Analysis | The Cybersecurity 202: Bezos hack reveals dangerous escalation in use of commercial hacking tools, experts warn
By Joseph Marks
Saudi Crown Prince Mohammed bin Salman and Amazon founder and chief executive Jeff Bezos in Riyadh. (Bandar al-Jaloud/AFP/Getty Images)
An alleged Saudi hacking campaign that compromised the cellphone of Amazon founder and Washington Post owner Jeff Bezos is a chilling example of how even the world's richest person can be hacked with tools that were likely bought off the shelf.
It marks a significant escalation in the way nations use commercial hacking tools -- and is fueling calls from officials and experts to ban the international sale of spyware.
“This should be a wake-up call for the international community,” Agnes Callamard, a U.N. investigator who urged such a moratorium in light of the Bezos hack, told me. “We need to take action before we are completely unable to control this technology.”
The breach underscores how the spread of commercial spyware is allowing a new generation of nations to engage in the sort of high-stakes hacking and espionage that was once the exclusive domain of a handful of countries including the United States, Russia and China.
“It’s become a free-for-all, and anyone can acquire [these tools] now,” former FBI agent and cybersecurity expert Clint Watts told me.
The hacking occurred several months before the murder of Washington Post contributing columnist Jamal Khashoggi, who was critical of the Saudi regime and whose killing the CIA linked to the Saudi government in a December 2018 congressional briefing. The malware appears to have arrived in a WhatsApp message from the personal account of Saudi Crown Prince Mohammed bin Salman, investigators found.
The hack also appears to have been the source of leaked texts between Bezos and his girlfriend, Lauren Sanchez, that appeared in the National Enquirer, according to a forensic investigation commissioned by Bezos, which was published yesterday by Motherboard.
Saudi Arabia’s foreign minister, Prince Faisal bin Farhan Al Saud, disputed the U.N. report, saying “the idea that the crown prince would hack Jeff Bezos’s phone is absolutely silly,” as my colleague Marc Fisher reported.
Researchers have fretted for years about the way Saudi Arabia and other authoritarian regimes use commercial hacking and surveillance tools to spy on journalists and activists. Facebook even sued a major spyware vendor, Israel's NSO Group, in October for allegedly helping governments hack at least 100 journalists, political activists and human rights defenders across 20 countries using a technical flaw in its WhatsApp messaging service. Cost appears to be no object: Saudi Arabia paid NSO Group $55 million for use of its spyware in 2017, the New York Times has reported, citing Israeli news reports on government authorizations for the sale.
But this marks the first known instance of it being used to target a figure as prominent as Bezos.
The hack also raises troubling questions about the role the U.S. government should play in responding to a hack against a private citizen that nevertheless has major implications for the First Amendment, Watts told me.
Watts compared it to North Korea's 2014 hack against Sony Pictures Entertainment, which U.S. officials said was sparked by leader Kim Jong Un's ire at the gross-out buddy comedy "The Interview." In the wake of the hack, Sony pulled the movie from theaters, leading to criticism that it was caving to an adversary that wanted to curtail free speech. The Obama administration imposed new sanctions on North Korea following the hack, pledging to defend U.S. businesses and citizens and to respond to foreign attempts to undermine U.S. values.
“This is one of those gray zones we have not thought through,” Watts said. “There’s no war game in the U.S. military here when a foreign government hacks an important U.S. business and media leader and dumps his information to the National Enquirer. What’s our responsibility in that case? What’s our counter response?”
Investigators hired by Bezos did not find traces of the malware itself but said its effects were similar to sophisticated hacking tools that are commercially available to intelligence and law enforcement agencies. They noted specific similarities to NSO tools, but the company vehemently denied it was the source of the tools in a statement on its website.
Investigators believe the malware was so sophisticated, in fact, that it did not require Bezos to click on the malicious video the crown prince sent him before it started extracting data.
“I think we’re just at the beginning of seeing these tools used in this way, and it’s very frightening,” David Kaye, the U.N. special rapporteur on freedom of expression who joined Callamard in calling for a moratorium, told me.
The fact that a figure as prominent as Bezos was compromised also underscores how vulnerable most people without his resources are to spyware, Kaye said. “How does a regular person who doesn’t have their own personal security outfit ... protect themselves?" he said. "It’s a pretty grim situation."
PINGED, PATCHED, PWNED
Apple CEO Tim Cook and President Trump tour an Apple manufacturing plant Nov. 20 in Austin. (Evan Vucci/AP)
“I think we should … start finding some of the bad people out there that we can do with Apple. I think it’s very important,” Trump said in an interview with CNBC’s Joe Kernen yesterday morning.
Trump’s comments echoed a tweet he posted last week slamming the tech giant for not complying with the FBI’s requests to help it crack into the iPhones.
Privacy advocates have come to Apple’s defense, warning that government efforts to undermine encryption could hurt national security by making it easier for hackers to compromise encrypted communications. That includes the security of U.S. elections.
“It is vital that our nation’s election systems have the strongest possible shield against malicious hackers, especially given the resources that hostile foreign powers could deploy to undermine confidence in our democracy,” a coalition of groups led by the nonprofit watchdog Project on Government Oversight wrote in a letter to Attorney General William P. Barr.
A customer holds an iPhone. (Chris Ratcliffe/Bloomberg News)
The office of Manhattan District Attorney Cyrus R. Vance Jr., for instance, who has long called for an encryption back door, spent at least $200,000 on phone-cracking tools from Israeli company Cellebrite.
The number of law enforcement agencies using the technology is probably greater than Hayes was able to confirm because a number of agencies did not respond to his public records requests or claimed they were exempt, he noted.
The Huawei logo is seen at the IFA consumer electronics fair last year in Berlin. (Hannibal Hanschke/AP)
Strayer did not push for a full ban on Huawei but accused the company of being a potential tool for Chinese spying. Data theft by China “happens on a regular basis,” Strayer said. Huawei has steadfastly denied aiding Chinese espionage.
The European Union has declined to recommend that members ban Huawei from their 5G buildouts. So far, Poland is the only European Union nation to do so.
PUBLIC KEY— Defending Digital Campaigns, a nonprofit organization that offers free and reduced-price cybersecurity tools to federal election campaigns, announced this morning it's offering services from 11 new companies including Microsoft and the security-key company Yubico. Other new services come from the web security company Cloudflare and the app security firm Kryptowire among others.
DDC began offering cybersecurity help to campaigns in May after winning a Federal Election Commission ruling that it could do so without violating campaign finance laws. Other companies working with DDC include the anti-phishing firm Area 1 Security and the encrypted messaging platform Wickr.
— More cybersecurity news from the public sector:
PRIVATE KEY— Leading Internet service providers and global cybersecurity organizations including Deutsche Telekom, Korea Telecom and the Global Cyber Alliance signed on today to a new set of security principles released by the World Economic Forum Centre for Cybersecurity. The principles include protecting customers from cyberattacks "by default" and working with manufacturers to raise the minimum level of cybersecurity in their products.
— More cybersecurity news from the private sector: