68ºF

The big lesson from the Bezos hack: Anyone can be a target

PROVIDENCE, R.I. – You may not think you're in the same league as Jeff Bezos when it comes to being a hacking target. Probably not, but you — and just about anyone else, potentially including senior U.S. government figures — could still be vulnerable to an attack similar to one the Amazon founder and Washington Post owner apparently experienced.

Two U.N. experts this week called for the U.S. to investigate a likely hack of Bezos' phone that could have involved Saudi Arabian Crown Prince Mohammed bin Salman. A commissioned forensic report found with “medium to high confidence” that Bezos' iPhone X was compromised by a video MP4 file he received from the prince in May 2018.

Bezos later went public about the hack after the National Enquirer tabloid threatened to publish Bezos’ private photos if he didn’t call off a private investigation into the hacking of his phone. It's not clear if those two events are related. The Saudis have denied any involvement in the purported hack.

The events could potentially affect U.S.-Saudi relations. On Friday, Sen. Ron Wyden, an Oregon Democrat, said he is asking the National Security Agency to look into the security of White House officials who may have messaged the crown prince, particularly on personal devices. Jared Kushner, a White House aide and President Donald Trump's son-in-law, is known to have done so using WhatsApp.

Wyden called reports of the Bezos hack “extraordinarily ominous” and said they may have “startling repercussions for national security.”

But they could resonate at the personal level as well. As the cost of hacking falls while opportunities to dig into peoples' online lives multiply, more and more people are likely to end up as targets, even if they're not the richest individuals in the world.

Ultimately, that boils down to a simple lesson: Be careful who you talk to — and what you're using to chat with them.

“People need to get out of the mindset that nobody would hack them,” said Katie Moussouris, founder and CEO of Luta Security. “You don’t have to be a specific target or a big fish to find yourself at the mercy of an opportunistic attacker.”

WhatsApp, owned by Facebook, is generally considered a secure way of trading private online messages due to the fact that it scrambles messages and calls with encryption so that only senders and recipients can understand them. What many people may not have realized is that it, like almost any messaging service, can act as a conduit for malware.

That encryption, however, is no help if a trusted contact finds a way to use that connection to break into the phone's operating system. In fact, an infected attachment can't be detected by security software while it's encrypted, and apps like WhatsApp don't scan for malware even once files are decrypted.

WhatsApp users can disable the automatic downloading of photos, videos and other media, which happens by default unless the user takes action.

Other messaging apps are likely also vulnerable. “It just so happens that this one was a vulnerability in WhatsApp," said JT Keating, of Texas-based security firm Zimperium. “It could have been in any one of any number of apps."

Prince Mohammed exchanged numbers with Bezos during a U.S. trip in spring 2018. On the same visit, the prince also met with other tech executives, including the CEOs of Google, Apple and Palantir, as well as sports and entertainment celebrities and academic leaders. Virgin Group founder Richard Branson gave the Saudi delegation a tour of the Mojave Air and Space Port in the desert north of Los Angeles.

Google and Apple didn’t respond to emailed requests for comment this week on whether their executives shared personal contacts after that trip. Palantir Technologies confirmed that its CEO Alex Karp met with the prince but said they never shared personal messages. Virgin Group said it was looking into it.

UC Berkeley cybersecurity researcher Bill Marczak cautioned that there's still no conclusive evidence that the Saudi video was malicious, adding that it might be premature to jump to broader conclusions about it. Many other security experts have also questioned the forensics report upon which U.N. officials are basing their conclusions.

But Marczak said it is generally good advice to “always be on the lookout for suspicious links or messages that sound too good to be true."

Even caution about avoiding suspicious links might not be good enough to ward off spyware — especially for high-profile targets like dissidents, journalists and wealthy executives. Hackers-for-hire last year took advantage of a WhatsApp bug to remotely hijack dozens of phones and take control of their cameras and microphones without the user having to click anything to let them in.

In such cases, said Marczak, “there doesn’t need to be any interaction on the part of the person being targeted.”