Why the Jeff Bezos phone hack is a wake-up call for the powerful
By Richard Waters in San Francisco
When deeply personal information about one of the world’s most powerful businessmen is exposed through an attack apparently coming from the WhatsApp account of a future head of state, then who can truly feel safe?
This week’s assertion that Jeff Bezos’s iPhone X was probably hacked by the personal account of Mohammed bin Salman, crown prince of Saudi Arabia, had plenty of shock value. For anyone operating at a senior level of business or government, it is a clear wake-up call.
Three things come together to make the case an object lesson in the exploitation of digital vulnerability. The first involves social engineering. Attacks like this play on weaknesses in the human operating system that can’t easily be patched. At senior levels of business and government, ego, opportunity and responsibility jostle to shape how personal networks operate. Trust is a requisite, and electronic channels of communication unavoidable.
Even friends spy on each other. Angela Merkel’s phone calls were monitored by the U.S. National Security Agency, according to leaks by Edward Snowden — though German prosecutors dropped their investigation after failing to come up with hard evidence.
For anyone aspiring to power and influence in the world, this prompts deeply uncomfortable questions. For instance, which is worse: that a future head of state hasn’t been sending you internet memes over WhatsApp, or that he has? It’s a safe bet that the crown prince has many fewer WhatsApp contacts today than he started the week with.
The second weakness exposed by the Bezos hack is the ready availability of powerful cyberweapons for anyone with the money to pay — and the ethical willingness to use them.
Security expert Bruce Schneier compares it to any other branch of the international arms industry. Rich governments may have access to the most effective weapons, he says, but it is still possible to establish international norms that put some weapons off-limits for most combatants, as has happened with landmines.
Bezos’s investigators reported that they couldn’t determine exactly what type of malware had been planted on his phone, but that it was typical of products sold by groups such as NSO Group and Hacking Team. Public exposure may limit the ability of organizations like this to operate so easily. NSO was majority owned by the Silicon Valley private equity firm Francisco Partners, before the controversial company was sold back to management in February last year.
Facebook last year sued NSO Group over an alleged attack on the phones of 1,400 WhatsApp users, among them government officials, journalists and human rights activists. This kind of pressure seems to be having some effect. In denying this week that its technology was used in the Bezos hack, NSO claimed that its own software couldn’t be used against U.S. phone numbers. That’s some progress, perhaps — though it still leaves roughly 2.5 billion smartphones in the rest of the world to be targeted by any unscrupulous user.
The third significant aspect of the Bezos attack is what it shows about widely used networks and devices. One focus has been on WhatsApp. According to the investigators, the malware appeared to come from an encrypted media server on the Facebook-owned network. This might suggest that encryption itself is the hacker’s friend and that, as Facebook moves its business more towards private messaging over encrypted networks, it will become harder to block such attacks.
But even if encryption makes it harder to identify the precise vector of the attack after the fact, blaming a company for not rooting out malware flowing over its network sets too high a bar. It would be like blaming the road that a burglar took on the way to robbing your house, says Schneier.
That puts the spotlight squarely on Bezos’s iPhone X — which is exactly what Facebook tried to do on Thursday, when one of its executives suggested that “operating systems” were the real point of weakness.
Apple’s iOS operating system has proved more secure than the rival Android smartphone software, but nothing is bulletproof. For instance, fixes to iOS that Apple released in August 2016, and again in December last year, pointed to the risk in some circumstances of “arbitrary code execution” — in other words, that malware would be able to run automatically on an Apple device, even if the user didn’t click on a suspicious link. The malware planted on Bezos’s phone is thought to have come via a video showcasing Saudi telecommunications, but he may never even have clicked to watch it.
At their heart, intrusions such as this are an attack on trust itself, and at the very highest levels. For the great and the good of the business and political worlds who are gathered in Davos this week to perform their annual ritual of social bonding, that should provide plenty of food for thought.