The hacking of Jeff Bezos should serve as a smartphone security wake-up call
Written by Scott Bicheno | 23 Jan 2020
The story was broken by The Guardian, which seems to have been given details of a forensic analysis commissioned by Amazon boss and owner of the Washington Post Jeff Bezos, after details of his personal life were obtained by the US publication National Enquirer. The investigation concluded it was highly probable that the information was obtained from a hack of Bezos’s phone initiated by an infected video file sent via the WhatsApp account of Saudi Crown Prince Mohammed bin Salman.
It looks like the findings of the investigation were also shared with a couple of UN special representatives – Agnes Callamard, UN Special Rapporteur on summary executions and extrajudicial killings, and David Kaye, UN Special Rapporteur on freedom of expression – who have called for an investigation into the matter.
Callamard investigated and reported to the Human Rights Council in 2019 evidence showing the role of the Government of Saudi Arabia in the murder of journalist Jamal Khashoggi. Kaye reported to the Council at the same time on the growing and lawless use of malicious spyware to surveil and intimidate journalists, human rights defenders, and others in civil society. They issued the following joint statement on the latest development.
“The information we have received suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post’s reporting on Saudi Arabia. The allegations reinforce other reporting pointing to a pattern of targeted surveillance of perceived opponents and those of broader strategic importance to the Saudi authorities, including nationals and non-nationals. These allegations are relevant as well to ongoing evaluation of claims about the Crown Prince’s involvement in the 2018 murder of Saudi and Washington Post journalist, Jamal Khashoggi.
“The alleged hacking of Mr. Bezos’s phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents.
“This reported surveillance of Mr. Bezos, allegedly through software developed and marketed by a private company and transferred to a government without judicial control of its use, is, if true, a concrete example of the harms that result from the unconstrained marketing, sale and use of spyware.
“Surveillance through digital means must be subjected to the most rigorous control, including by judicial authorities and national and international export control regimes, to protect against the ease of its abuse. It underscores the pressing need for a moratorium on the global sale and transfer of private surveillance technology.
“The circumstances and timing of the hacking and surveillance of Bezos also strengthen support for further investigation by US and other relevant authorities of the allegations that the Crown Prince ordered, incited, or, at a minimum, was aware of planning for but failed to stop the mission that fatally targeted Mr. Khashoggi in Istanbul.
“At a time when Saudi Arabia was supposedly investigating the killing of Mr. Khashoggi, and prosecuting those it deemed responsible, it was clandestinely waging a massive online campaign against Mr. Bezos and Amazon targeting him principally as the owner of The Washington Post.”
An annex to the UN statement details the methods used in the forensic analysis and comes to the following conclusion: “Experts advised that the most likely explanation for the anomalous data egress was use of mobile spyware such as NSO Group’s Pegasus or, less likely, Hacking Team’s Galileo, that can hook into legitimate applications to bypass detection and obfuscate activity.”
NSO Group has published a press release entitled ‘NSO is shocked and appalled by the story that has been published with respect to alleged hacking of the phone of Mr Jeff Bezos’, in which it states “we can say unequivocally that our technology was not used in this instance.” TechCrunch reports that NSO has also said its software can’t be used on US phones and threatened legal action against anyone who says otherwise.
Towards the end of last year, however, WhatsApp publicly accused (in the Washington Post) NSO of being the company behind just the kind of spyware that seems to have been used to hack Bezos’s phone. In addition, it filed a complaint in a US federal court, the result of which is unknown. The second annex to the UN report gives a detailed timeline that explicitly conflates the hacking of Bezos’s phone with the murder of journalist Jamal Khashoggi, much of whose reporting was published by the Washington Post.
This whole thing reads like some kind of Jason Bourne plotline and serves to highlight just how critical the issue of smartphone security is. These tiny devices now contain so much information about us that even one of the richest people in the world is helpless in the face of a determined hack. The smartphone now occupies the pivotal position in the tension between state interests and individual privacy and the conclusion of this case could tip that balance decisively.