The Amazon billionaire Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia, as reported by the Guardian. The encrypted message from the number used by Mohammed bin Salman is believed to have included a malicious file that infiltrated the phone of the world’s richest man, according to the results of a digital forensic analysis.
A United Nations expert said Jeff Bezos’ experience should sound alarms because even with his wealth and resources, it took months of investigation by specialists to figure out what had happened. “It basically means that we are all extremely vulnerable." https://t.co/WYHRxWj4ps
— The New York Times (@nytimes) January 23, 2020
This is not the first zero-day attack to hit WhatsApp – and it probably won’t be the last. Other messaging applications, like Signal, have a better security history. However, the truth is it’s impossible to use any of these services without some degree of risk.
As a high value target, Jeff Bezos is more at risk of an attack than your average Joe. These individuals need the protection of a skilled security team to continuously monitor for and move quickly to defend against the first signs of an attack. Obviously, they also need to accept that this entails a slight amount of inconvenience.
In the case of Jeff Bezos there is no public indication of OS-level root exploits being used, so it is probable that the attackers were able to access contacts, photos and document files as part of basic WhatsApp functionality, as well as possibly location and calendar data.
For high value targets, the best protection is to compartmentalise how apps are used.
For example, they might use WhatsApp or Signal for communicating with external contacts, and Teams for communicating with internals.
It makes sense to separate use by device; I recommend communicating with external contacts on a different device from the one you use for handling critical matters such as two-factor authentication apps.
It is also important to review application permissions regularly to deny access to apps that have fallen out of use.
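The permission review above is easy to state and tedious to do by hand. The script below is an added example (not code from the article or from any of the quoted experts) that shows one way to automate it on Android: it parses the `runtime permissions:` section that `adb shell dumpsys package <pkg>` prints, cross-references each app against when it was last used, and prints the `adb shell pm revoke` commands an operator would run for apps that still hold sensitive permissions but have sat idle past a threshold. The dumpsys text and the last-used table are constructed samples that approximate the real output; on a live device you would feed it the actual dumpsys output and derive last-use dates from `dumpsys usagestats`.

```python
"""Audit Android runtime permissions against last-use dates.

Added example, not from the original article. Flags apps that still hold
sensitive runtime permissions but have not been used for more than
`max_idle_days`, and builds the `adb shell pm revoke` commands to strip them.

Assumptions (labelled): SAMPLE_DUMPSYS is a CONSTRUCTED approximation of the
`runtime permissions:` section of `adb shell dumpsys package <pkg>`, and
LAST_USED is a constructed table standing in for `dumpsys usagestats` data.
"""
import re
from datetime import date

# Constructed sample: one block per package, mimicking the dumpsys layout.
SAMPLE_DUMPSYS = """\
Package [com.example.messenger] (1a2b3c):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
Package [com.example.oldgame] (4d5e6f):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (7a8b9c):
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
"""

# Constructed last-use table; the audit date is fixed so the run is repeatable.
LAST_USED = {
    "com.example.messenger": date(2020, 1, 20),
    "com.example.oldgame": date(2019, 6, 1),
    "com.example.notes": date(2019, 11, 15),
}
AUDIT_DATE = date(2020, 1, 23)

# Permissions that expose the data classes the article is concerned with.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_EXTERNAL_STORAGE",
}

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)")


def parse_granted(dump: str) -> dict:
    """Return {package: set of runtime permissions currently granted}."""
    granted = {}
    current = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted[current] = set()
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted


def stale_grants(granted, last_used, today, max_idle_days=90):
    """Sensitive permissions held by apps idle longer than max_idle_days.

    An app with no usage record is treated as idle: no evidence of use is
    not evidence that the grant is still needed.
    """
    findings = {}
    for pkg, perms in granted.items():
        last = last_used.get(pkg)
        idle = (today - last).days if last else None
        if idle is None or idle > max_idle_days:
            risky = sorted(perms & SENSITIVE)
            if risky:
                findings[pkg] = risky
    return findings


def revoke_commands(findings):
    """adb commands an operator would run to revoke the stale grants."""
    return [f"adb shell pm revoke {pkg} {perm}"
            for pkg, perms in sorted(findings.items()) for perm in perms]


if __name__ == "__main__":
    grants = parse_granted(SAMPLE_DUMPSYS)
    for cmd in revoke_commands(stale_grants(grants, LAST_USED, AUDIT_DATE)):
        print(cmd)
```

On the constructed sample only `com.example.oldgame` is flagged: it has not been opened in over seven months yet still holds contacts and microphone access. The commands are printed rather than executed so the reviewer decides what to revoke; `pm revoke` only works for permissions the app declares, so run it per package rather than in bulk.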
The reporting indicates that Mr. Bezos was in a WhatsApp chat with KSA’s Mohammed bin Salman when — unprompted — the Prince sent him a video file. The file apparently contained malware which hacked Bezos’ phone. The motive is clear: Jeff Bezos owns the Washington Post, which had reported extensively about the October 2018 murder by the Kingdom of the Post’s journalist Jamal Khashoggi. A text chat can easily be run by what the intelligence community calls an “operator” (a.k.a. hacker) appearing to be the Prince, and Bezos was none the wiser. Intelligent people fall for social engineering efforts like phishing attacks all the time, especially if they think the email or file is from a trusted source. Hacking humans is often easier and takes less time than a straightforward network approach.
This has all the hallmarks of the Pegasus spyware, which is a very sophisticated malware. When run on a device you will likely have no idea of what has just happened. Engineering a file to look like a photo or video that has come from a contact is the perfect way of executing the malware, so no doubt Bezos was unaware what had just occurred.
This particular spyware is used on highly targeted individuals, so people of high value or wealth need to be extremely cautious of such tactics. Bezos may well have innocently clicked on the file in the message, but extreme caution should always be exercised whenever something is received. Although it is difficult to reduce the risk, anyone who is a possible target, including people in the media and politicians, should always be aware of the risks.
Groups such as NSO are very capable of carrying out vulnerability checks on operating systems and are always out to exploit any weaknesses found before they are patched.
I can’t speak to the absolute particulars of the incident. It does seem strange that the Saudi Crown Prince would knowingly be involved using his own account. It seems too immediately traceable. I don’t know for sure what happened, but entities breaking into other entities to hack someone else is fairly normal these days.

It’s new to hear that it happened on WhatsApp and that a video file was created to take advantage of an unknown WhatsApp flaw. That part quickly points to a nation state intelligence agency. The Saudis aren’t known for their cutting edge hacking. Of course any nation state can buy that expertise, which is what appears to have happened here, because an Israeli-based company known to make this type of spyware appears involved.

But still it would be very strange, if the Crown Prince was involved, for him to use his main account. It seems more likely that someone else broke into the Prince’s phone and then used his existing network of contacts and trust to spread to other targets, of which Bezos was one. The originating party could have also intentionally used the Prince’s account to do a “false flag” operation to cause inaccurate attribution.

There are ways to tell which scenario happened, but it would involve getting forensic images of the Prince’s phone. The Saudis say the Prince wasn’t or didn’t intend to be involved. That’s easy to prove. Just give us the forensic details that prove it. They can give us the necessary details without revealing confidential data. This doesn’t have to be simply a “trust us” scenario. There is a way to prove whether it was caused by another party using the Prince as the go-between or whether it was a false flag operation. The Saudis can remove the suspicion by being more forthcoming. If they don’t provide the forensic evidence for independent examination, it becomes a little more suspicious.
NSO develop spyware and malicious payloads for sale to the highest bidder.
They sell to many nation states with questionable human rights records and oppressive regimes. They are known for their Pegasus spyware, designed to deliver remote surveillance via infection of personal devices. Such software is used by nation states to undermine and monitor activists, journalists and free speech advocates, and for corporate espionage. The Israeli department of defence licensed the sale of Pegasus to nation states but not private entities. Yoram Golandsky is the VP of technologies and Infosec at the NSO group, and spoke at OWASP AppSec Tel Aviv 2019, despite many objections. NSO are considered unethical by many in the cyber security community, given that they develop offensive technology which undermines many organisations’ cyber defences.