Trump campaign arms up with 'unhackable' phones after Iranian intrusion

Oh, my

Unhackable, eh? Let's see how long it will take to crack it. Remember, this kind of security is only as strong as its weakest point, which in this case would be The Donald himself. I rather suspect that he would use an easily guessed password and would turn off any multifactor, despite the best efforts of his security guys. Who may be less than enthusiastic, depending on whether or not he treats them the way he treats other minions and hasn't paid them for a while/

[gets popcorn]

"Everything is security Day 1, 2, and 10 without being checked."

The what now?

"The provider claims its software is impervious to any intrusion attempts"

I haven't looked at a single line of the code, do not know this device, have never heard of Green Hills and I'm not a professional hacker. But despite this I can say, with absolute certainty, that these statements are bullshit and that by stating them, the company is hoping that the Trump team share the same shoe-size IQ as the MAGA loons that support them.

My thought is...

.. that this phone does not run any Android or IOS apps, so Donald will have his own 'secret' more mainstream phone to enable him to post on X or his Truth (sic) Social platform.

But that's OK, because he won't use it for mail (until he does, by mistake).

One law, etc

I wonder how long it will be before the Donald rages at Apple because they can't hack a criminal's iPhone, or at any of the E2E encrypted messages services.

But, as others have alluded, a secure device still relies on secure meatware...

Hmm

It would be interesting if it frustrates the security services from listening in on Trump. But since a potential 3rd assassination attempt has now been thwarted I hope secret service protection is taken more seriously for the potential next president.

My prediction:

This will turn out to be a supply-chain attack.

All the responses refer to the main candidate on the ticket being the point of failure. But I suspect he will not be informed about the sensitive stuff anyway lest he would spill all the beans* during a rally or "interview". I even do not even think he will get one of these phones.

* Pun intended, he has been said to do spill beans during rallies.

Wii U (yes, the Wii U)

Green Hills Software also made the Wii U IDE environment for Nintendo.

An anonymous third-party developer said it was clunky and slow:

Having worked on other hardware consoles, I suppose that we were rather spoilt by having mature toolchains that integrated nicely with our development environment. Wii U on the other hand seemed to be trying at every turn to make it difficult to compile and run any code. [...] Finally, when you had the code, you would deploy it to the console and start up the debugger, which was part of the toolchain that Nintendo had licensed from Green Hills Software. As a seasoned developer I've used a lot of debuggers, but this one surprised even me. Its interface was clunky, it was very slow to use and if you made the mistake of actually clicking on any code, then it would pause and retrieve all of the values for the variables that you had clicked, which might take a minute or more to come back.

The Wii U also got hacked in record time.

They may be right

They may be correct in a few, carefully limited ways about the quality of their code. Not that it's entirely unhackable, but for example, that NSO's existing exploits wouldn't work on it, that people don't have active exploits for it, that there aren't low-hanging vulnerabilities ready for the taking. There is code that obtains that level of quality, although I have no evidence that theirs is. Still, there are some times where code is good enough that finding a vulnerability directly through it is difficult or impractical, so maybe theirs has that.

However, that's not going to help you when attackers bypass it, as they're already trying to because that's cheaper and faster anyway. The humans are the weakest links in this scenario, and there are probably many limits. For example, the quoted figure of ten thousand lines of code actually makes it more likely that they have thoroughly checked that code, but it means that whatever it can do, it's probably not that many things. Maybe that doesn't include connectivity code because it runs on a different chip, in which case there's a place to look for vulnerabilities. Maybe it does, in which case I'm wondering what communication methods it actually supports to fit into that relatively small code limit. If the answer is that it can send text messages, presumably encrypted, and that's it, then the attackers can cheerfully ignore this and go to the systems on which all the information is stored. Sure, they might miss the last minute messages about something, but they'll see everything important enough that someone wanted a permanent note of it. People don't abandon email or group messages to use phones alone, and an attacker might find all the stuff they want on a different system. Even if the phones are unhackable, that won't be enough, and the phones probably aren't unhackable even if the code this company wrote was.

