The innocuous-looking video file believed to have been used to hack Jeff Bezos’ smartphone says a lot about the technological sophistication of today’s spyware.
Within hours of receiving the file and its encrypted downloader from the personal WhatsApp account of Saudi Crown Prince Mohamed bin Salman, the Amazon founder’s phone began transmitting “massive” amounts of data without authorization, according to the forensic report by Bezos’ team (obtained by Vice). While no smoking gun has been uncovered — and experts still have many unanswered questions — the purported attack bears all the hallmarks of spyware such as NSO Group’s Pegasus, which has exploited weaknesses in WhatsApp to hack phones. (NSO denies its tech was used in this instance.)
Yet the story also says a lot about the non-technological aspects of 21st-century hacking, and what it takes to uncover the secrets of the richest man in the world. Money helps, obviously: This kind of spyware doesn’t come cheap. Saudi Arabia has, in the past, reportedly paid $55 million for the use of NSO’s tools — though the kingdom says it’s “absurd” to imagine it’s behind the attack.
Then there’s the relaxed attitude to mobile hygiene on the target’s part: We know from the technical report that Bezos doesn’t use a burner phone, keeps personal selfies on his system and might not even know his iTunes password. The icing on the cake, though, is personal trust. The “last mile” of the hack seems to have simply come down to getting Bezos’ number and sending him a message. Access, not technology, was the key.
This is not a dig at Bezos. Unlike the CEOs and world leaders who have been hoodwinked by undercover pranksters, the billionaire was taken in by the real thing. Who wouldn’t exchange numbers with a crown prince feted by the U.S. media and the White House as a millennial modernizer? The fact that the infamous 4.22 MB video file landed in Bezos’ phone on May 1, 2018 — just four weeks after the pair exchanged numbers — suggests the hack really began when they first met in April 2018.
In the hierarchy of scams, if a phishing hack is disseminated to unsuspecting members of the public, and spear-phishing targets one individual, then securing this kind of personal connection surely tops both. As the owner of The Washington Post, which employed dissident Saudi columnist Jamal Khashoggi, Bezos was a prime target.
There has always been a human element to hacking. In the early years of the internet, Kevin Mitnick, once the world’s most famous hacker, used the term “social engineering” to describe the skill of talking his way into key network infrastructure or obtaining passwords.
Today, there’s a multitude of ways hackers interact with the physical world. Stuxnet, a virus specifically used to sabotage Iran’s nuclear program, was reportedly injected directly into machines at the Natanz facility by a double agent using a thumb drive. The long global supply chain of consumer electronics offers plenty of opportunities for malicious actors to physically plant microscopic bugs. Phishing is the most common type of hack, according to a U.K. survey, but cyber-physical attacks are rising.
Maybe the personal connection between Bezos and MBS that apparently enabled this hack is, on one level, a sign that iPhone-toting elites are perhaps too quick to trust each other. Spying, even among allies, is always going to be a grim fact of diplomatic life. But the possibility that authoritarian state actors are prepared to deploy weapons-grade spyware on their WhatsApp contacts is a game-changer. Consumers are being advised to learn from Bezos’ errors. This is also something for the Davos set to take on board.
If the forensic findings turn out to be on target, what comes next should be as much about policy and regulation as about tech-savviness. Rules of engagement are needed in the world of state-backed cyber warfare, including spyware.
Humanity doesn’t seem well-prepared for the myriad of cybersecurity threats coming down the pipe. That’s especially true with the unrelenting march of connected devices and an Internet of Things where physical objects like cars and critical infrastructure can be hacked. There, too, we need better regulation and a more interventionist response instead of trusting the market forces driving innovation, as author Bruce Schneier has suggested.
Until then, the Bezoses of the world will simply have to guard their secrets, and all of their other data, more closely than usual.