The US Speaker of the House’s Porn Tracking App
How This Disturbing Choice of Apps is a Potential Security Threat
Mike Johnson, a relatively unknown representative from the state of Louisiana, and now third in line to the US Presidency, has admitted publicly that he uses a pornography-tracking mobile application. The app, called Covenant Eyes, was founded by Ron DeHaas, a self-described “elder” of an evangelical Presbyterian institution. According to the company's website, the app supposedly uses artificial intelligence to track screen activity and blocks whatever it decides is explicit content. What makes it especially strange is that the app user chooses a “partner” who uses an associated application made by the company called “Victory.” The partner receives “activity alerts” in the form of a “scrollable, filterable feed of device activity” of the initial user’s porn activity. Apparently, the Victory app blurs the actual content. Regardless, in case this isn’t creepy enough, Johnson chose his 17-year-old son as his partner in porn-monitoring.
A screen shot from the application’s website.
Notwithstanding the moral ambiguity of joining forces with one’s teenage son to control each other’s porn habits, the use of the app by the third-highest ranked person in the United States government itself raises serious security questions. (Ok, for the record, there is no moral ambiguity here. Johnson’s ‘partnership’ with his son in this escapade is evidence of a serious sickness). The fact that Johnson feels compelled to employ an application to monitor and control his porn habits suggests that either his habits or his son’s—or both—are either prolific or disturbing. While there is nothing wrong with looking at porn per se, most people would go to great lengths to prevent their specific interests from becoming public. This seems especially so when it comes to a political figure whose platform relies heavily on religious overtones and moral chastisement. Many people would likely go even further to protect their children from shaming exposure. In other words, the use of this application strongly suggests that Johnson has an acute susceptibility to blackmail or some other form of extortion.
Covenant Eyes proclaims its services are protected by AES (Advanced Encryption Standard) 256-bit encryption. It purports to store the following information: “names, usernames, passwords, billing information (including credit card), demographics (including IP addresses), and other account information.” Marijus Briedis, chief technical officer at NordVPN, told Newsweek: "If everything is configured accordingly, even if cybercriminals intercept the data, at current technological capabilities it would nearly be impossible to decrypt it and see screenshots of users' devices." This statement rests on a strong presumption: “if everything is configured accordingly.” Mike Johnson openly states he does not “believe” in evolution; he does believe that the Earth is about 6,000 years old and that people co-existed with dinosaurs, and the sum of his intellectual writing consists of pontifications about the “bizarre choices” of homosexuals’ lifestyles. This track record does not strongly support the notion that Johnson has any concerns about or comprehension of correctly configuring his porn app.
His probable security ignorance notwithstanding, Johnson’s predisposition to religious zealotry makes him an extraordinarily easy mark for spear phishing attacks, which abrogates any protections related to his porn app’s configuration even if it is properly set up. One way to do this would be to send Johnson a message stating that his porn app was potentially compromised and that he needs to immediately reset his password. In doing so, the message will naturally ask for Johnson’s current password. In his panic to cover up whatever outlandish things he allegedly uses the app to try to discourage him from looking at, he will almost certainly respond quickly and without thinking. And the company website says nothing of two-factor authentication (meaning once the password is given away, the account is compromised). As a high-profile target, this type of message will employ extraordinary sophistication, making it eminently believable because the internet contains an abundance of material about Johnson from which to craft the attack. Retrieving Johnson’s credentials this way would hardly be difficult, and the moment they are stolen, his entire account will likely be downloaded or, even worse, his and his son’s app activity will be secretly sub-routed to a hacker’s server where all future activity would be monitored, downloaded, packaged, and sold. Johnson would remain blissfully unaware—that is, until someone leverages it against him. And to be clear, both Johnson and his son provide an apt target for spear phishing. Double the targets, double the chances of success.
**I exclaim here in no uncertain terms—I do not mention the son here to shame or otherwise impugn him. At best, he is sort of collateral damage in an extremely untoward situation not of his making. Any involvement he may have in opening the door to attackers through spear phishing or other methods is inadvertent and a result of him being involuntarily placed in a bad spot. A better read of the situation in my view is that he is the victim of his extremist father who seems unconcerned about the implications of using his own child to forward his political goals, and who has hefted his religious extremism upon his child probably throughout his entire upbringing. It is shameful that the boy has effectively entered public life this way.
Spear phishing attacks might even be a moot point. Cyber researchers found that Bible apps contain the highest proportion of data-stealing malware of any application category. These apps routinely exchange data over dozens of servers globally, in some cases across as many as 50 at a time, and frequently link to social media as well. All these servers and social media connections create vectors of attack and subsequent vulnerability. In addition, they obfuscate where stolen data might end up going. The public admission of having downloaded Covenant Eyes, among other statements, suggests that Johnson or his son have likewise downloaded one or more Bible apps. This means his history or his son’s history of porn habits may already be in the possession of adversaries, stolen through malware currently resident on either or both of their devices as a result of downloading it through a compromised religious application. Even if as yet unnoticed, the stolen data could be sitting on some hacker server somewhere as I write this, lost in a sea of thousands of others’ stolen data from these kinds of apps. But as all the details of Johnson’s sordid private life become public, and his government position becomes known to the underworld, you can bet that every data thief on the planet who has ever infiltrated any of these platforms is or will be furiously searching their data banks to see if they inadvertently grabbed this most precious nugget. When they find it, as at least one almost inevitably will, they will eagerly fence it to the highest bidder or otherwise exploit it. Data stolen from Bible sites or apps will provide even more information to help infiltrate Johnson’s porn app, if it has not been already. And the porn habits of the US Speaker of the House or his family members will, I assure you, garner an extraordinarily high price.
