It seems like nobody wants to carry a work phone and that includes even those charged with protecting the US president. The US Secret Service’s extremely lax mobile phone security practices - including using unsecured personal devices during mission operations - put America’s leaders’ and agents’ lives at risk, according to a government-issued report. Secret Service agents routinely used personal cell phones to communicate with law enforcement and each other, including during protective operations in the US and overseas, because their government-issued devices lacked the capabilities they needed to perform their missions, according to a federal review ordered after the 2024 assassination attempt against President Trump in Butler, Pennsylvania. Even when Secret Service employees did use government-furnished equipment (GFE), these mobile devices didn’t have sufficient security to “ensure real-time, continuous protection from cyberattacks by foreign adversaries or individuals,” according to a report by the Department of Homeland Security inspector general. The inspector general’s investigation also found vulnerable apps on these GFE mobile devices. In addition to being prohibited - Homeland Security policy only allows Secret Service employees to use GFE devices for official business - using personal cell phones is especially bad from a cybersecurity perspective. As we have seen time and time again, government employees’ personal devices and private communications provide highly attractive targets for foreign spies or even homegrown criminals plotting attacks against elected leaders. Secret Service agents’ phones can also reveal mission-related details, geolocation - and, by proxy, the US president, vice president, and visiting heads of state’s geolocations - as well as photos, contacts, and other personal information such as family members and home addresses. Since these personal devices are not managed or secured by the US government, it's much easier for attackers to plant surveillanceware and other malware on them. “If a personal device is jailbroken, infected with malicious code, or not up to date on security software, an adversary could intercept device communication,” according to the report. “Outdated and vulnerable apps could enable malicious actors to conduct surveillance, track locations, or record employees’ communications. Connecting to unsecured networks may also allow cybercriminals to access data or install malware.” The inspector general reviewed call and text logs from Secret Service GFE mobile device records from October 2022 through May 2025, and found more than 15,000 instances among 4.8 million calls in which employees sent and received calls from colleagues’ personal phones while working protective events. Investigators also examined travel vouchers for Secret Service employees who travelled internationally between October 2022 and April 2025. They found 30 employees who claimed reimbursement for using personal phones for official, government business. Most of these (23 of the 24 interviewed) said they needed to use their personal cell phones during nearly every foreign assignment. Plus, they used personal mobile devices as hotspots to provide internet access for government-issued laptops, or to access websites blocked on GFE phones. Even when employees did use government-issued devices on overseas trips, these phones also lacked basic security, the investigation found. For example: the Secret Service did not begin installing mobile threat defense software on any GFE phones until August 2025. Nor did the agency consistently wipe data from GFE devices after employees returned from international missions despite Secret Service policy requiring employees to do this within 24 hours of returning to the US. Do these 5 things As a result of its findings, the inspector general made five recommendations to improve mobile device security. These include implementing a formal policy to ensure government-issued devices have all the needed capabilities to ensure mission functions can be conducted securely, and also ensure all employees complete cybersecurity awareness training, as required by the Secret Service. The report also recommends the Secret Service office of the chief information officer do a better job communicating to employees that the use of personal devices is not allowed for official business, and implement controls to wipe all mobile devices returning from international missions. Finally, the inspector general also recommends an updated vulnerability testing policy be applied to all mobile app code. The Secret Service “concurred” with all five recommendations. We reached out to the Secret Service about the report and recommended actions, and a spokesperson declined to comment beyond a letter from Secret Service Director Sean Curran included in the report. Curran said, among other things, that in response to the inspector general’s findings, the agency made “several comprehensive enhancements to Secret Service communications policies and protocols to both mitigate the potential for adversaries to intercept and exploit Secret Service information, as well as further strengthen the protective environment.”®
