This story was co-published with Gizmodo.
Two weeks ago, on a sparkling spring morning, we went trawling along Florida's coastal waterway. But not for fish.
We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.
A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation.
We have also visited two of President Donald Trump's other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.
The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smartphones and use them to record conversations involving anyone on the premises.
"Those networks all have to be crawling with foreign intruders, not just ProPublica," said Dave Aitel, chief executive officer of Immunity, Inc., a digital security company, when we told him what we found.
Security lapses are not uncommon in the hospitality industry, which — like most industries and government agencies — is under increasing attack from hackers. But they are more worrisome in places where the president of the United States, heads of state and public officials regularly visit.
U.S. leaders can ill afford such vulnerabilities. As both the U.S. and French presidential campaigns showed, hackers increasingly exploit weaknesses in internet security systems in an effort to influence elections and policy. Last week, cyberattacks using software stolen from the National Security Agency paralyzed operations in at least a dozen countries, from Britain's National Health Service to Russia's Interior Ministry.
Since the election, Trump has hosted Chinese President Xi Jinping, Japanese Prime Minister Shinzo Abe and British politician Nigel Farage at his properties. The cybersecurity issues we discovered could have allowed those diplomatic discussions — and other sensitive conversations at the properties — to be monitored by hackers.
The Trump Organization follows "cybersecurity best practices," said spokeswoman Amanda Miller. "Like virtually every other company these days, we are routinely targeted by cyberterrorists whose only focus is to inflict harm on great American businesses. While we will not comment on specific security measures, we are confident in the steps we have taken to protect our business and safeguard our information. Our teams work diligently to deploy best-in-class firewall and anti-vulnerability platforms with constant 24/7 monitoring."
The White House did not respond to repeated requests for comment.
Trump properties have been hacked before. Last year, the Trump hotel chain paid $50,000 to settle charges brought by the New York attorney general that it had not properly disclosed the loss of more than 70,000 credit card numbers and 302 Social Security numbers. Prosecutors alleged that hotel credit card systems were "the target of a cyber-attack" due to poor security. The company agreed to beef up its security; it's not clear if the vulnerabilities we found violate that agreement. A spokesman for the New York attorney general declined comment.
Our experience also indicates that it's easy to gain physical access to Trump properties, at least when the president is not there. As Politico has previously reported, Trump hotels and clubs are poorly guarded. We drove a car past the front of Mar-a-Lago and parked a boat near its lawn. We drove through the grounds of the Bedminster golf course and into the parking lot of the golf course in Sterling, Virginia. No one questioned us.
Both President Obama and President Bush often vacationed at the more traditional presidential retreat, the military-run Camp David. The computers and networks there and at the White House are run by the Defense Information Systems Agency.
In 2016, the military spent $64 million on maintaining the networks at the White House and Camp David, and more than $2 million on "defense solutions, personnel, techniques, and best practices to defend, detect, and mitigate cyber-based threats" from hacking those networks.
Even after spending millions of dollars on security, the White House admitted in 2015that it was hacked by Russians. After the hack, the White House replaced all its computer systems, according to a person familiar with the matter. All staffers who work at the White House are told that "there are people who are actively watching what you are doing," said Mikey Dickerson, who ran the U.S. Digital Service in the Obama Administration.
By comparison, Mar-a-Lago budgeted $442,931 for security in 2016 — slightly more than double the $200,000 initiation fee for one new member. The Trump Organization declined to say how much Mar-a-Lago spends specifically on digital security. The club, last reported to have almost 500 members paying annual dues of $14,000 apiece, allotted $1,703,163 for all administration last year, according to documents filed in a lawsuit Trump brought against Palm Beach County in an effort to halt commercial flights from flying over Mar-a-Lago. The lawsuit was dropped, but the FAA now restricts flights over the club when the president is there.