A new investigation suggests that the hacking of Amazon CEO Jeff Bezos's phone stems from a WhatsApp account linked to Saudi Arabia's Crown Prince Mohammed bin Salman and one seemingly innocuous video file. The alleged hack shows that security online is never guaranteed, even on this very popular Facebook-owned encrypted messaging app. And that's something to keep in mind even if you aren't a billionaire.
How Jeff Bezos allegedly got hacked, explained
First reported by the Guardian and the Financial Times, the investigation found that an iPhone X belonging to Bezos was hacked after it received a video file in a WhatsApp message in May 2018. The business advisory firm FTI Consulting, which conducted the investigation, claims with medium to high confidence that the video file came from a WhatsApp account belonging to Mohammed bin Salman, also known as MBS.
According to a copy of the full report, compiled by FTI and obtained by Vice, the video itself could not be studied due to WhatsApp's encryption feature, so it remains unclear if it contained malware. Nevertheless, investigators observed that, shortly after the video was sent, abnormally large amounts of data were exfiltrated from the phone. (Data exfiltration occurs when a malicious actor transfers data off of a device, usually without the owner's knowledge.) This exfiltration continued at a high rate for several months.
The video was sent to Bezos, who owns the Washington Post, at the same time as the Saudi government was, according to the report, very concerned about Washington Post columnist Jamal Khashoggi. Khashoggi was murdered in October 2018. CIA officials later concluded that the killing took place with MBS's approval, an allegation the Saudi prince has denied.
Meanwhile, suspicions that the Saudi government had hacked Bezos's phone began in February 2019, after the National Enquirer reported that Bezos was having an extramarital affair. That report appeared to rely on information that could only have been obtained through Bezos's phone. Bezos's security team hired FTI Consulting to investigate his phone shortly after. (The National Enquirer claims its information came from Bezos's girlfriend's brother and that the Saudi government was not involved.)
Further adding to the evidence that MBS hacked Bezos's phone: A few days after Bezos was told on the phone that he may have been hacked by the Saudi government, MBS sent him a message over WhatsApp saying (all sic): "Jeff all what you hear or told to its not true and its matter of time tell you know the truth, there is nothing against you or amazon from me or Saudi Arabia."
The release of the FTI report also caught the attention of two United Nations human rights experts, who called for further investigation into allegations that MBS hacked into Bezos's phone. Meanwhile, the potential link between the phone hacking and Khashoggi's murder does not appear to be lost on Bezos, who tweeted this the day after the FTI report emerged:
MBS allegedly uses WhatsApp to communicate with many high-profile figures, including Boris Johnson, Richard Branson, and President Trump's son-in-law Jared Kushner. One Silicon Valley executive told Recode that other leaders and executives in the tech industry are worried about undiscovered attacks. After all, MBS met with several of them, including Sergey Brin, Tim Cook, and Peter Thiel, when he visited the region in April 2018.
If it happened to Bezos, it could happen to you, so here's what you should keep in mind
It's easy to dismiss this maze of revelations involving Bezos and MBS as just another high-profile hack. What's notable here, however, is that the hacking happened within WhatsApp, a service that promotes itself as the safe option for people who are concerned that their messages will be intercepted by hackers. WhatsApp even says in its FAQ, "Privacy and security is in our DNA." (WhatsApp did not respond to a request for comment.)
Thanks in part to this promise of privacy and security, WhatsApp is one of the most popular apps in the world, with about 1.5 billion active users worldwide as of February 2018. Its primary security feature is end-to-end encryption, which means messages can only be seen by the sender and receiver while they're in transit; anyone who intercepts them will receive an unreadable encrypted file. Not even WhatsApp can read users' messages.
However, this added layer of protection should not be confused with absolute security, as the Bezos hack shows. Assuming the report's conclusions are correct, the end-to-end encryption worked just fine: FTI was unable to decrypt the file apparently sent by the account linked to MBS. But good encryption didn't prevent Bezos's phone from sending gigabytes' worth of data to a malicious actor for weeks after the video file was sent.
It's worth pointing out that a default setting in WhatsApp allowed Bezos's phone to download the video file, and any malware therein, automatically. You can opt out of this feature to help protect against something like this happening to you.
As alarming as the Bezos hacking story seems, WhatsApp users concerned about security might not want to delete the app just yet. Even with WhatsApp's checkered history, several security experts told Recode they don't think the app is particularly problematic.
"This is not indicative of a vulnerability in WhatsApp," Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, said. "There is nothing they can do when a trusted contact sends you a carefully crafted malicious link."
Maya Levine, a security engineer at cybersecurity company Check Point, said it's not so much that WhatsApp is especially flawed. The Facebook-owned app is simply an attractive target, which makes its vulnerabilities much more likely to be exposed.
"It's encrypted messages, so you can get a lot of information if you are able to hack WhatsApp successfully," Levine said. "WhatsApp is probably the most popular encrypted messaging app worldwide and because of that, it's maybe targeted a little bit more by hackers. But I wouldn't say it's less secure."
The best takeaway for the average person is not to be lulled into a false sense of security and assume they'll be left alone because they aren't a typical hacker target, said Paul Ducklin, principal research scientist at cybersecurity firm Sophos. Even apps packed with privacy features, he added, aren't completely safe.
"Unfortunately, when it comes to cybercriminality these days, nobody's immune and no software that you use is likely to be 100 percent free of bugs," Ducklin said. "Sometimes people get a program like WhatsApp or any of its many competitors, and once they find out it's got all this encryption, they assume that encryption means that the message is secure forever hereafter, when the encryption is about securing the content while it's going between you and the other person. It's important not to hear about a technology and assume that it protects you more than it does."
And while nothing is foolproof, there are some things you can do to minimize your risk.
"Keep up to date on your updates," Levine said, both on your phone's operating system itself and your apps. Updates will contain security patches that fix flaws and vulnerabilities, and often roll out soon after they are discovered.
Despite WhatsApp's security issues (and WhatsApp is hardly the only encrypted messaging app to have this problem), Galperin doesn't think users should abandon it. Last May, she wrote about a different WhatsApp vulnerability and recommended that people continue to use end-to-end encrypted messaging apps, which she said are one of the most effective ways to protect the contents of your messages, at least for most people most of the time.
Ducklin, meanwhile, said the best way to prevent sensitive information from being taken from your phone is the time-honored method of not putting it there in the first place. That, and thinking twice about what you're sharing and who you're sharing it with.
"Sometimes, the best way to avoid that problem is simply to go, 'Okay, I'm going to share less information,' or, 'I'm not going to share this particular photograph,' or, 'I'm not going to talk about secret personal stuff on this channel. Maybe I'll wait until I meet up with this person face to face,'" Ducklin said. "Modulating your own behavior a little bit is often a lot better than fretting about which of many potentially equal apps you're using to communicate."
Bezos may be a unique and desirable hacking target, but the dangers of putting all your trust in an app, even a reasonably secure one, apply to everyone.
"The app can't save you from yourself," Ducklin said.
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.