When evidence suggested President Trump was still using his personal Android phone in the White House earlier this year, security experts expressed both alarm and dismay at what might happen if hackers broke into that device. Now, Politico reports that former Department of Homeland Security head and current chief of staff John Kelly used a personal smartphone, possibly for months, that was compromised. That is bad. Don't do that.

The breach was apparently discovered over the summer, when Kelly gave the smartphone to White House tech support after having problems with it and struggling to successfully run software updates. Several questions remain unanswered, as to what type of phone Kelly was using, and what sort of access hackers may have had. The possibilities run the gamut—and have potentially serious consequences.

"Having a phone compromised for several months definitely is not good," says David Kennedy, the CEO of TrustedSec, who formerly worked at the NSA and with the Marine Corps' signal intelligence unit. "To what extent and who compromised it is important. If it was just [run of the mill] malware it's probably not a big deal, but if it was a nation state, monitoring phone communications, emails, and other data is all possible."

Easy Access

How Kelly's phone was compromised matters a lot. There are myriad ways it could have happened, and some are relatively benign. If Kelly had an Android phone he may have gotten tricked into downloading a malicious app. Phishing links and attachments also pose a constant threat no matter what device you're on. From there, a petty criminal might have done something small, like secretly charging Kelly in-app fees or mining some relatively innocuous data. Nothing too alarming there.

But there's also a whole gray market of security firms, like Zerodium and NSO Group, that sell mobile operating system exploits and espionage tools to governments around the world. Any attacker with awareness about their target—and deep pockets—could have used more sophisticated exploits to burrow deep into the device and start reconnaissance and data-gathering, even potentially masquerading as Kelly on his accounts, or taking them over to mislead his associates.

It's also hard to tell exactly how often and how long Kelly used the phone in question. Reports indicate that Kelly did primarily use his hardened, government-issued smartphone, even while he still had his apparently compromised personal phone around, but it's unclear how often he carried the extra device with him, and what he still relied on it for. A White House spokesman told POLITICO that Kelly "hadn’t used the personal phone often since joining the administration." It would be helpful to know how hard that "often" is working. The incident was apparently considered serious enough to warrant a memo about the situation in September.

A White House spokesman told WIRED, “Last December, General Kelly’s personal phone stopped working and he discontinued its use,” a statement that still leaves the exact timeline open for interpretation.

Those details matter, because in a totally owned phone, hackers could have tracked his every move.

Assessing the Damage

Regardless of the method used to compromise the smartphone, Kelly's data would definitely have been at risk. Attackers could have used a keylogger to follow his every input. They would also potentially have had access to his physical location through GPS and cell ID data. If he stored any sensitive files on the device, needless to say, they would have been exposed.

But even assuming that Kelly did no confidential or nationally important work on the personal phone, even if he simply used it to play Candy Crush, it still would have posed a major threat. Attackers can surreptitiously take over a smartphone's microphone and camera, a particular concern given that Kelly takes meetings at the highest levels of national security.

"If he's in classified meetings and the phone is in his pocket, hackers could eavesdrop and listen to planning," Kennedy notes.