Prediction:

Today:

DJR: "These are the greatest phones ever! Unhackable! Absolute best!"

Next week, after they've been hacked:

DJR: "These are the worst phones ever! So easy to hack! They lied to me!"

Oh goody

Now he can plan the next Jan 6th in private with his pal Bannon who despite being in chokey, will have access to at least one phone.

Beware USAsians, Trump won't take any defeat lying down. He's running to stay out of jail for the rest of his life.

Of course they are unhackable, just like the Titanic was unsinkable.

Youj

I am telling ya, the battery in this thing is youj.

The software is reviewed in depth? How about the hardware?

One of my favorite anecdotes relates to SPECTRE and MELTDOWN. If the software is perfect (hah!) but the hardware doesn't behave as you expect, then (obviously) it's the software's fault.

The key thing about those vulnerabilities is that they were discovered long after the the hardware was shipped. So even the most paranoid review process wouldn't have found issues caused by them.

It's not the OS they'll target

Hey, Donald! Look! Want pictures of scantily clad ladiez in golden shower scene? klik here: <gif with a payload>

Job done.

Security rocks

You write the massage on a rock, then throw it to the recipient.

Unhackable.

I call bullshit

No way this company has developed an entire OS for smartphones. Maybe their 10K line OS is somehow used as a microkernel underneath Android's Linux kernel, but if they're still running Android they'll be vulnerable to everything it is vulnerable to.

If they've basically turned a smartphone into a dumbphone that can't run apps, they'll hand these out to staff but they'll continue using their personal phones and it'll have accomplished nothing.

So let me get this straight

They decided to take an operating system

That is part of some of the most dangerous weapon systems on Earth

Put it in a phone, which is online 24/7

and then throw down a challenge to the entire fecking internet to prove that their OS is "unhackable"

No.... I can't possibly see where this might have knock on effects.....

So, basically a cleverly-hardened dumbphone?

And then monkey boy installed crapware from Xitter and Tik-Hack and negated all the security.

Never heard of this company

Sure it isn’t one of those front companies the Feds set up to sell “unhackable” backdoored phones to criminals?

Possibly...

Do we know what Chinese hardware this wonderful OS runs on, or which AppStore you can download malware from?

I suspect staff will not want to use it as it will "lack essential features" like X, Facebook, ChatGPT, CandyCrush etc.

"We spend thousands of dollars reviewing every line of code,"

Thousands *per* line of code, or for *all* lines of code? Either way, it doesn't matter, its all bull.

Personally I always found code reviews to be marginally useful. There were basically only two outcomes -- a) I am absolutely certain this code won't work, or b) I am absolutely certain this code is so badly written you will never convince me it works.

Test cases and TDD on the other hand are most excellent, both for finding defects and for increasing confidence in the lack of defects. The code could still be a mess but if the tests pass then that's it (until you try to change it of course...).

Apps that won't be available on this OS....

Let me start with Twitter.

Small wins, people. Small wins

My, how far we've come. For years ago it was "the most secure election, ever". Now it's

We must also ensure that the same level of security and reliability used in nuclear systems be applied to voting machines, given their critical role in the electoral process," O'Dowd said. "Securing the integrity of the democratic process is paramount."

The firm isn't wrong on the latter point. As has been shown again and again, election voting systems are woefully inadequate, despite strenuous efforts by the hacking community to fix insecure systems.

Surprised this hasn't been quoted yet...

https://xkcd.com/538/

Bold claims

One wishes that absolute claims (like these) about information security were not associated with politicians with a reputation for, well, BS.

The only way for our industry to improve security is through transparency -- responsible disclosure transparancy -- about the root cause of each breach.

Bruce Schneier, and any number of other security researchers, are laughing.

Any cryptographer/company can build an encryption system they can't personally break.

Unhackable.

Heh heh heh!

IDF

Despite Israeli companies doing really good security products, he might want to steer clear of devices made by the IDF.