How the Russians listen to all of Trump's phone calls
They have been — ever since he first took office in 2017, and probably longer
In the early days of Trump’s first Presidency on May 10, 2017, he (very infamously) brought two Russian officials into the Oval Office to give them classified Israeli intelligence about ISIS. They were the Russian Foreign Minister Sergey Lavrov and Ambassador Sergey Kislyak. Trump would not allow the Secret Service to screen them or take their phones, or to have anybody else in the room except the Russian photographer they brought with them.
The photographer tweeted photos during the meeting (note the time and date on the tweet) from inside the Oval Office:
That’s important: it means the photo was taken right there, on the spot, with a cell phone. Read on.
Trump used his own personal iPhone while he was in office, the exact same kind you and I could buy — very much against security protocols, as cell phones are vulnerable to a huge number of attacks. Calls are not encrypted and cell towers and networks have their own vulnerabilities, so calls can actually be listened to and recorded — which is why Presidents are never allowed to use unmodified phones, as Trump insisted on doing.
Security researchers nearly all agree that if Trump’s phone had not already been compromised, it was for sure during that meeting. Here are some of the ways it might have happened.
Messaging attack. If one of the Russians asked Trump whether he’d like a copy of the photo, they could simply text it to him. Message attachments can contain malicious code that installs malware — and Russia’s cybersecurity people could easily have modified the photographer’s phone to automatically append such code to photos or other attachments. During the 2016 campaign, Trump often met with Kislyak, so we can assume they had each other’s cell phone numbers. Even if they couldn’t get his number, the photo could have been AirDropped, and the same malicious payloads can still be used.
Man-in-the-middle over WiFi. The Russians could have brought an unsecured WiFi hotspot in there, either on one of their phones or in the photographer’s bag. All they would have needed was the SSID of the WiFi in the Oval Office, which they could impersonate as an “evil twin”; assuming Trump’s iPhone was set to Auto-Join known networks, the next time it tried to check email or messages (even while in Trump’s pocket) the malicious payload would be sent. This scenario is most likely if there was a known vulnerability in the iPhone at that time, which is improbable.
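The defensive counterpart to the “evil twin” scenario above is to stop trusting a network on its SSID alone. The following is an added example (not code from the original post) that scans a constructed list of access points and flags any AP that advertises a remembered SSID from an unknown BSSID or with weaker security than the remembered profile; it also shows a join policy pinned to BSSID and security level instead of bare Auto-Join. The SSID, MAC addresses and trust table are all constructed for the example.

```python
"""Flagging an 'evil twin' Wi-Fi network in a scan (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # AP MAC address, lower-case
    channel: int
    security: str   # "open", "wpa2" or "wpa3"


# Constructed allow-list of networks the device is allowed to remember:
# SSID -> (BSSIDs seen when the profile was created, security in use then)
TRUSTED = {
    "OvalOffice-Guest": ({"a4:5e:60:11:22:33", "a4:5e:60:11:22:34"}, "wpa2"),
}

SECURITY_RANK = {"open": 0, "wpa2": 1, "wpa3": 2}


def find_evil_twins(scan, trusted=TRUSTED):
    """Return (bssid, reason) for every AP that impersonates a trusted SSID."""
    findings = []
    for ap in scan:
        if ap.ssid not in trusted:
            continue  # an unknown SSID is not impersonating anything we remember
        known_bssids, min_security = trusted[ap.ssid]
        if ap.bssid.lower() not in known_bssids:
            findings.append((ap.bssid, f"unknown BSSID advertising trusted SSID {ap.ssid!r}"))
        if SECURITY_RANK[ap.security] < SECURITY_RANK[min_security]:
            findings.append((ap.bssid, f"{ap.ssid!r} offered with weaker security ({ap.security})"))
    return findings


def should_auto_join(ap, trusted=TRUSTED):
    """Join policy: SSID must be remembered, BSSID must match, security must not have dropped."""
    if ap.ssid not in trusted:
        return False
    known_bssids, min_security = trusted[ap.ssid]
    return (ap.bssid.lower() in known_bssids
            and SECURITY_RANK[ap.security] >= SECURITY_RANK[min_security])


# Constructed scan: the real AP, an open rogue AP copying its SSID, and an unrelated hotspot.
SAMPLE_SCAN = [
    AccessPoint("OvalOffice-Guest", "a4:5e:60:11:22:33", 36, "wpa2"),
    AccessPoint("OvalOffice-Guest", "02:00:de:ad:be:ef", 6, "open"),
    AccessPoint("Photographer-Hotspot", "02:00:12:34:56:78", 11, "wpa2"),
]

if __name__ == "__main__":
    for bssid, reason in find_evil_twins(SAMPLE_SCAN):
        print(bssid, reason)
    for ap in SAMPLE_SCAN:
        print(ap.ssid, ap.bssid, "join" if should_auto_join(ap) else "skip")
```

The rogue AP in the sample is caught twice: once for its unknown BSSID and once for being open where the remembered network used WPA2. Real client stacks vary in how much of this they already enforce, so treat the policy here as an illustration of the check, not a description of any particular phone's behaviour.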
Zero click attack. Both of the above are called zero click attacks, because the victim does not have to take any action, such as saying OK to a dialog box, for it to succeed. Most other kinds of zero click attacks depend on there being a flaw in the device’s security. It might be a vulnerability in its Bluetooth, or its WiFi, or anywhere. Such vulnerabilities exist because they are discovered by malicious hackers before the vendor knows about them. These are called zero day exploits and, once discovered, they are often sold to parties such as governments and intelligence agencies, often for millions of dollars. The average time for a zero day exploit to exist before it is patched is 22 days.
The white market: People who discover exploits can sell them to the device vendor in exchange for a bug bounty.
The gray market: This is where governments and intelligence agencies pay the big bucks for zero day exploits, for purposes exactly like what the Russians in Trump’s office did.
The black market: Criminal organizations sometimes buy zero day exploits from black hat hackers.
IMSI Catcher. These are specialized devices that mimic a cell tower, and nearby phones will switch to them automatically to get a stronger signal. Some are commercially available, such as the Stingray and Kingfish. Their main purpose is to track a cell phone’s location, and they can be used legally for purposes like search and rescue. As a man-in-the-middle attack device, one can intercept all traffic, including phone calls. These devices can also be modified to insert malicious payloads, and have the advantage of not relying on the brief existence of a zero day exploit. Here is a DEFCON talk by expert Chris Paget on how this is done, given in 2013. It’s a long video but it makes it pretty obvious that Trump’s phone is absolutely loaded with spyware.
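Because an IMSI catcher works by looking like the strongest nearby tower, the observable side effects on the handset are what a defender can watch for: a cell identity that is not in the carrier's known set, a sudden drop from LTE to 2G, a location-area change with no movement, or an unusually large signal jump when the phone re-selects. The following is an added example (not from the original post or the DEFCON talk) that runs those heuristics over a constructed sequence of cell observations; the known-cell table, MCC/MNC values and signal levels are all made up for the example, and how a platform exposes such observations to software is outside its scope.

```python
"""Heuristic detection of a rogue base station from a handset's cell observations (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CellObservation:
    t: int           # seconds since start of the capture (constructed)
    mcc: str         # mobile country code
    mnc: str         # mobile network code
    lac: int         # location / tracking area code
    cell_id: int
    rat: str         # radio access technology: "GSM", "UMTS" or "LTE"
    rssi_dbm: int    # received signal strength


RAT_RANK = {"GSM": 0, "UMTS": 1, "LTE": 2}

# Constructed table of cells the carrier is known to operate near this site.
KNOWN_CELLS = {
    ("310", "410", 1001, 5001),
    ("310", "410", 1001, 5002),
}


def analyze_cells(observations, known_cells=KNOWN_CELLS, jump_db=25):
    """Return (t, kind, detail) alerts for observations that look like a rogue base station.

    Heuristics (each is weak alone; several firing together is the signal):
      - cell identity not in the known-cell table
      - downgrade to an older RAT (2G has weaker or no mutual authentication)
      - location-area change on the same network without any intermediate cells
      - large signal-strength jump coinciding with a cell change
    """
    alerts = []
    prev = None
    for obs in observations:
        key = (obs.mcc, obs.mnc, obs.lac, obs.cell_id)
        if key not in known_cells:
            alerts.append((obs.t, "unknown cell", key))
        if prev is not None:
            if RAT_RANK[obs.rat] < RAT_RANK[prev.rat]:
                alerts.append((obs.t, "RAT downgrade", f"{prev.rat}->{obs.rat}"))
            if obs.cell_id != prev.cell_id and obs.rssi_dbm - prev.rssi_dbm >= jump_db:
                alerts.append((obs.t, "signal jump on cell change", obs.rssi_dbm - prev.rssi_dbm))
            if (obs.mcc, obs.mnc) == (prev.mcc, prev.mnc) and obs.lac != prev.lac:
                alerts.append((obs.t, "LAC change", f"{prev.lac}->{obs.lac}"))
        prev = obs
    return alerts


# Constructed capture: two normal LTE cells, then a strong 2G cell nobody has seen before.
SAMPLE_OBSERVATIONS = [
    CellObservation(0, "310", "410", 1001, 5001, "LTE", -70),
    CellObservation(30, "310", "410", 1001, 5002, "LTE", -75),
    CellObservation(60, "310", "410", 9999, 1, "GSM", -40),
]

if __name__ == "__main__":
    for t, kind, detail in analyze_cells(SAMPLE_OBSERVATIONS):
        print(f"t={t:>3}s  {kind}: {detail}")
```

On the constructed capture, nothing fires for the first two observations, and all four heuristics fire at once for the third. Any one of these on its own happens routinely (phones do fall back to 2G at the edge of coverage), which is why the example reports them separately rather than as a single verdict.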
Well, those are a few. By so carelessly using a vulnerable device, and by being the world’s highest value target, Trump represents a clear threat to national security. He’s often described by his opponents as a “compromised Russian asset” and it does appear that’s not just hyperbole, it’s literally true.
During his first term, he and the Secret Service compromised by agreeing to have his personal, off-the-shelf iPhone completely replaced every 30 days. He did this once, and discovered that he was not allowed to restore it from a backup of his previous one (as that would restore any malware), and found it so inconvenient that he never did it again. It’s a virtual certainty that the one new phone was freshly installed with replacement (updated!) spyware the next time he met with any foreign national, or even the next time he was out at a golf club and in range of malicious devices.
He even lost his iPhone at a golf course once in 2017. It was missing for hours before some random person turned it over to the Secret Service who were running all over the place looking for it.
For more, see “When Trump Phones Friends, the Chinese and the Russians Listen and Learn” (New York Times)
It is fair to point out that I have not yet seen any reports about Trump’s iPhone hygiene in his nascent second term. But as with everything else about the guy, we tend to get exactly what we expect, or worse.
I always liked the Russian term Polezny Durak: "Useful Idiot". Seems a good fit in this case.
Doesn't Trump care about being hacked and spied upon?