spoke by phone with Israel Barak, chief information security officer for the security firm Cybereason.
There are distinct advantages and drawbacks to using a USB drive to try to access a network. The most significant drawback, of course, is that it requires physical access to a USB port. The advantage? Once you’ve plugged the device in, any number of possibilities open up.
One scenario Barak offered involved a USB drive plugged into a computer on the target’s network when that network is not connected to the Internet.
“A malicious tool that was injected into the target’s environment will report back or provide telemetry that will be saved back to the USB drive,” he said, “that will be carried out by an individual to a place where it can be transmitted to the operator, and then commands will be downloaded to the USB drive, and some further actions can be taken by [the] tool.” In other words, the drive itself becomes the channel: it carries reconnaissance about the network out to the attackers and carries their instructions back in, giving them more information about how to attack the network more broadly.
That was hardly the only example.
“You can use the USB drive to download data from the target’s environment,” Barak added. “You would sometimes use it to avoid transmitting large quantities of data over the network, which might seem abnormal to a network operator.”
And, he said, “a USB drive may not be just a USB drive. It may have a form factor of a USB drive but quite honestly any type of device can be connected via USB to a machine. It can be a WiFi antenna or a [radio frequency] antenna. It can be a device that executes or that also hides the malicious code that scans the network. It can be a full-blown computer that is inside that thing that looks like a USB drive.”
In other words, there’s not a lot you can’t do.
So what? So a hacker gets, what, the ability to change a user’s reservation? Well, it’s more complicated than that. In 2017, hackers took over a hotel’s door-lock system, locking out everyone until a ransom of $1,800 was paid. At Mar-a-Lago, the attendance of various VIPs adds another problematic level.
Hackers, Barak pointed out, could access the “visitors list or the guest list or the reservation system.” That would allow them to potentially know when VIPs — such as Cabinet officials, who often join Trump at the facility — were arriving and the rooms in which they would be staying, information that would obviously be of use to foreign intelligence officers.
Mar-a-Lago would be a very target-rich environment even setting aside Trump’s presence.
“I think it represents, especially the amount of connected devices represent, a unique challenge that often the security staff will not find at the same level of magnitude in other industries,” Barak said.
That’s a common problem with places that see a lot of guest turnover, such as hotels and casinos. But it’s also a function of the hotels wanting to offer resources and amenities for visitors. He cited the example of a casino where the network was compromised because hackers identified an unprotected network access point: an Internet-connected fish tank.
“There’s nothing that can be done to fully prevent a determined hacker from gaining access to a network,” Barak said. “You need to assume,” he later added, “[an] assumption of breach mind-set: The perimeter’s going to get breached. So you put in place systems, processes and people that can detect when something like this happens and have the capability to remove it from the environment before it impacts one of those critical assets.”
Filtering data coming into the network from the Internet or email, or from a USB drive, is the perimeter. But once hackers move past the perimeter, it’s incumbent on the facility to discover them quickly and root them out. That means a lot of real-time monitoring, by the facility itself or by an off-site firm that tracks network activity. (Remember Barak’s point about moving large data sets out on a USB drive? It’s specifically to avoid that monitoring.)
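As an added illustration of the kind of monitoring Barak describes (this is example code written for this piece, not code from the article or from Cybereason), the Python below reads constructed Linux kernel log lines and flags USB attachments a monitoring team would want to look at: a drive on a host that should never see removable media, a drive that is not on the approved list, and a device that, as Barak put it, is not just a USB drive because it also presents a keyboard. The hostnames, device IDs and the approved-drive list are assumptions.

```python
import re

# Constructed sample syslog lines, modelled on the Linux kernel's USB attach
# messages; the hostnames, timestamps and device IDs are invented.
SAMPLE_LOG = """\
Mar 30 14:02:11 frontdesk-pc kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar 30 14:02:11 frontdesk-pc kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 30 14:05:40 frontdesk-pc kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Mar 30 14:05:40 frontdesk-pc kernel: hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-2/input0
Mar 30 14:09:03 reservations-srv kernel: usb 3-1: New USB device found, idVendor=1d6b, idProduct=0104, bcdDevice= 4.19
Mar 30 14:09:03 reservations-srv kernel: usb-storage 3-1:1.0: USB Mass Storage device detected
Mar 30 14:09:03 reservations-srv kernel: hid-generic 0003:1D6B:0104.0002: input,hidraw1: USB HID v1.01 Keyboard [Gadget] on usb-0000:00:1a.0-1/input0
"""

PREFIX = r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+kernel:\s+"
NEW_DEV = re.compile(PREFIX + r"usb (?P<addr>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STORAGE = re.compile(PREFIX + r"usb-storage (?P<addr>[\d.-]+):[\d.]+: USB Mass Storage device detected")
HID = re.compile(PREFIX + r"hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.")

def parse_devices(log_text):
    """Build one record per attached USB device: (host, port) -> vid, pid, classes."""
    devices = {}
    for line in log_text.splitlines():
        if m := NEW_DEV.match(line):
            devices[(m["host"], m["addr"])] = {"vid": m["vid"], "pid": m["pid"], "classes": set()}
        elif (m := STORAGE.match(line)) and (m["host"], m["addr"]) in devices:
            devices[(m["host"], m["addr"])]["classes"].add("storage")
        elif m := HID.match(line):
            # hid-generic reports VID:PID rather than the port, so correlate on those
            for (host, _), dev in devices.items():
                if host == m["host"] and (dev["vid"], dev["pid"]) == (m["vid"].lower(), m["pid"].lower()):
                    dev["classes"].add("hid")
    return devices

NO_REMOVABLE_MEDIA = {"reservations-srv"}   # assumed: hosts that should never see a USB drive
APPROVED_DRIVES = {("0781", "5567")}         # assumed: issued drives, by vendor:product ID

def usb_alerts(log_text, no_media=NO_REMOVABLE_MEDIA, approved=APPROVED_DRIVES):
    """Flag USB attachments that a monitoring team would want to look at."""
    alerts = []
    for (host, addr), dev in parse_devices(log_text).items():
        ident = f"{host} usb {addr} {dev['vid']}:{dev['pid']}"
        if "storage" in dev["classes"] and host in no_media:
            alerts.append(f"{ident}: mass storage on a host where removable media is not permitted")
        if "storage" in dev["classes"] and (dev["vid"], dev["pid"]) not in approved:
            alerts.append(f"{ident}: mass storage device is not an approved drive")
        if {"storage", "hid"} <= dev["classes"]:
            alerts.append(f"{ident}: also presents a keyboard, so it is not just a drive")
    return alerts
```

Run against the sample, only the reservations server's composite device trips the rules; the approved drive on the front-desk PC and the plain keyboard produce nothing.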
A number of questions about the events at Mar-a-Lago this weekend remain unanswered. If it was a clumsy attempt to access the hotel’s network, it thankfully failed. But one of Barak’s central points was that a successful intrusion attempt by a determined hacker was all but inevitable.
We’re left to hope that Mar-a-Lago’s “IT security hygiene,” as he put it, is good enough to protect a facility that Trump likes to call the “winter White House.”