Trump campaign arms up with 'unhackable' phones after Iranian intrusion
- Reference: 1728916085
- News link: https://www.theregister.co.uk/2024/10/14/trump_unhackable_phones/
- Source link:
Military kit supplier Green Hills Software has equipped Trump's team with supposedly unhackable phones and computers as the campaign attempts to avoid a repeat of [1]earlier incidents where pro-Iranian attackers managed to steal emails and other data from the crew. The provider claims its software is impervious to any intrusion attempts and has also offered the technology to the Harris campaign team.
The kit uses the Green Hills Integrity-178B operating system, which is used on the stealth B-2 bomber, F-22, and F-35 fighters, and appears to be one of the only [2]commercially available OSes certified to Evaluation Assurance Level 6. The company says its security comes from tight coding and locking down absolutely everything it can to minimize the opportunities for intrusion.
[3]
Green Hills Software CEO Dan O'Dowd told The Register that the entire operating system of the devices operates on around 10,000 lines of code that are penetration tested by a team incentivized to find bugs.
[4]
[5]
"I've had staff complaining that they can't find enough bugs," O'Dowd claimed.
For now, the company focuses on high profile users, building a billion-dollar business providing secure operating systems for the military and law enforcement.
[6]
"We spend thousands of dollars reviewing every line of code," he said. "Everything is security Day 1, 2, and 10 without being checked. We have a whole team checking each other's code."
[7]Feds charge 3 Iranians with 'hack-and-leak' of Trump 2024 campaign
[8]Iran's cyber-goons emailed stolen Trump info to Team Biden – which ignored them
[9]Trump campaign cites Iran election phish claim as evidence leaked docs were stolen
[10]If you're holding important data, Iran is probably trying spearphish it
The software shop claims it is immune to [11]zero-click commercial surveillance tools such as the NSO group's Pegasus code and Green Hills asserts the phones "never fail and can't be hacked."
However, this is like a red rag to a bull for some criminally minded coders, as well as white-hat hackers. Logically, no software is impervious to dedicated attacks, but Green Hills thinks otherwise, and also wants to extend the use of the code to election systems themselves.
"We must also ensure that the same level of security and reliability used in nuclear systems be applied to voting machines, given their critical role in the electoral process," O'Dowd said. "Securing the integrity of the democratic process is paramount."
The firm isn't wrong on the latter point. As has been shown again and again, election voting systems are woefully inadequate, despite [12]strenuous [13]efforts by the hacking community to fix insecure systems. As we race towards election day, Green Hills will soon see if its kit lives up to its claims. ®
Get our [14]Tech Resources
[1] https://www.theregister.com/2024/09/27/us_charges_iran_trump_campaign_hack/
[2] https://www.ghs.com/customers/lockheedf35.html
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zw1AJtJudNbAEDmQc2wFOwAAABQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zw1AJtJudNbAEDmQc2wFOwAAABQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zw1AJtJudNbAEDmQc2wFOwAAABQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zw1AJtJudNbAEDmQc2wFOwAAABQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/09/27/us_charges_iran_trump_campaign_hack/
[8] https://www.theregister.com/2024/09/19/iran_trump_hack_info_biden/
[9] https://www.theregister.com/2024/08/12/trump_campaign_hacked_iran_claim/
[10] https://www.theregister.com/2024/09/30/iran_spearphishing/
[11] https://www.theregister.com/2023/04/12/quadream_spyware_microsoft_citizenlab/
[12] https://www.theregister.com/2023/05/11/us_voting_system_pen_testing/
[13] https://www.theregister.com/2020/08/05/blaze_blackhat_keynote/
[14] https://whitepapers.theregister.com/
If I remember correctly several Trump associates, including Guliani, were caught in a phishing attack. The OS is never the weakest link.
Used on B-2, F-22, F-35
"Integrity-178B operating system, which is used on the stealth B-2 bomber, F-22, and F-35 fighters,"
A lot of people are seeking to get their hands of these phones, I believe.
Oh, my
Unhackable, eh? Let's see how long it will take to crack it. Remember, this kind of security is only as strong as its weakest point, which in this case would be The Donald himself. I rather suspect that he would use an easily guessed password and would turn off any multifactor, despite the best efforts of his security guys. Who may be less than enthusiastic, depending on whether or not he treats them the way he treats other minions and hasn't paid them for a while/
[gets popcorn]
Re: Oh, my
Well I suppose that's one way to get your designs stress tested by the best in the world - not that you'd know it had failed until far too late.
