Cyber security: The Jeff Bezos phone hack proves anyone can fall victim

Source Business Insider:

Jeff Bezos’ phone was hacked in 2018 after receiving a WhatsApp message from Mohammed bin Salman, according to an explosive new report from The Guardian, which cites multiple sources familiar with the investigation.

Amazon CEO Jeff Bezos was reportedly hacked by Saudi Arabia crown prince MbS in 2018, according to a new bombshell report from The Guardian’s Stephanie Kirchgaessner.

Citing unnamed sources with knowledge of an international investigation into the hacking, The Guardian report reveals that Bezos’ phone was infiltrated after opening a malicious video file sent from the crown prince’s number on WhatsApp.

The two men reportedly had a seemingly friendly texting exchange on WhatsApp on May 1, 2018, after which an unsolicited video file was sent from bin Salman’s account. After Bezos opened the file, data was rapidly extracted from his personal phone, according to the report.

Saudi Arabia has yet to comment on The Guardian’s report, while an attorney for Bezos declined to comment beyond saying Bezos was cooperating with investigations.

Representatives for Bezos and the Saudi Arabian government did not immediately respond to Business Insider’s request for comment.

The incident was revealed in a forensic investigation conducted by FTI Consulting that was first reported by The Guardian earlier this week. The United Nations has since called on the United States and other relevant authorities to conduct an investigation. The Saudi government denied the allegations against it and called them “absurd.”

While reports suggest the Bezos hack was a specific and targeted attack, security experts say that the critical amount of sensitive data stored on today’s smartphones means mobile devices will continue to be high-value targets for state-sponsored attackers and black market hackers alike. It also illustrates that anyone, even prominent CEOs with vast resources, can be vulnerable to cybersecurity threats.

“It’s ultimately a fact of life at this point,” Paul Lipman, CEO of cybersecurity firm BullGuard, said to Business Insider. “As more of what we do relies on technology, [devices] become a target.”

Although it may be impossible to completely prevent and detect some cyber attacks before they occur, there are certain measures that both high-profile figures like Bezos and average smartphone users can take to mitigate the risks, experts say. The first thing people need to do to protect themselves is understand how they might be vulnerable to attacks.

Bezos’ phone reportedly began leaking data within hours of the encrypted downloader being received, and it continued to do so for months, FTI Consulting’s report said. In its statement calling for an investigation, the United Nations said that spyware tools believed to have previously been used by Saudi officials, such as the NSO Group’s Pegasus-3 malware, may have been used to execute the attack.

Malware attacks can generally be difficult to prevent because, in some cases, the target doesn’t even need to click on a link or download a file to become infected.

A previous vulnerability in WhatsApp, for example, made it possible to inject spy software on a user’s smartphone simply by calling them, even if the victim didn’t answer. That exploitation was carried out using software from NSO Group, as the Financial Times reported.

“Malware wants to remain under the radar,” said Etay Maor, chief security officer at Intsights. “And usually once it’s in, it’s extremely hard to identify that something is wrong.”

That’s why Bogdan Botezatu, director of threat research and reporting at cybersecurity firm Trend Micro, suggests that high-profile targets like Bezos use two phones: one with no valuable personal information stored on it for browsing social media and using apps like WhatsApp, and a separate highly-secure phone with limited access to the Internet and apps for storing sensitive information.

Maor similarly suggests leaving your primary mobile device in a secure location when traveling and bringing a burner phone instead to mitigate the risk of an attack.

“There’s no such thing as ‘this device cannot be hacked,’” Maor said. “And we’ve seen this over and over again. So at the end of the day, it’s a game of risk management.”

Such measures may be practical and worthwhile for public-facing figures like Bezos, one of the world’s richest men who runs one of the world’s most valuable companies and owns The Washington Post. But most people will probably be able to adequately protect themselves by following best practices when it comes to digital security, like keeping software up to date, avoiding downloading files from unknown sources, and only installing apps and programs from official app stores managed by Apple and Google.

“The reality is that these kinds of attacks are highly targeted, not attacks that the average person is going to fall prey to,” Lipman said. “And the reality is that anyone can be hacked, with enough time, motivation, and resources.”
