On the first of May in 2018, Amazon founder and chief executive Jeff Bezos received on WhatsApp an unsolicited video file message from Saudi Arabia’s de facto ruler, Crown Prince Mohammed bin Salman Al Saud.
According to the later investigations, the MP4 video file was weaponized to exploit an unknown-at-the-time vulnerability in WhatsApp application running on Bezos’s iPhone, giving perpetrators broad access to Bezos’s phone and its contents. Following the penetration, tens of times more data than usually was transferred from Bezos’s phone to an unknown destination. The open source reports covering the incident suggest that the perpetrators continued to have a foothold in Bezos’s phone for months.
While Bezos, one of the richest persons in the world, can be considered to be a prime target for criminals, and while his command over Amazon makes him one of the most powerful persons in the world of global technology markets, his targeting by a nation state raised questions about the motivation behind the attack.
Two key motivations raise above others, first of all, Bezos’s ownership of the Washington Post. This American news outlet has been critical towards the Saudi leadership and published columns written by Saudi dissident and journalist Jamal Khashoggi, who was according to the US intelligence sources murdered in October 2018 at the Saudi embassy in Istanbul, Turkey. Second, a more speculative motivation is linked with an idea of Saudi crown prince courting President Trump’s support by attacking one of his enemies. This line of thinking is supported by the fact that the materials that have most probably also been part of the collection effort from Bezos’s phone became later available for a media outlet known for its staunch support for Trump.
According to the private investigation conducted by FTI Consulting on Bezos’s case and the UN independent experts’ call for further investigations, both point towards the direction of NSO Group and their Pegasus 3 platform having been used in the attack against Bezos. While some cyber experts have been critical over the depth of the released forensic work and the lack of “smoking gun” in the report, there are other streams of evidence that point towards the same source of technology and point of infection.
In October 2019, almost one and half years after Bezos’s original compromise, Facebook, owner of WhatsApp, announced a lawsuit against the NSO Group stating that NSO Group’s technology had been used in more 1400 hacking attempts of WhatsApp users. Later in November, it was confirmed that MP4 files were used as a method to install spyware on devices having WhatsApp installed. Nevertheless, the exact timing of exploiting that particular vulnerability was not released. But such vulnerability was not the only one, as 2019 alone WhatsApp disclosed 12 vulnerabilities out of which seven were considered to be critical.
While there have been political, legal, and reputational pressures set against Saudi leadership and the NSO group, both parties have continued to state that they had nothing to do with the hacking of Bezos’s phone. Ownership of NSO Group changed in February 2019 from Francisco Partners to a consortium of two founders of NSO Group and a European private equity fund, Novalpina Capital, who bought a majority stake in the company.
Lessons learned
- The nation states and their leaders have access to surveillance technologies that exploit previously unknown vulnerabilities, or so-called zero days, to gain remote access to target systems and devices, such as smartphones.
- Typical use cases for such technologies are fighting terrorism and other threats to national security by collecting actionable intelligence, such as digital content of all sorts, list of geographic locations, communications patterns, and information on people networks and command and control structures.
- Potential targets for intelligence collection include in addition to suspected terrorists and members of the military, also high-power individuals, such as political leaders and other key decision-makers. In addition to legitimate targets, sophisticated surveillance technologies that have fallen into the wrong hands can be used against illegitimate targets, such as human rights activists, opposition leaders, journalists, and like in Bezos case, business leaders with a global footprint and ability to influence views and opinions worldwide.
- The goals for penetrating and compromising the target devices vary depending on the rationale and motivation behind the decision to gain access to the target. In addition to information collection for later use, for example, in support of one’s own decision making, the collected information can be used to disrupt the activities of the targets, or to be able to influence their decision making. In the worst-case scenario, the access to the target’s device and its information may be a deciding factor in the success of an elimination operation launched against the target.
