This story was co-published with Gizmodo.
Two weeks ago, on a sparkling spring morning, we went trawling along Florida's coastal waterway. But not for fish.
We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.
A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation.
We have also visited two of President Donald Trump's other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.
The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.
"Those networks all have to be crawling with foreign intruders, not just ProPublica," said Dave Aitel, chief executive officer of Immunity, Inc., a digital security company, when we told him what we found.
Security lapses are not uncommon in the hospitality industry, which — like most industries and government agencies — is under increasing attack from hackers. But they are more worrisome in places where the president of the United States, heads of state and public officials regularly visit.
U.S. leaders can ill afford such vulnerabilities. As both the U.S. and French presidential campaigns showed, hackers increasingly exploit weaknesses in internet security systems in an effort to influence elections and policy. Last week, cyberattacks using software stolen from the National Security Agency paralyzed operations in at least a dozen countries, from Britain's National Health Service to Russia's Interior Ministry.
Since the election, Trump has hosted Chinese President Xi Jinping, Japanese Prime Minister Shinzo Abe and British politician Nigel Farage at his properties. The cybersecurity issues we discovered could have allowed those diplomatic discussions — and other sensitive conversations at the properties — to be monitored by hackers.
The Trump Organization follows "cybersecurity best practices," said spokeswoman Amanda Miller. "Like virtually every other company these days, we are routinely targeted by cyberterrorists whose only focus is to inflict harm on great American businesses. While we will not comment on specific security measures, we are confident in the steps we have taken to protect our business and safeguard our information. Our teams work diligently to deploy best-in-class firewall and anti-vulnerability platforms with constant 24/7 monitoring."
The White House did not respond to repeated requests for comment.
Trump properties have been hacked before. Last year, the Trump hotel chain paid $50,000 to settle charges brought by the New York attorney general that it had not properly disclosed the loss of more than 70,000 credit card numbers and 302 Social Security numbers. Prosecutors alleged that hotel credit card systems were "the target of a cyber-attack" due to poor security. The company agreed to beef up its security; it's not clear if the vulnerabilities we found violate that agreement. A spokesman for the New York attorney general declined comment.
Our experience also indicates that it's easy to gain physical access to Trump properties, at least when the president is not there. As Politico has previously reported, Trump hotels and clubs are poorly guarded. We drove a car past the front of Mar-a-Lago and parked a boat near its lawn. We drove through the grounds of the Bedminster golf course and into the parking lot of the golf course in Sterling, Virginia. No one questioned us.
Both President Obama and President Bush often vacationed at the more traditional presidential retreat, the military-run Camp David. The computers and networks there and at the White House are run by the Defense Information Systems Agency.
In 2016, the military spent $64 million on maintaining the networks at the White House and Camp David, and more than $2 million on "defense solutions, personnel, techniques, and best practices to defend, detect, and mitigate cyber-based threats" from hacking those networks.
Even after spending millions of dollars on security, the White House admitted in 2015 that it was hacked by Russians. After the hack, the White House replaced all its computer systems, according to a person familiar with the matter. All staffers who work at the White House are told that "there are people who are actively watching what you are doing," said Mikey Dickerson, who ran the U.S. Digital Service in the Obama administration.
By comparison, Mar-a-Lago budgeted $442,931 for security in 2016 — slightly more than double the $200,000 initiation fee for one new member. The Trump Organization declined to say how much Mar-a-Lago spends specifically on digital security. The club, last reported to have almost 500 members paying annual dues of $14,000 apiece, allotted $1,703,163 for all administration last year, according to documents filed in a lawsuit Trump brought against Palm Beach County in an effort to halt commercial flights from flying over Mar-a-Lago. The lawsuit was dropped, but the FAA now restricts flights over the club when the president is there.
It is not clear whether Trump connects to the insecure networks while at his family's properties. When he travels, the president is provided with portable secure communications equipment. Trump tracked the military strike on a Syrian air base last month from a closed-door situation room at Mar-a-Lago with secure video equipment.
