- Author: Brian Barrett
Mar-a-Lago's Security Problems Go Way Beyond a Thumb Drive
- Author: Brian Barrett
Mar-a-Lago's Security Problems Go Way Beyond a Thumb Drive
On Saturday afternoon, Yujing Zhang arrived at Mar-a-Lago and approached a Secret Service agent, seeking entry. She explained, according to court documents, that she was there to use the pool. What happened next illustrates just how hard it is to secure President Trump’s home away from the White House, and it joins a steadily growing number of concerning incidents.
Keeping Mar-a-Lago locked down is of vital importance: Trump has spent around 100 days at his private club in Palm Beach since taking office in 2017. He’s visited his golf course in Bedminster, New Jersey, nearly as often, and whiled away cumulative months at other properties he owns. But Mar-a-Lago is where Trump hosts foreign dignitaries, Cabinet officials, members of Congress, and other high-profile individuals. He has conducted high-wire, real-time diplomacy from its dining room, in full view of the guests.
Given those stakes, US Secret Service understandably keeps as tight a lid as it can on who goes in and out. According to a recent Government Accountability Office study, it deploys three layers of vetting, depending on how close someone will get to the president. But unlike the White House or, say, previously popular presidential getaway Camp David, Mar-a-Lago remains a relatively public space—which makes it a relatively easy target. In fact, on Wednesday the Miami Herald reported that federal authorities have been investigating possible Chinese intelligence operations in the area.
“It's really hard to lock somewhere like that down,” says Jake Williams, founder of Rendition Infosec and former NSA hacker. “While the Secret Service can make recommendations, it is a commercial establishment at the end of the day. The more they make it like a fortress, the less people want to be there.”
The Zhang incident neatly exposes those tensions. According to the criminal complaint filed in the Southern District of Florida, which you can read in full below, the first Secret Service agent Zhang encountered confirmed her passport, then sent her to Mar-a-Lago security to confirm that she was on the guest or member list. While it may sound surprising that the first real layer of protection comes from private security rather than federal agents, that’s how precisely the system is designed, something the Secret Service pointedly noted in a statement Tuesday night.
“The Secret Service does not determine who is invited or welcome at Mar-a-Lago; this is the responsibility of the host entity,” the statement begins. “The Mar-a-Lago club management determines which members and guests are granted access to the property.”
In this case, management apparently let Zhang in not because she was cleared, but because she shared a last name with a Mar-a-Lago member. They asked if she was the member’s daughter; she allegedly didn’t respond definitively either way, so Mar-a-Lago gave her the benefit of the doubt. Which, in retrospect, seems fairly remarkable.
“That makes it very difficult for security,” says Jeffrey Ringel, director of operations for The Soufan Group, a security intelligence firm, and a 21-year FBI veteran. “They have to work hand in hand with Mar-a-Lago management to make sure that there’s a plan in place, that both parties know what’s expected of one another.”
From there, court documents say, Zhang passed multiple restricted access signs and at least two Secret Service agents on the way to reception, where her story finally collapsed: She allegedly claimed to be there for a nonexistent “United Nations Friendship Event,” changed her story during a Secret Service interview, and had not packed a swimsuit. She had, though, managed to bring along four cellular phones, a laptop, an external hard drive, and a thumb drive containing malware.
It’s unclear still what Zhang’s intentions were, and what was on that thumb drive to begin with. In some ways, the lesson here is that the system works: Mar-a-Lago let in someone that it shouldn’t have, but Secret Service caught the interloper before any damage was done.
“Her being there is in some sense good news, since it means someone wanted access and was not able to get it via remote means,” says Dave Aitel, former NSA analyst who currently runs the penetration testing firm Immunity. “On the other hand, there could be a bug or other implant that she was there to collect the data from. The possibilities are endless.”
Looking at the Zhang incident in light of other recent Mar-a-Lago mishaps, though, and a picture emerges of a place that seems too exposed to house serious presidential deliberations. First, there’s the physical element; multiple people have trespassed, albeit with less sophistication than Zhang. “It's an attacker's dream and a physical security nightmare,” says Williams.
"It's an attacker's dream and a physical security nightmare."