- As of now, the cost of the highest end of surveillance tools prohibit their wide use against targets other than high-value intelligence and military targets, members of the global elite, and those fighting against totalitarian regimes. Nevertheless, it is safe to assume that the production of such tools will continue, which in turn with time passing might push down the market price making the surveillance tools more widely accessible. Secondly, at the time of writing, it also seems that the price, whether reputational, political, or financial, paid for misuse of surveillance technologies has been somewhat limited, which may embolden the illegitimate uses of surveillance technologies. Thirdly, it is yet to be known, if there are going to be any real legal and financial implications for the producers of such tools for the illegitimate uses of their tools. Paradoxically, the current cases may actually have served as an advertisement and concrete show cases for the efficacy of the tools in question for the prospective buyers.
- On an individual level, there are a limited number of actions that can be taken against being targeted by sophisticated surveillance technologies. The first key course of action is to have a number of devices in use with a clear separation of duties between private and official matters. Some devices may be particularly hardened to enable working on official matters involving classified materials. Separation of duties on a device level should be combined with tight whitelisting of approved applications in use. Utilization of public communications platforms for the conduct of official duties should be allowed only after careful risk vs. benefit analysis. One course of action is also to limit the number of people, or in other words the circle of trust, allowed to communicate with certain devices taking into account that at times even allies spy on allies. Nevertheless, security versus efficiency and other potential benefits is a careful balancing act that demands an honest evaluation of risks, their likelihood, and their possible consequences for an individual and the organization that they present.
- On national and international levels, it is essential to have legislation in place that enables legal actions to be taken against the perpetrators misusing sophisticated surveillance technologies. In support of legal action, there needs to be in place access to private and public sector capabilities that can conduct a high level of forensic work against world-class players, such as nation states. On the international level, it is necessary to have collaborative networks in place that allow victims and targeted platforms, such as WhatsApp, to seek justice across the borders. Collaborative networks can also be utilized in sanctioning and exacting financial toll from the perpetrators, should legal action fall short in achieving its goals. Finally, sophisticated dual-use technologies that have been developed by private sector companies need to be carefully controlled before allowing their export. Particular scrutiny should be in place against exporting such tools to countries and organizations with history in misuse of them.
- If we look beyond uses of surveillance tools against singled out individuals, the same tools can be utilized in following up and tracking the developments taking place among the masses of people. One timely example is the alleged follow-up of Coronavirus carriers and people they encounter by Israel’s internal security agency, Shin Bet.
Featured in Sectra Newsletter, March 2020
References
- https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince
- https://www.ft.com/content/83dcdf74-3c9b-11ea-a01a-bae547046735
- https://www.vice.com/en_us/article/v74v34/saudi-arabia-hacked-jeff-bezos-phone-technical-report
- https://assets.documentcloud.org/documents/6668313/FTI-Report-into-Jeff-Bezos-Phone-Hack.pdf
- https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=25488&LangID=E
- https://www.ohchr.org/Documents/Issues/Expression/SRsSumexFreedexAnnexes.pdf
- https://www.theatlantic.com/politics/archive/2020/01/bezos-hack-amazon-saudi-mbs-whatsapp/605755/
- https://www.bloomberg.com/news/articles/2020-01-23/trump-s-silence-on-bezos-hack-shows-risk-of-close-ties-to-prince
- https://www.cyberscoop.com/jeff-bezos-mbs-hack-fti-report-questions/
- https://www.cnbc.com/2019/10/29/facebook-sues-nso-gropu-claims-it-helped-hack-whatsapp.html
- https://www.washingtonpost.com/context/read-the-whatsapp-complaint-against-nso-group/abc0fb24-8090-447f-8493-1e05b2fc1156/?itid=lk_inline_manual_4
- https://www.zdnet.com/article/attackers-using-whatsapp-vulnerability-triggered-by-video-files-can-remotely-execute-code/
- https://www.businessinsider.com/jeff-bezos-hack-whatsapp-disclosed-security-flaws-last-year-ft-2020-1
- https://www.reuters.com/article/us-usa-cyber-nso-exclusive/exclusive-fbi-probes-use-of-israeli-firms-spyware-in-personal-and-government-hacks-sources-idUSKBN1ZT38B
- https://thehill.com/policy/technology/479652-bezos-phone-breach-escalates-fears-over-saudi-hacking
- https://www.novalpina.pe/nso-group-acquired/
- https://www.bloomberg.com/news/articles/2020-03-17/israel-approves-30-day-tech-tracking-of-coronavirus-carriers