However, Trump has held sensitive meetings in public spaces at his properties. Most famously, in February, he and the Japanese prime minister discussed a North Korean missile test on the Mar-a-Lago patio. Over the course of that weekend in February, the president's Twitter account posted 21 tweets from an Android phone. An analysis by an Android-focused website showed that Trump had used the same make of phone since 2015. That phone is an older model that isn't approved by the NSA for classified use.
Photos of Trump and Abe taken by diners on that occasion prompted four Democratic senators to ask the Government Accountability Office to investigate whether electronic communications were secure at Mar-a-Lago.
In March, the GAO agreed to open an investigation. Chuck Young, a spokesman for the office, said in an interview that the work was in "the early stages," and did not offer an estimate for when the report would be completed.
So, we decided to test the cybersecurity of Trump's favorite hangouts ourselves.
Our first stop was Mar-a-Lago, a Trump country club in Palm Beach, Florida, where the president has spent most weekends since taking office. Driving past the club, we picked up the signal for a Wi-Fi-enabled combination printer and scanner that has been accessible since at least February 2016, according to a public Wi-Fi database.
An open printer may sound innocuous, but it can be used by hackers for everything from capturing all the documents sent to the device to trying to infiltrate the entire network.
To prevent such attacks, the Defense Information Systems Agency, which secures the White House and other military networks, forbids installing printers that anyone can connect to from outside networks. It also warns against using printers that do more than printing, such as faxing. "If an attacker gains network access to one of these devices, a wide range of exploits may be possible," the agency warns in its security guide.
We also were able to detect a misconfigured and unencrypted router, which could potentially provide a gateway for hackers.
To get a better line of sight, we rented a boat and piloted it to within sight of the club. There, we picked up signals from the club's wireless networks, three of which were protected with a weak and outmoded form of encryption known as WEP. In 2005, an FBI agent publicly broke this type of encryption in minutes.
By comparison, the military limits the signal strength of networks at places such as Camp David and the White House so that they are not reachable from a car driving by. It also requires wireless networks to use the strongest available form of encryption.
From our desks in New York, we were also able to determine that the club's website hosts a database with an insecure login page that is not protected by standard internet encryption. Login forms like this are considered a severe security risk, according to the Defense Information Systems Agency.
Without encryption, spies could eavesdrop on the network until a club employee logs in, and then steal his or her username and password. They then could download a database that appears to include sensitive information on the club's members and their families, according to videos posted by the club's software provider.
This is "bad, very bad," said Jeremiah Grossman, chief of Security Strategy for cybersecurity firm SentinelOne, when we described Mar-a-Lago's systems. "I'd assume the data is already stolen and systems compromised."
A few days later, we took our equipment to another Trump club in Bedminster, New Jersey. During the transition, Trump had interviewed candidates for top administration positions there, including James Mattis, now secretary of defense.
We drove on a dirt access road through the middle of the golf course and spotted two open Wi-Fi networks, TrumpMembers and WelcomeToTrumpNationalGolfClub, that did not require a password to join.
Such open networks allow anyone within range to scoop up all unencrypted internet activity taking place there, which could, on insecure sites, include usernames, passwords and emails.
Robert Graham, an Atlanta, Georgia, cybersecurity expert, said that hackers could use the open Wi-Fi to remotely turn on the microphones and cameras of devices connected to the network. "What you're describing is typical hotel security," he said, but "it's pretty concerning" that an attacker could listen to sensitive national security conversations.
Two days after we visited the Bedminster club, Trump arrived for a weekend stay.
Then we visited the Trump International Hotel in Washington, D.C., where Trump often dines with his son-in-law and senior adviser Jared Kushner, whose responsibilities range from Middle East diplomacy to revamping the federal bureaucracy. We surveyed the networks from a Starbucks in the hotel basement.
From there, we could tell there were two Wi-Fi networks at the hotel protected with what's known as a captive portal. These login screens are often used at airports and hotels to ensure that only paying customers can access the network.
However, we gained access to both networks just by typing "457" into the room number field. Because we provided a room number, the system assumed we were guests. We looked up the hotel's public IP address before logging off.
