Dirty tricks Could a video really have hacked Jeff Bezos' phone?
Did a video really hack Jeff Bezos’ iPhone?
IN JANUARY, IT was reported that Jeff Bezos — CEO of Amazon and, more relevantly, proprietor of The
Washington Post — had had data leaked from his phone by malware installed when he received a video from Mohammad bin Salman, the Crown Prince of Saudi Arabia. The story was based on an ongoing inquiry by UN special rapporteurs drawing on a technical analysis commissioned by Bezos. This suggested that the hack could have been done using Pegasus, a spyware product from the Israeli company NSO, or Galileo from Milan–based HackingTeam. At the time of writing, Saudi Arabia and NSO had denied any involvement, while the other parties hadn’t commented.
But nobody claims to know exactly what was done, or how. When Bezos’ iPhone X was later examined by Cellebrite, which “cracks” iOS devices for law enforcement, no malware was found. Perhaps code contained in the video file, received via WhatsApp on 8 November 2018 had executed itself — although iOS
should prevent this — and exfiltrated the megabyte or more of data per day that Bezos’ records would show had been transmitted in the following months, then deleted itself. Ironically, WhatsApp’s end–to– end encryption, which (as with Apple’s iMessage) prevents messages being intercepted or faked, hampered investigation.
There are certainly examples of “cyberarms” targeting iOS by exploiting newly discovered security vulnerabilities before Apple patches them. Android and WhatsApp have also been targeted. It’s assumed that national security agencies acquire tools to compromise all platforms. Because many tools are developed by third parties who also sell to others, they could in theory be used against any of us to bypass iOS’ security. But the effort and expense makes it unlikely.
If anything can help to protect you from a determined attacker, it’s following standard advice. Don’t click unknown links and don’t open unexpected attachments. And think twice about owning a newspaper.