If Jeff Bezos' phone can be hacked, so can yours: What you need to know
Lessons from what happened to the world's richest man.
Do you spend millions a year protecting yourself from cyberattacks as Amazon does? No?
It might not matter anyway. Last month brought the news that an iPhone X used by Jeff Bezos, CEO of Amazon and one of the richest men in the world, may have been hacked as part of an effort to blackmail him.
The "hack" has been blamed on Saudi Arabia, although the Saudi government has denied the allegations that a WhatsApp message from Crown Prince (and de facto ruler) Mohammad bin Salman resulted in Bezos' iPhone being compromised.
Beyond the geopolitical implications of the alleged hack, this story has much to tell us about the vulnerability of smartphones — even those owned by billionaires.
Whether the hack happened or not — and some cybersecurity experts remain unconvinced — the story is also bad news for WhatsApp, which has been the subject of many similar reports in recent months.
We've recently seen a WhatsApp flaw that lets hackers see your messages, the rise of WhatsApp spyware and a fake version of WhatsApp downloaded more than a million times. Just this week, there was a WhatsApp flaw that would have let hackers infect your PC or Mac.
But because we don't know exactly what kind of spyware, if any, infected Bezos' phone, we can't blame WhatsApp (or Apple) just yet, and we can't tell you if one of the best Android antivirus apps would have caught it.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Let's dive into how Bezos' phone may have been compromised, what it might mean for cybersecurity as a whole, and how you can avoid becoming a victim of a similar attack.
What happened between Bezos, the Saudis and the National Enquirer?
On May 1, 2018, Mohammad sent Bezos a WhatsApp message containing a video clip. Bezos opened the message, but the video clip apparently did not play.
On Oct. 2, 2018, Jamal Khashoggi, a Saudi dissident and Washington Post columnist, was killed inside the Saudi consulate in Istanbul, Turkey. The Post, which Bezos owns, covered the story extensively.
In January 2019, text messages between Bezos and his mistress appeared in the National Enquirer. Bezos hired a security consultant, Gavin de Becker, to find out how the Enquirer got the texts.
In February 2019, the Enquirer's lawyers sent emails to de Becker's firm threatening the publication of intimate photos of Bezos and his mistress unless Bezos ended the investigation.
Instead, Bezos went public, admitted the affair, said he and his wife were divorcing and challenged the Enquirer to publish what it had.
Bezos' team now says the photos and texts were stolen from his smartphone by spyware delivered by the WhatsApp message sent by Mohammad, who was reportedly angry about the Post's coverage of Khashoggi's murder.
What's up with WhatsApp?
The report detailing the supposed hack of Bezos' iPhone comes from the forensics-consulting firm FTI, which was hired by de Becker to examine the smartphone. The report blames the leak of Bezos' private information on a type of phishing attack.
FTI says the video clip that Mohammad sent Bezos was actually spyware that was likely executed as soon as Bezos opened the WhatsApp message.
It might sound surprising that such a basic attack could compromise the phone of a presumably tech-savvy billionaire. Equally surprising is the idea of a state-sponsored attack through WhatsApp, as opposed to apps such as Gmail that might hold far more valuable data. But these two facts are less strange than they appear.
One has to assume that Bezos would not open many unsolicited messages, even if the messages had made their way through his (presumably) rigorous malware-protection filters.
But here's the point: This message wasn't just from anyone. It was from a trusted associate who happened to be the acting ruler of an economically and strategically important sovereign state. Phishing attacks today rely more on social engineering than on technical knowledge, and in this context, it becomes less surprising that Bezos became a victim.
So why did the Saudis (allegedly) use WhatsApp? Wouldn't it have made more sense for them to try to compromise Bezos' emails or any private computers or servers he may have had?
Saudi Arabia, by all accounts, scores very poorly on the scorecard of internet freedom, regularly blocking news websites such as Fox News and the CBC. Gaining access to Bezos' computer or emails would be a logical first step, right?
Well, yes and no. Today, the increasingly networked relationships among our online accounts mean that one account being compromised can easily lead to others being breached as well.
At a basic level, monitoring Bezos' WhatsApp account would be a great way of collecting information on him. This information could then have been used to launch further attacks, to blackmail Bezos or to simply to collect more intelligence.
The context
Perhaps we shouldn't blame just WhatsApp. Instead, we should look at the ways our digital information systems, and particularly our smartphones, are secured. The alleged Jeff Bezos-WhatsApp hack provides a reason to do just that.
Sam Bocetta, a former security analyst for the U.S. Navy, said that one of the problems with smartphones is that they are not compartmentalized sufficiently.
"We've tried to make smartphones as easy to use as possible," Bocetta said. "But to do that, we've made a system where apps can easily read data from each other, and authentication happens rarely ... if it happens at all.”
That, in turn, has given rise to a situation in which smartphone apps can be a major source of infection for other systems, such as the computers and smart devices on a home or office network.
We should not blame users for this. Ultimately, devices have been designed to encourage the integration of various systems. You can use Facebook to log in to e-commerce shopping platforms, your phone number can authenticate your online banking login, and roughly 71% of people will leave a public Google review under their personal names and email addresses if asked to do so.
Protecting yourself
So, what can you do to prevent yourself becoming a victim of a similar phishing attack?
You don't need to spend millions on cybersecurity to make yourself safer. You can set up firewalls as a buffer between yourself and outside intruders, keep your browsers up-to-date to escape security loopholes that hackers may exploit, and use open-source privacy tools that will hide and protect your data from hackers.
"Everyday users can actually achieve quite a lot when it comes to locking down access to their phone," said Gary Stevens, a cybersecurity analyst and founder of Hosting Canada. "The problem is that many of us are unwilling to do that because we want our apps to open quickly."
Taking the time to reenter a password, Stevens said, is often too much work, even for people who claim they care about data privacy.
Perhaps the biggest lessons that can be learned from the alleged Bezos hack, though, are not technical. Rather, the incident reminds us that most phishing attempts rely on an implicit trust between attacker and recipient.
Bezos clicking on a link, in this context, is a refreshing reminder that even the world's richest man is human and trusts his business associates.
Tips to keep your secrets safe
With all that said, here are some guidelines.
- As NPR noted in a guide released shortly after the attack, don't "jailbreak" your phone or install apps from outside the supported app stores run by Apple, Google and Amazon.
- Use your common sense. Be suspicious of vague and general-sounding messages asking you to open a file or click on a link. Even if the message comes from someone you know, that person's account may have been compromised.
- Compartmentalize your apps and online accounts as much as possible. It might be easy to sign into Spotify with your Facebook credentials, but it also creates a huge security risk. The more accounts you have linked together, the easier it is for hackers to move between them.
- Finally, review your app permissions from time to time. You'll probably notice that some apps ask for permissions that they really shouldn't get. For example, a silly game may ask for access to your contacts. If in doubt, don't grant the permission.
Looking toward the future
In the end, the alleged Bezos hack might actually end up being useful. Smartphones are hacked every day, but this reveals just how easily it can happen to even supposedly well-protected individuals.
If the incident raises awareness of the importance of good security practices, it will have had a positive outcome for consumers, if not for Bezos.
As we've shown, it's also worth looking behind the headlines. Many people focused on WhatsApp after the news broke of the alleged hack.
Although Facebook can certainly make its WhatsApp service more secure, and perhaps should prioritize that over the introduction of a dark mode, in truth WhatsApp and Facebook are no more to blame for this than any other company. We should avoid making WhatsApp a scapegoat for the security issues that affect smartphones as a whole.
Ultimately, the most important lesson the hack can teach us is that when we are online, we shouldn't trust anyone — even if that person is a prince.