When President Donald Trump fired James Comey as director of the FBI on Tuesday, the move immediately sparked controversy. Some saw in the dismissal an attempt to hinder the FBI's investigation into possible ties between Russia and his presidential campaign. It didn't help that Trump and Secretary of State Rex Tillerson hosted the Russian foreign minister, Sergei Lavrov, and Russian Ambassador Sergey Kislyak in the Oval Office the very next day—or that the only photos of that meeting came from the Russian-sponsored news agency Tass.

The White House says it didn't realize the government photographer who accompanied Lavrov to the meeting was also a journalist; it had barred US media from the meeting. And while the incident provoked unfounded speculation that the visitor could have brought sensing and listening devices into the meeting, or even planted a bug in the Oval Office, it mostly underscores the consistently careless manner with which the Trump administration regularly treats security.

The Spy's the Limit

US government facilities have certainly been bugged by foreign adversaries at times. As recently as 1998, for example, the State Department discovered that a Russian spy had bugged one of its conference rooms. While there's no indication that the photographer fulfilled the Twitter commentariat's wildest conspiracy theories, analysts agree that he could have attempted to compromise White House security in countless ways. And that's not even to mention the lack of proper vetting that allowed him entry in the first place.

"It’s a security breach for sure, because they should know exactly who’s in the White House," says Jill Johnston, president of KJB Security Products, a security and surveillance device wholesaler. "He could have recorded everything that went on there. He could have definitely left something behind."

Recording the conversation in the moment wouldn't have posed much of a challenge; any smartphone or voice recorder could do that. No fancy spy stuff needed. For a more sophisticated takeaway, he could have also hidden a portable signal sensor inside his camera to track nearby radio frequency activity, mapping the wireless devices and over-the-air communications in that part of the White House. Collecting this data could theoretically open the door for future espionage operations by showing what mobile devices were in use in the area, what frequencies they communicated on, whether there were any wireless networks available, and even where fiber optic and ethernet cables were in the walls.

Planting a listening devices would have been trickier, but far from impossible. Some audio bugs are as small as a key or a tube of chapstick. Slightly larger models like GSM bugs use cell network connectivity, and can capture audio and video streams. The photographer could have even set up a laser tap that bounces a laser beam off of window glass to capture sound waves in a room.

"He absolutely could have bugged the Oval Office," says David Kennedy, who worked in US intelligence and is now the CEO of TrustedSec, which does penetration testing, including physical security checks like bug sweeps. "You could tuck anything into [camera] equipment and make it very difficult to detect."

A Trump administration official told the Washington Post on Wednesday that the photographer and his equipment were both screened before they went into the White House, the same way a member of the US media would be screened.

In truth, ticking off all the many devices the photographer could have snuck into the Oval Office and left there seems counterproductive; it's too long a list. Besides, it turns out that planting a bug's not the hard part.

They Came From Within

As with most things in life, a wide gap exists between what's hypothetically feasible and what's actually doable here. "It’s certainly possible that anybody could plant something. In theory, anything’s possible," says Phil Polstra, a digital forensics professor at Bloomsburg University of Pennsylvania who studies low-power surveillance devices. "But the reality is it would be pretty hard to do anything."

As the location of some of the nation's most sensitive conversations, the Oval Office presumably goes through rigorous audits. Security staff would routinely check it for bugs using visual assessments, as well as radio-frequency scans to check for unexplained activity, like a bug transmitting what it hears back to home base. These scans can ultimately even detect devices that use evasive techniques like "frequency hopping," in which a device continually changes the frequency it broadcasts on, in an attempt to avoid discovery. In a controlled setting like the Oval Office, baseline scans establish "normal" for the room, so that anything even slightly irregular on subsequent scans raises a red flag.

The Oval Office presents other challenges to potential snoops as well. Any electronic device needs access to power, so one that runs on a battery will eventually die. Bugs could tap into wall power instead, but that would be difficult to set up during a meeting involving multiple people.

And while small devices can certainly do harm, size often limits how much functionality can fit in a tiny gadget. For example, GSM bugs that mimic smartphones to gain connectivity and avoid looking suspicious on scans are more noticeable, because they have more components. "There are cameras that look like all types of items, we sell them every day," says Jon Marshall, president of the surveillance device seller Spy Gadgets. "There are also bugs that we don’t sell because they’re illegal that governments would have access to. But there are always limitations."

The reality is it would be pretty hard to do anything. Phil Polstra, Bloomsburg University of Pennsylvania

Passive surveillance tools are one way around those limitations, but can be incredibly difficult to implement. When the Soviet Union famously bugged the US ambassador's Moscow residence for seven years beginning in 1945, they did so using electromagnetic beams rather than radio signals. Counterespionage specialists have since wised up, using electromagnetic radiation shields to nullify any surveillance device that depends on a transmitter. You won't be able to receive TV channels over the air in a shielded room, and it blocks cellular and data smartphone connectivity, too, but it also helps limit any chance of snooping.

"I can't imagine that our country wouldn't shield the Oval Office. That's like security 101," Polstra says. Any material with the right conductivity or magnetism can act as a shield. There's even electromagnetic shield paint.

Doing Lapse

So no, the Russian photographer probably didn’t plant a bug in the White House. That doesn’t excuse the White House’s lack of proper vetting, though, which fits into a larger disregard for administration security.

When he first moved to the White House, the president brought and used his personal, off-the-shelf Android phone. Without special protections, the phone could have been compromised relatively easily by spyware, and directly surveilled by foreign intelligence groups or common criminals.

In January, a hacker called out Trump and other administration officials for inadequate security on their Twitter accounts, revealing that many of them depended on personal email accounts for two-factor authentication. White House press secretary Sean Spicer has tweeted what appear to be personal passwords on more than one occasion.

Meanwhile, in February, while having dinner with guests at his Mar-a-Lago resort in Florida, President Trump worked with aides to address a North Korean missile test—extremely sensitive international relations work—while diners watched and listened.

So chalk up the admittance of a Russian photographer with two jobs to a generally lax security posture—and hope that the next lapse, when it comes, isn't any more serious either.