The big lesson from the Bezos hack: Anyone can be a target

WhatsApp and other messaging apps vulnerable to malware, as cost of hacking falls; experts recommend everyday users exercise caution

Jeff Bezos speaks at an event to unveil Blue Origin's Blue Moon lunar lander in Washington, May 9, 2019. (AP/Patrick Semansky, File)

AP — You may not think you’re in the same league as Jeff Bezos when it comes to being a hacking target. Probably not, but you — and just about anyone else, potentially including senior US government figures — could still be vulnerable to an attack similar to one the Amazon founder and Washington Post owner apparently experienced.

Two UN experts this week called for the US to investigate a likely hack of Bezos’s phone that could have involved Saudi Arabian Crown Prince Mohammed bin Salman. A commissioned forensic report found with “medium to high confidence” that Bezos’s iPhone X was compromised by a video MP4 file he received from the prince in May 2018.

The UN experts suggested the hack was facilitated with spyware developed by Israel’s NSO Group, which is currently facing a lawsuit by the Facebook-owned WhatsApp app. That lawsuit, filed in October, accuses NSO Group of using the messaging service to conduct cyber-espionage on journalists, human rights activists, and others.

Bezos later went public about the hack after the National Enquirer tabloid threatened to publish Bezos’s private photos if he didn’t call off a private investigation into the hacking of his phone. It’s not clear if those two events are related. The Saudis have denied any involvement in the purported hack.

The events could potentially affect US-Saudi relations. On Friday, Senator Ron Wyden, an Oregon Democrat, said he is asking the National Security Agency to look into the security of White House officials who may have messaged the crown prince, particularly on personal devices. Jared Kushner, a White House aide and US President Donald Trump’s son-in-law, is known to have done so using WhatsApp.

Wyden called reports of the Bezos hack “extraordinarily ominous” and said they may have “startling repercussions for national security.”

But they could resonate at the personal level as well. As the cost of hacking falls while opportunities to dig into people’s online lives multiply, more and more people are likely to end up as targets, even if they’re not the richest individuals in the world.

Saudi Arabia’s Crown Prince Mohammed bin Salman attends a meeting with US Secretary of State Mike Pompeo in Jeddah, Saudi Arabia, on September 18, 2019. (Mandel Ngan/Pool Photo via AP)

Ultimately, that boils down to a simple lesson: Be careful who you talk to — and what you’re using to chat with them.

“People need to get out of the mindset that nobody would hack them,” said Katie Moussouris, founder and CEO of Luta Security. “You don’t have to be a specific target or a big fish to find yourself at the mercy of an opportunistic attacker.”

WhatsApp is generally considered a secure way of trading private online messages because it scrambles messages and calls with encryption so that only senders and recipients can understand them. What many people may not have realized is that it, like almost any messaging service, can act as a conduit for malware.

That encryption, however, is no help if a trusted contact finds a way to use that connection to break into the phone’s operating system. In fact, an infected attachment can’t be detected by security software while it’s encrypted, and apps like WhatsApp don’t scan for malware even once files are decrypted.

This week, UN Special Rapporteurs Agnes Callamard and David Kaye said in a statement that “the forensic analysis assessed that the intrusion likely was undertaken through the use of a prominent spyware product identified in other Saudi surveillance cases, such as the NSO Group’s Pegasus-3 malware, a product widely reported to have been purchased and deployed by Saudi officials.”

An Israeli woman uses her phone in front of a building in Herzliya that housed the NSO Group intelligence firm, August 28, 2016. (Jack Guez/AFP/File)

Kaye and Callamard said “this would be consistent with other information,” noting the recent lawsuit by the Facebook-owned WhatsApp against NSO Group.

The Israeli firm said in a statement it was “shocked and appalled” by the reports linking its software to the Bezos phone hacking, and asserted that its software was definitely not involved.

NSO Group’s flagship malware, called Pegasus, allows spies to effectively take control of a phone, surreptitiously controlling its cameras and microphones from remote servers and vacuuming up personal data and geolocations.

The spyware has also been implicated in the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered in the Saudi consulate in Istanbul in 2018. Bezos owns The Washington Post, which employed Khashoggi as a columnist.

NSO Group has been adamant that it only licenses its software to governments for “fighting and terror” and that it investigates credible allegations of misuse.

Messaging apps besides WhatsApp are likely also vulnerable to hacking. “It just so happens that this one was a vulnerability in WhatsApp,” JT Keating, of Texas-based security firm Zimperium, said of the Bezos hack. “It could have been in any one of any number of apps.”

WhatsApp users can disable the automatic downloading of photos, videos and other media, which happens by default unless the user takes action, to better protect themselves.

Illustrative: WhatsApp on an iPhone, Nov. 15, 2018. (AP/Martin Meissner)

Prince Mohammed exchanged numbers with Bezos during a US trip in spring 2018. On the same visit, the prince also met with other tech executives, including the CEOs of Google, Apple and Palantir, as well as sports and entertainment celebrities and academic leaders. Virgin Group founder Richard Branson gave the Saudi delegation a tour of the Mojave Air and Space Port in the desert north of Los Angeles.

Google and Apple didn’t respond to emailed requests for comment this week on whether their executives shared personal contacts after that trip. Palantir Technologies confirmed that its CEO Alex Karp met with the prince but said they never shared personal messages. Virgin Group said it was looking into it.

UC Berkeley cybersecurity researcher Bill Marczak cautioned that there’s still no conclusive evidence that the Saudi video was malicious, adding that it might be premature to jump to broader conclusions about it. Many other security experts have also questioned the forensics report upon which UN officials are basing their conclusions.

But Marczak said it is generally good advice to “always be on the lookout for suspicious links or messages that sound too good to be true.”

Even caution about avoiding suspicious links might not be good enough to ward off spyware — especially for high-profile targets like dissidents, journalists and wealthy executives. Hackers-for-hire last year took advantage of a WhatsApp bug to remotely hijack dozens of phones and take control of their cameras and microphones without the user having to click anything to let them in.

In such cases, said Marczak, “there doesn’t need to be any interaction on the part of the person being targeted.”

TOI staff contributed to this report