Re: Oh, my
username TheDonald
PW The bestiestpasswordever1
Re: Oh, my
[1]maga2020! . note the secure mix of letters numbers and symbols you would expect from the greatest genius ever
[1] https://www.theregister.com/2020/10/23/trump_twitter_account_no_mfa/
Very stable genius
Not 'greatest genius ever' - but "very stable genius!"
SFW - great music and lyrics - https://youtu.be/k-LTRwZb35A?si=MMF0BzNuK3tf_-Ef
"Everything is security Day 1, 2, and 10 without being checked."
The what now?
Days 3 - 9 we insert the requisite bugs, per staff requirements.
"The provider claims its software is impervious to any intrusion attempts"
Green Hills asserts the phones "never fail and can't be hacked."
"...claims it is immune to zero-click commercial surveillance tools"
I haven't looked at a single line of the code, do not know this device, have never heard of Green Hills and I'm not a professional hacker. But despite this I can say, with absolute certainty, that these statements are bullshit and that by stating them, the company is hoping that the Trump team share the same shoe-size IQ as the MAGA loons that support them.
Who cares whether the end-user devices are hackable, if the services they're using are?
I imagine they've set everything up to go over a VPN, so that would be the best place to attack.
My thought is...
.. that this phone does not run any Android or IOS apps, so Donald will have his own 'secret' more mainstream phone to enable him to post on X or his Truth (sic) Social platform.
But that's OK, because he won't use it for mail (until he does, by mistake).
Re: My thought is...
I am told the orange buffoon does not actually post on X / Truth himself and never has. He is unable to use a modern phone and all his posts are made by staffers.
Yes, that's right, someone else wrote 'covfefe'.
Re: My thought is...
What, does he have staffers in the bedroom? I'm pretty certain that he has been reported as waking up, checking Twitter as was then, and posting at ungodly hours of the morning.
One law, etc
I wonder how long it will be before the Donald rages at Apple because they can't hack a criminal's iPhone, or at any of the E2E encrypted messages services.
But, as others have alluded, a secure device still relies on secure meatware...
Hmm
It would be interesting if it frustrates the security services from listening in on Trump. But since a potential 3rd assassination attempt has now been thwarted I hope secret service protection is taken more seriously for the potential next president.
My prediction:
This will turn out to be a supply-chain attack.
So the testers are incentivised to find bugs
And they're complaining that the coders aren't putting enough bugs in?
There's an obvious revenue enhancement opportunity there, if the two teams only talk to each other...
Re: So the testers are incentivised to find bugs
It's classic prisoners' dilemma. Let's cooperate.
All the responses refer to the main candidate on the ticket being the point of failure. But I suspect he will not be informed about the sensitive stuff anyway lest he would spill all the beans* during a rally or "interview". I even do not even think he will get one of these phones.
* Pun intended, he has been said to do spill beans during rallies.
Wii U (yes, the Wii U)
Green Hills Software also [1]made the Wii U IDE environment for Nintendo .
An anonymous third-party developer [2]said it was clunky and slow :
Having worked on other hardware consoles, I suppose that we were rather spoilt by having mature toolchains that integrated nicely with our development environment. Wii U on the other hand seemed to be trying at every turn to make it difficult to compile and run any code. [...] Finally, when you had the code, you would deploy it to the console and start up the debugger, which was part of the toolchain that Nintendo had licensed from Green Hills Software. As a seasoned developer I've used a lot of debuggers, but this one surprised even me. Its interface was clunky, it was very slow to use and if you made the mistake of actually clicking on any code, then it would pause and retrieve all of the values for the variables that you had clicked, which might take a minute or more to come back.
The Wii U [3]also got hacked in record time .
[1] https://www.ghs.com/customers/nintendo_wiiu.html
[2] https://www.eurogamer.net/digitalfoundry-2014-secret-developers-wii-u-the-inside-story
[3] https://fail0verflow.com/blog/2014/console-hacking-2013-omake/
"Unhackable" assumes that the person using the device has secure passwords and multi-factor authentication setup as well. You'd think that would be the case, but there is a precedent here. 2 in fact, allegedly.
https://www.theregister.com/2020/09/11/trump_twitter_account_recycled_password/
https://www.theregister.com/2020/10/23/trump_twitter_account_no_mfa/