Mar-a-Lago’s Security Problems Go Way Beyond a Thumb Drive

Credit to Author: Brian Barrett | Date: Wed, 03 Apr 2019 21:10:56 +0000

On Saturday afternoon, Yujing Zhang arrived at Mar-a-Lago and approached a Secret Service agent, seeking entry. She explained, according to court documents, that she was there to use the pool. What happened next illustrates just how hard it is to secure President Trump’s home away from the White House, and it joins a steadily growing number of concerning incidents.

Keeping Mar-a-Lago locked down is of vital importance: Trump has spent around 100 days at his private club in Palm Beach, Florida, since taking office in 2017. He has visited his golf course in Bedminster, New Jersey, nearly as often, and whiled away cumulative months at other properties he owns. But Mar-a-Lago is where Trump hosts foreign dignitaries, cabinet officials, members of Congress, and other high-profile individuals. He has conducted high-wire, real-time diplomacy from its dining room, in full view of the club's guests.

Given those stakes, the US Secret Service understandably keeps as tight a lid as it can on who goes in and out. According to a recent Government Accountability Office study, it deploys three layers of vetting, depending on how close someone will get to the president. But unlike the White House or, say, previously popular presidential getaway Camp David, Mar-a-Lago remains a relatively public space—which makes it a relatively easy target. In fact, on Wednesday the Miami Herald reported that federal authorities have been investigating possible Chinese intelligence operations in the area.

“It's really hard to lock somewhere like that down,” says Jake Williams, founder of Rendition Infosec and a former NSA hacker. “While the Secret Service can make recommendations, it is a commercial establishment at the end of the day. The more they make it like a fortress, the less people want to be there.”

The Zhang incident neatly exposes those tensions. According to the criminal complaint filed in the Southern District of Florida, the first Secret Service agent Zhang encountered confirmed her passport, then sent her to Mar-a-Lago security to confirm that she was on the guest or member list. While it may sound surprising that the first real layer of protection comes from private security rather than federal agents, that’s how the system is designed, something the Secret Service pointedly noted in a statement Tuesday night.

“The Secret Service does not determine who is invited or welcome at Mar-a-Lago; this is the responsibility of the host entity,” the statement begins. “The Mar-a-Lago club management determines which members and guests are granted access to the property.”

In this case, management apparently let Zhang in not because she was cleared but because she shared a last name with a Mar-a-Lago member. They asked if she was the member’s daughter; she allegedly didn’t respond definitively either way, so Mar-a-Lago gave her the benefit of the doubt. Which, in retrospect, seems fairly remarkable.

“That makes it very difficult for security,” says Jeffrey Ringel, director of operations for the Soufan Group, a security intelligence firm, and a 21-year FBI veteran. “They have to work hand in hand with Mar-a-Lago management to make sure that there’s a plan in place, that both parties know what’s expected of one another.”

From there, court documents say, Zhang passed multiple restricted access signs and at least two Secret Service agents on the way to reception, where her story finally collapsed: She allegedly claimed to be there for a nonexistent “United Nations Friendship Event,” changed her story during a Secret Service interview, and had not packed a swimsuit. She had, though, managed to bring along four cellular phones, a laptop, an external hard drive, and a thumb drive containing malware.

It’s unclear what Zhang’s intentions were and what was on that thumb drive to begin with. In some ways, the lesson here is that the system works: Mar-a-Lago let in someone that it shouldn’t have, but the Secret Service caught the interloper before any damage was done.

“Her being there is in some sense good news, since it means someone wanted access and was not able to get it via remote means,” says Dave Aitel, a former NSA analyst who runs the penetration testing firm Immunity. “On the other hand, there could be a bug or other implant that she was there to collect the data from. The possibilities are endless.”

Look at the Zhang incident in light of other recent Mar-a-Lago mishaps, though, and a picture emerges of a place that seems too exposed to house serious presidential deliberations. First, there’s the physical element; multiple people have trespassed, albeit with less sophistication than Zhang. “It's an attacker's dream and a physical security nightmare,” Williams says.

Ringel notes that Mar-a-Lago deciding who gets in, rather than the Secret Service, isn’t all that unusual. Think of a benefit or a fundraiser, where the organization manages the list of attendees or donors. But Mar-a-Lago’s vetting process for members and guests remains unclear. The property did not respond to a request for comment, but the Miami Herald notes that Mar-a-Lago regular Li Yang—founder of the massage parlor that New England Patriots owner Robert Kraft allegedly visited—apparently became a recent focus of the federal probe. More generally, the level of scrutiny for guests depends on whether Trump is in residence but can be as minimal as an ID check.

And that’s before you get to the cybersecurity risks, to which Trump is no stranger. A 2017 report from ProPublica and Gizmodo found that the Wi-Fi networks at various Trump properties, including Mar-a-Lago, were painfully easy to hack.

The Zhang debacle manages to combine both the digital and physical threats. A 2016 study found that nearly half the people who find a USB drive on the ground go ahead and plug it in. If installing spyware on a Mar-a-Lago device and hoping to get lucky was her aim, all Zhang needed to do was drop the drive somewhere on the property. That may not have turned up much, but when it’s apparently so easy to sneak in, what’s the harm of trying?

It’s important not to overhype Zhang’s intrusion. “The security steps in place are working, because she was stopped,” Ringel says. But it does underscore that, compared to the White House, Mar-a-Lago is a relatively soft target—one that attackers are willing to test.

“This latest incident raises very serious questions regarding security vulnerabilities at Mar-a-Lago, which foreign intelligence services have reportedly targeted,” wrote Democratic senators Chuck Schumer (New York), Dianne Feinstein (California), and Mark Warner (Virginia) to director of national intelligence Dan Coats and Secret Service director Randolph Alles. “These potential vulnerabilities have serious national security implications.”

In that letter, the senators ask what steps can be taken to assure the confidence of classified information at Mar-a-Lago. Given the inescapable tensions between the property's public and private roles, the obvious answer is not to go there in the first place.