Jake Williams, Rendition Infosec
Ringel notes that Mar-a-Lago deciding who gets in, rather than Secret Service, isn’t all that unusual. Think of a benefit or a fundraiser, where the organization manages the list of attendees or donors. But Mar-a-Lago’s vetting process for members and guests remains unclear. The property did not respond to a request for comment, but the Miami Herald report notes that Mar-a-Lago regular Li Yang—founder of the massage parlor that New England Patriots owner Robert Kraft allegedly visited—apparently became a recent focus of the federal probe. More generally, the level of scrutiny for guests depends on whether Trump is in residence, but can be as minimal as an ID check.
And that’s before you get to the cybersecurity risks, to which Trump is no stranger. A 2017 report from ProPublica and Gizmodo found that the Wi-Fi networks at various Trump properties, including Mar-a-Lago, were painfully easy to hack.
The Zhang debacle manages to combine both the digital and physical threats. A 2016 study found that nearly half the people who find an USB drive on the ground go ahead and plug it in. If installing spyware on a Mar-a-Lago device and hoping to get lucky was her aim, all Zhang needed to do was drop the drive somewhere on the property. That may not have turned up much, but when it’s apparently so easy to sneak in, what’s the harm of trying?
It’s important not to overhype Zhang’s intrusion. “The security steps in place are working, because she was stopped,” says Ringel. But it does underscore that compared to the White House, Mar-a-Lago is a relatively soft target—one that attackers are willing to test.
“This latest incident raises very serious questions regarding security vulnerabilities at Mar-a-Lago, which foreign intelligence services have reportedly targeted,” wrote Senators Chuck Schumer (D-NY), Dianne Feinstein (D-CA), and Mark Warner (D-VA) to director of national intelligence Dan Coats and Secret Service director Randolph Alles. “These potential vulnerabilities have serious national security implications.”
In that letter, the senators ask what steps can be taken to assure the confidence of classified information at Mar-a-Lago. Given the inescapable tensions between the property's public and private roles, the obvious answer is not to go there in the first place.
More Great WIRED Stories
- The body pullers of Raqqa, Syria
- How Democrats’ plan to fix their crumbling data operation
- 5 best rain jackets, and how to pick the right one
- HTTPS isn't always as secure as it seems
- How much prenatal genetic info do you really want?
- 👀 Looking for the latest gadgets? Check out our latest buying guides and best deals all year round
- 📩 Get even more of our inside scoops with our weekly Backchannel newsletter
Related Video
How to Get Started with Encrypted Messaging
It’s time to start using an encrypted messaging app. Why? Using end-to-end encryption means that no one can see what you’re sharing back and forth.
Sponsored Content
- Andy Greenberg
A Guide to LockerGoga, the Ransomware Crippling Industrial Firms
Sponsored
- Alex W. Palmer
On the Trail of the Robocall King
Sponsored
- Zeynep Tufekci
Machines Shouldn’t Have to Spy On Us to Learn
Sponsored
- Garrett M. Graff
Mueller Says No Collusion, Barr Raises a Million Questions
Sponsored
- Emily Dreyfuss
Security News This Week: Jared Kushner Used WhatsApp for White House Business
Sponsored
More security
- WIRED Opinion
It’s Time to End the NSA’s Metadata Collection Program
Author: Jake Laperruque
- Privacy
Third-Party Apps Exposed Over 540 Million Facebook Records
Author: Issie Lapowsky
- privacy
Hacker Eva Galperin Has a Plan to Eradicate Stalkerware
Author: Andy Greenberg
- WIRED Opinion
Right to Repair Is Now a National Issue
Author: Nathan Proctor
- security roundup
Google Play Store Has a Malware Problem (Again)
Author: Emily Dreyfuss
- Flaws
The Huawei Threat Isn’t Backdoors. It’s Bugs
Author: Lily Hay Newman
We Recommend
- Lily Hay Newman
HTTPS Isn't Always as Secure as It Seems
- Lily Hay Newman
Want Apple Card’s Security Benefits? Just Use Apple Pay
- Lily Hay Newman
Mastercard Wades Into Murky Waters With Its New Digital ID
- Emily Dreyfuss
How Zello Became a Lifeline for Venezuelans Under Maduro
- Lily Hay Newman
Hack Brief: How to Check Your Computer for Asus Update Malware