physical security

When Physical Security Affects Cybersecurity

General Security

Share this Post

On March 30 the Secret Service arrested Yujing Zhang, a 32-year-old Chinese national, at the Trump-owned Mar-a-Lago resort (where President Trump frequently spends weekends). The charge? Suspicion of being a “foreign agent.” At the time she was carrying an alarming trove of spy gear:

  • two passports
  • four separate cellphones
  • five cellphone SIM cards
  • an external hard drive
  • nine USB thumb drives (one with malicious computer software)
  • and a device for detecting electronic signals
The physical security gates at Mar-a-Lago Resort in Palm Springs, FL

The secure gates at Mar-a-Lago Resort in Palm Springs, FL (source)

Was the President’s life in danger because of this? Probably not. No matter where the President roams, the Secret Service is there. However, we should be worrying about the building’s USB ports.

Ali Soufan, a private security consultant and former FBI counterterrorism agent, described this “loadout” as “consistent with an effort to monitor computer systems while evading surveillance.” He characterized Mar-a-Lago as “the worst counterintelligence nightmare the country has faced since the Cold War.”

The Role of USB Thumb Drives in Hacking

T.J. McComas is a security consultant, electrical technologist specializing in life safety and auxiliary systems, and founder of Bastion Security. (He also sits on the board of the Detroit chapter of ASIS International—the American Society for Industrial Security.)

As McComas has mentioned here in the past, “the easiest way to gain access to a computer system is physically. If you are physically in front of that computer, there are hundreds of things you can do in a matter of seconds—plug in a USB drive with a pre-loaded Trojan, clip a vampire tap onto a cable, plug in a hardware keylogger—and that network is completely compromised.”  He notes that thumb drives are a very popular network attack vector.

For example, the worst digital attack the Defense Department ever suffered was in 2008. The still-unidentified attackers used a compromised USB thumb drive. Once plugged into a U.S. military laptop, the USB drive infected the laptop with a worm. The laptop then connected to a classified USCENTCOM network. At that time, the worm hidden on the thumb drive propagated, spreading throughout both classified and unclassified military systems. Ultimately, it took the Pentagon over a year to purge their networks of the worm, and lead to major policy changes (including banning “removable media” like USB thumb drives, disabling Windows “auto-run” features, and forming the United States Cyber Command.)

Could such an attack be successful at the President’s favorite relaxation spot? Almost certainly.

bulletproof barrier

Physical Security Is the Weakest Link in Any Computer System

Laurence Leamer, a Palm Beach writer who recently wrote a book about Mar-a-Lago, is a frequent visitor to the resort. He told the Washington Post that, once past reception, any visitor is stopped well before getting access to any private areas frequented by the President. But apart from that “You can go anywhere…There’s no checkpoints once you’re in there.” And, like any hospitality venue, Mar-a-Lago has networked computers and devices everywhere.

McComas agrees that there’s reason to be concerned here. “It’s always a lot easier to gain access to information from the inside than it is from the outside,” McComas explains. “A lot of businesses, as default, allow unrestricted USB access at all of their terminals. Most of the time that’s fine—and very convenient for workers, visitors, and so on. But if someone has a corrupted USB drive—one with a Trojan or a worm or something like that on it—then as soon as they plug that in, it’s going to infect the entire network. That can be more than enough to open up a hole in a firewall,” which would allow remote hackers access to the network, and give them a huge leg-up in compromising devices connected to it.

Protecting Celebrities, Dignitaries and Others Who Need Physical Security

Jim Richards, CEO of Total Security Solutions, has experience designing, engineering, fabricating, and installing custom bullet-resistant physical security systems for foreign dignitaries and other extremely high-profile individuals who face ongoing physical threats. These have included designing and creating temporary security systems for hotel rooms, conference rooms, and rental properties being used by foreign dignitaries.

How easy does Jim think it would be to physically secure a resort like Mar-a-Lago?

“Not very.”

Jim notes the significant trade-offs that come with truly meaningful physical security in these situations. “They have to block out areas, seal doors—really control where the dignitary can and can’t go. That’s the reality.”

For example, Jim mentioned that one dignitary they worked with had a $10 million bounty on his head. “For him, this level of security and compartmentalization, it’s everyday life. He wants to live to be old, so he lives a pretty isolated life, with people constantly controlling what he can and cannot do. He accepts that; being him means being less free. But that’s the 0.0001% of the population.  When you’re dealing with other people—people who perceive themselves as important because they are wealthy, or celebrities—they’re tougher to get in line.” Because they are accustomed to their wealth or popularity making them free to do whatever they chose, “They are much more likely to get in the way of their own security.”