‘If Jeff Bezos isn’t safe, no one is’. ‘We should all be terrified’. Those were common themes after additional details emerged on the techniques hackers used to exfiltrate personal and sensitive information from Jeff Bezos phone and leak it to a tabloid. While there’s some truth in the first reaction — if you present a juicy enough target to a nation state or person of virtually unlimited resources, they can probably find a way to compromise your phone and its data.
However, the second is hyperbole since few of us are sufficiently interesting (or threatening) to warrant spending the kind of money required to mount a targeted attack with the requisite social engineering, spear phishing and zero-day payloads. Nevertheless, the Bezos hack is instructive since it illustrates the modes of attack and types of vulnerabilities capable of reaching a knowledgeable user along with the ramifications of a fully compromising a phone.
Reported in January 2019, the Bezos hack in itself is old news, but the topic resurfaced last week after details from a forensic report, commissioned by Bezos, were leaked to the Financial TImes and subsequently referenced in a statement from the UN Human Rights Commission. The Guardian and the UN report have handy timelines of the events, but for those that haven’t been following the twists and turns, here are the key talking points:
- Saudi Crown Prince Mohammed bin Salman is accused of ordering the murder of journalist Jamal Khashoggi for his frequent columns critical of the Kingdom in the Washington Post.
- MBS (as he is colloquially known) comes to the US in the spring of 2018 for a charm offensive with President Donald Trump and major business leaders. Bezos meets him at a Hollywood dinner where they exchange contact information.
- MBS and Bezos have a chat exchange via WhatsApp, MBS’s preferred means of private communication.
- The report contends that one of the messages MBS sends is loaded with malware that exploits a since-discovered WhatsApp vulnerability (likely this one) delivered via an encrypted video file (MP4). The phone of two Saudi human rights activists who frequently communicated with Khashoggi are also infected this same way.
- The phone of an Amnesty International official is infected via the same technique, but later discovered to be compromised. Subsequent forensic analysis finds data implicating an Israeli software company, NSO, expert in crafting phone malware that often exploits unreported and unknown software vulnerabilities. NSO is frequently used by law enforcement and others to thwart phone privacy technology or surreptitiously gather evidence.
- The National Enquirer publishes and publicizes a story of Bezos's extra-marital affair that includes intimate text messages from his hacked phone.
- Bezos publishes a blog accusing the Enquirer of extortion with excerpts from their email exchange detailing the tabloid’s demands.
- Saudi Arabia is accused of complicity in and denies any involvement in the Bezos hack.
- A security expert hired by Bezos claims he is confident the Saudis had access to Bezos’ phone.
- And finally, last week’s details of the forensic analysis into Bezos’s phone are leaked and published by the media and UN Human Rights Commission.
While the full report hasn’t been publicly released, the leaked portions and UN summary lack many critical technical details, it does indicate the basics of the attack and how flaws in the WhatsApp video downloaded can be exploited to deliver malware to a phone. However, the report does not conclusively tie the hack to the Saudi government, MBS or NSO, since it didn’t decrypt the malware-carrying video file and examine it for malicious software.
So what does this all mean to me and my company?
It’s easy to be alarmed by the Bezos hack since it illustrates the vulnerability of a tech-savvy, but busy, executive using a closed, highly secure device — the iPhone with iOS — to rootkit-level access. However, one can’t get paranoid over the attack since it required a lot of planning and money for the targeted execution and code payload. While the leaked forensics report didn’t include details about the payload, I agree with the UN assessment (paragraph 9) that it is probably very similar, if not identical to NSO’s Pegasus spyware, which works like this (similarities highlighted):
To monitor a target, a government operator of Pegasus must convince the target to click on a specially crafted exploit link, which, when clicked, delivers a chain of zero-day exploits to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission. Once the phone is exploited and Pegasus is installed, it begins contacting the operator’s command and control (C&C) servers to receive and execute operators’ commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.
The reason most organizations have little to worry about is that you don’t become a target of something like Pegasus unless you are a high-value target since according to an NSO Group contract reviewed by the New York Times, the company typically does 8-figure deals with foreign governments or domestic law enforcement agencies. Even a minimal deal to spy on 10 iPhones runs $1.15 million, $650,000 for the phone software, plus a $500,000 setup fee.
The takeaway for enterprise IT is that your average user won’t be the target of such a sophisticated attack, although your CEO and senior executives might be if they run a multi-billion dollar global enterprise with lots of competition, particularly if some of it is in China or other nations with loose definitions of intellectual property.
Good phone security hygiene like restricting the apps on employees’ phones, segregating phone users into a VPN with tightly controlled access to other enterprise networks and enforcing two-factor authentication for all accounts will prevent most security problems. However, organizations should enforce these policies on any device, company- or employee-owned, connecting to its network via an MDM (mobile device management) system. These can be as complicated as a third-party security suite or simple as using the Apple Business Manager or enabling mobile devices controls on the Google admin console for organizations using GSuite.
Organizations needing more elaborate protections of the kind that likely would have detected and quarantined the Bezos phone before it could have exfiltrated data or spread malware over internal networks should investigate mobile threat defense (MTD) products. These typically work by monitoring mobile devices and detecting anomalous behavior that indicates a compromised device. Most organizations aren’t convinced they need an MTD product, with Gartner estimating that only 15 percent of organizations have one deployed. Incidents like the Bezos hack might bolster sales, however, since Gartner expects a doubling of MTD penetration to 30 percent this year. Most will likely be a part of a more comprehensive endpoint management suite from established vendors like BlackBerry, IBM, Microsoft, MobileIron and VMware.
There are enterprise security lessons anytime a famous person’s sensitive texts, pictures and emails are splashed across the Internet. Whether it is due to personal naïveté or mistakes, structural security problems with a particular app or service or, as in the Bezos case, a carefully executed plan targeting a particular person or small group. The latter, i.e. the extensively-planned, expensive-to-execute targeted attacks, are the most successful and dangerous, but also the least likely to create a broad threat to the average enterprise. Nonetheless, the incident offers lessons for both enterprise IT and individual phone users.
- Individuals must be highly skeptical of unsolicited communications, particularly those with file attachments, even when they come from a peripheral acquaintance over a supposedly secure private channel like WhatsApp. Furthermore, WhatsApp has such a poor security record that users should avoid it in preference to something like iMessage or Signal.
- Enterprises should enforce basic mobile security policies via MDM software and investigate MTD or comprehensive endpoint management suites for high-risk or high-value employees.