From our desks in New York, we could also tell that the hotel is using a server that is accessible from the public internet. This server is running software that was released almost 13 years ago.
Finally, we visited the Trump National Golf Club in Sterling, Virginia, where the president sometimes plays golf. From the parking lot, we recognized three encrypted wireless networks, an encrypted wireless phone and two printers with open Wi-Fi access.
The Trump club websites are hosted by an Ohio-based company called Clubessential. It offers everything from back-office management and member communications to tee time and room reservations.
In a 2014 presentation, a company sales director warned that the club industry as a whole is "too lax" in managing and protecting passwords. There has been a "rising number of attacks on club websites over the last two years," according to the presentation. Clubessential "performed [an] audit of security in the club industry" and "found thousands of sensitive documents from clubs exposed on [the] Internet," such as "lists of members and staff, and their contact info; board minutes, financial statements, etc."
Still, the club software company has set up a backend server accessible on the internet, and configured its encryption incorrectly. Anyone who reaches the login page is greeted with a warning that the encryption is broken. In its documentation, the company advises club administrators to ignore these warnings and log in regardless. That means that anybody snooping on the unprotected connection could intercept the administrators' passwords and gain access to the entire system.
The company also publishes online, without a password, many of the default settings and usernames for its software — essentially providing a roadmap for intruders.
Clubessential declined comment.
Aitel, the CEO of Immunity, said the problems at Trump properties would be difficult to fix: "Once you are at a low level of security it is hard to develop a secure network system. You basically have to start over."
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.
In the early 2000s, banks successfully sued to stop Iowa from limiting their ability to charge ATM fees to non-customers. They also fought off states' attempts to stop them from charging non-customers to cash checks drawn on the banks' accounts. In another case, they stopped California from forcing two banks to conduct audits of their own residential mortgages.
What do all these cases have in common? The winning argument in each was that states had no right to impose their laws on federally regulated national banks. And the man who helped make that powerful argument was Keith Noreika — President Trump's pick to head the federal agency that oversees national banks.
Noreika, a prominent Washington attorney who specializes in financial regulatory law, has made a career out of representing banks as they sought to fight back consumer-friendly state regulations and class-action lawsuits accusing banks of deceptive practices.
He is now the acting head of the Office of the Comptroller of the Currency, a position in which he can serve for 130 days without Senate approval and during which he does not have to abide by the stricter ethics rules governing permanent appointees.
As head of the OCC, Noreika will be well-positioned to lighten regulations on banks — without the need for Congress to pass legislation.
Among the targets may be the 2010 Dodd-Frank Wall Street overhaul, which made it easier for states to hold national banks accountable. Noreika has criticized the law's burdens, while Trump has called it "horrendous."
Under Dodd-Frank, the head of the OCC has broad power to review and preempt states' consumer finance laws.
"The first way to change the regulations is to put in regulators who will propose to stop enforcing them," said Andy Green, a former Democratic Senate staffer who helped craft the 2010 law and now works at the liberal Center for American Progress.
Noreika's ascension fits into a broader pattern of Trump administration appointees. Many of them have worked to influence the same agencies they've now been assigned to lead. And while Trump has been slow to name people to positions that require Senate confirmation, he has been quick to install officials out of public view.
Through an OCC spokesman, Noreika declined to be interviewed. But he said in a statement:
"I am proud to have had an effective law practice where I represented clients of all types — banks, institutions, individuals, and a large labor union."
"I do think that ten years after the crisis and seven years after the passing of Dodd-Frank, now is a good time to take stock of the rules implemented and actions taken to ensure the nation has the right sense of balance and coherence in regulating financial institutions."
Noreika's appointment has raised the ire of Democratic lawmakers.
"You have chosen to replace the current head with an acting head who is unvetted, has obvious conflicts of interest, and lacks the experience to run an agency that employs almost 4,000 individuals," seven Democratic Senators wrote in a letter to Treasury Secretary Steven Mnuchin on Thursday.