Everything so far focuses upon the broader web of thieves, activists, or anarchists lurking across the internet. The gravest threat, however, comes not from these shadowy folks but from state-sponsored hackers. Johnson’s recent elevation to Speaker of the House means that every well-funded, hyper-resourced, state-sponsored agent will put him within their crosshairs. For this reason, I think NordVPN’s Marijus Briedis (quoted above) misses a key point. While stolen encrypted data may be of little use to “cybercriminals,” the story is very much different for foreign agents. To illustrate, classified data is stored with more advanced encryption than AES 256-bit, the kind the Covenant app uses, for very good reason. While the US Cybersecurity and Infrastructure Security Agency (CISA) states that “AES 256 will still be safe for decades,” the National Institute of Standards and Technology (NIST) notes in another bulletin some of the reasons why. Unfortunately, these reasons apply primarily to general users, not ones of acute interest to foreign adversary spy agencies. For example, in reference to using quantum computing for defeating encryption, NIST correctly proclaims that “quantum computing hardware will likely be more expensive to build and use than classical hardware.” This will almost certainly not affect governments interested in compromising the Speaker of the US House. For the available prize, money is no object. As a second potential mitigation to the problem, NIST points out that “even if quantum computers turn out to be much less expensive than anticipated, the known difficulty of parallelizing Grover’s algorithm suggests that both AES 192 and AES 256 will still be safe for a very long time.” This might be true—though “known difficulty” does not equal “impossibility”—but it seems that this might also be immaterial anyway.
All the way back in 2013, ProPublica—the outlet famous for revealing the extensive corruption of Supreme Court Justice Clarence Thomas—released a bombshell report that today seems all but forgotten. The article can be summed up nicely by this quote, “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.” The US National Security Agency (NSA) spends hundreds of millions of dollars per year to “actively engage[] the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.” As Steven Vaughan-Nichols noted in an article on ZDNet back then, “The groups report that the NSA has been working hard on breaking the encryption in universal use in the US, including SSL, virtual private networks (VPNs), and 4G smartphones. What these have in common is their use of 256-bit AES for encryption” [emphasis mine]. Again, this was more than TEN years ago. The notion that 256-bit AES encryption remains secure—at least among government agencies—seems quite improbable. Obviously whether the breaking of AES 256-bit encryption has happened and how remains unknown to the public, but ten years in the digital world is an eternity. Moreover, if US spy agencies have broken it, others also have. After all, as the ProPublica report highlights, the NSA shares information with other spy agencies meaning that each node of sharing provides a vector for a leak. Adversarial spy agencies may not need to conduct the process themselves; they could simply steal it or buy it.
Whatever the state of security of AES encryption, the issue remains salient. Catapulting an inexperienced individual to among the highest levers of government, one whose world view is situated in mythology and religiously inspired extremism, makes him an imminent security threat for a number of reasons. That he employs a mobile application that simultaneously engages in the tracking of habits he would prefer kept secret and stores an abundance of other sensitive data creates a delicious element of vulnerability to nefarious actors who will stop at nothing to compromise such a highly placed official. Combining his psychological inclinations with his use of (to be kind) questionable mobile applications renders him an easily exploitable target for spear phishing or other social engineering attacks. Unfortunately, it will be extremely difficult to tell if any of the data from the porn-tracking app already found its way onto the web somewhere, whether through social engineering or via malware present on his devices from whatever other apps he or his son may have downloaded. It will be even harder still—maybe impossible—to determine what specifically was leaked and where it may now reside. As such, it hardly seems prudent to allow him access to any sensitive government data and probably also imminently disqualifies him from the position he currently holds. The third-in-line to the US Presidency should not be so easily corruptible by foreign adversaries.
***
I am a Certified Forensic Computer Examiner, Certified Crime Analyst, Certified Fraud Examiner, and Certified Financial Crimes Investigator with a Juris Doctor and a Master’s degree in history. I spent 10 years working in the New York State Division of Criminal Justice as Senior Analyst and Investigator. Today, I teach Cybersecurity, Ethical Hacking, and Digital Forensics at Softwarica College of IT and E-Commerce in Nepal. In addition, I offer training on Financial Crime Prevention and Investigation. I am also Vice President of Digi Technology in Nepal, for which I have also created its sister company in the USA, Digi Technology America, LLC. We provide technology solutions for businesses or individuals, including cybersecurity, all across the globe. I was a firefighter before I joined law enforcement and now I currently run a non-profit that uses mobile applications and other technologies to create Early Alert Systems for natural disasters for people living in remote or poor areas.
Holy crap! Pun intended. If he gets hacked, and I hope he does, let him be stripped of his position and shamed into hiding. We don't have time in this world and our country to have any type of extremist.