Under Dugan, the OCC was criticized as being too friendly to banks in the face of widespread lending abuses that fueled the financial crisis. While Noreika now heads up the OCC, Dugan is back at Covington, where his bio says he "advises clients on a range of legal matters affected by significantly increased regulatory requirements resulting from the financial crisis."
Some say it's too early to draw any conclusions on how Dugan's protégé will run the agency.
"I don't think you should assume that what a lawyer argues for a client is indicative of how he or she would react when you're administering the law," said H. Rodgin Cohen, senior chairman of Sullivan & Cromwell, a prominent corporate law firm.
Consumer advocates are particularly concerned about Noreika's frequent reliance on the argument that federal banking laws and OCC regulations trump state laws — a concept known as preemption.
In 2005, when Noreika became a partner at Covington, the firm noted that "many of Mr. Noreika's cases have challenged the validity of state and local laws as preempted by the federal banking laws" and listed Wells Fargo and Bank of America as prominent clients.
ProPublica identified more than a dozen such cases filed in federal court from 2000 through 2005. Most were dismissed or settled in banks' favor.
"That's a real problem," said Lauren Saunders, associate director of the National Consumer Law Center in Washington, D.C. "States often have laws that protect consumers in areas where there are no national laws."
Banking lawyers say it only makes sense to give precedence to federal banking laws. Otherwise, national banks would end up dealing with 50 different regulators rather than one — the OCC. That was the whole point behind Congress' creation of the agency during the Civil War, when states' conflicting regulations made banking and commerce more difficult.
But in the years before the financial crisis, as abuses in the mortgage-lending markets began to surface, the OCC was slow to act. States did act. Between 1999 and 2007, North Carolina and about 30 other states passed laws targeting predatory lending practices.
The OCC, meanwhile, adopted sweeping regulations that prevented those laws from applying to national banks and extended that protection to the banks' state-chartered subsidiaries. In 2008, then-New York Gov. Eliot Spitzer accused the agency of embarking "on an aggressive and unprecedented campaign to prevent states from protecting their residents."
At the time, Dugan brushed off the criticism. "Almost everyone who has paid attention to the subprime lending crisis has concluded that OCC-regulated national banks were not the problem," he said in a statement responding to Spitzer.
But two separate inquiries — the Financial Crisis Inquiry Commission and a report by the U.S. Senate Banking Committee — disagreed. The commission concluded that the OCC's preemption of state laws ended up "preventing adequate protection for borrowers and weakening constraints" on risky mortgages.
Dugan did not return phone calls but said in an email, "I disagree categorically with Wilmarth." He referred his testimony to the crisis investigators, in which he said the financial crisis was "not caused by federal preemption of state mortgage lending laws." Instead, Dugan said, "the root cause of the mortgage crisis was exceptionally weak underwriting standards."
In 2007, as Dugan presided over the OCC, Noreika and his Covington colleagues won the biggest preemption victory of all, Watters vs. Wachovia Bank. The case evolved from separate federal lawsuits involving banks that had sought to shield their subsidiaries from state laws and subsequently faced collapse or fell into legal trouble for their business practices — Wachovia, National City Bank of Cleveland and Wells Fargo. Wilmarth advised state banking regulators on the cases.
The cases were merged and went all the way up to the Supreme Court, where Noreika argued that state laws didn't apply to subsidiaries of national banks like Wachovia. In a 5-3 vote, the high court agreed.
Preemption became an even bigger issue after the 2008 collapse of several big banks, including Wachovia. Local governments tried to sue banks for alleged misdeeds, but again were blocked by preemption.
By then, Congress was working on Dodd-Frank, and preemption was a hotly debated area of reform. One of the changes Congress enacted as part of the law was to negate the effect of the Supreme Court decision that Noreika had litigated. Dodd-Frank also gave local law enforcement authorities more power to bring lawsuits against national banks under state laws. And it created a revised set of rules under which the OCC can review state banking laws to determine if they should be preempted.
The responsibility for those reviews falls to the head of the OCC — now Noreika. He has the power to determine if a state consumer finance law is preempted by federal law.
"He will now have his hand on the preemption button," said Wilmarth, the George Washington University law professor.