The Bezos hack's shockwaves
Illustration: Eniola Odetunde/Axios
If Jeff Bezos' phone can be hacked, anyone's can.
Driving the news: Reports emerged this week alleging that Jeff Bezos's iPhone was compromised in 2018 after the Amazon founder and Washington Post owner received a video file in a WhatsApp message sent by Saudi crown prince Mohammed bin Salam (MBS). The news sent tremors through Washington and Silicon Valley.
What happened: According to a forensic report Bezos commissioned and that informed a statement from U.N. human rights officials, soon after Bezos received the message from MBS his phone began transmitting large quantities of data.
- Months later, the billionaire's private messages and photos turned up in the hands of the National Enquirer, which then, according to a statement Bezos published, tried to blackmail him.
- Saudi Arabia has denied any role in hacking Bezos' phone and disputes any involvement by MBS.
Of note: The hack came just months before the killing of journalist Jamal Khashoggi, whose sharp criticisms of the Saudi government ran in Bezos' Washington Post. The CIA concluded that MBS ordered Khashoggi's death.
- Some security experts are questioning the thoroughness of the forensic report's work and its attribution of the attack to MBS, per CyberScoop.
Our thought bubble: Bezos isn't a clueless newbie — he's been online since Amazon opened its website 25 years ago.
- It's not even clear from the forensic report whether he ever clicked on the video.
- The 2014 Sony Pictures hack exposed the vulnerability of companies to having all their emails and files dumped on the open internet.
- The 2016 hacks of the DNC and the Clinton campaign exposed the similar vulnerability of political organizations.
- Now, it's dawning on executives, managers, and everyday people that, if the richest person on the planet — who is also a veteran technologist — can't protect himself and his data, everyone is vulnerable.
Between the lines: It's one thing to think of cyber-attacks as devious operations against factories and power plants or spammy barrages of suspicious come-ons. In the world the Bezos/MBS caper shows us, the most commonplace and mundane communications are becoming weaponized.
Yes, but: Most of us aren't billionaires and aren't receiving texts from Saudi princes. If we're not as important as Bezos, maybe we won't be targeted.
- That thinking represents one version of what experts call "security through obscurity" — and it makes sense, up to a point.
- The comfort it offers, though, is hardly reliable, and only applies while the tools for targeting individuals remain costly. Most software gets cheaper over time.
- WhatsApp, the service owned by Facebook. WhatsApp originated as a privacy-oriented, fully encrypted messaging channel, and it was initially embraced by activists and dissidents. But it's not looking very secure right now.
- NSO Group, the Israel-based security firm whose Pegasus tool is cited by the forensic report as the most likely culprit in the Bezos hacking. Saudi Arabia is widely believed to have used NSO software to spy on Khashoggi and other critics, and Facebook has sued the company for its role in hacking hundreds of people's phones through WhatsApp. NSO, which has tried to pivot toward human rights over the last year, "unequivocally" denies its software played any role.
- The Saudis, who may find a lot of their messages sitting unread in recipients' inboxes.
- Friends of the Saudis, including Jared Kushner, who is widely reported to be WhatsApp pals with MBS, and President Trump, whose casual approach to smartphone security has troubled security experts going back to the administration's early days.
The bottom line: For business and government leaders realizing that their counterparts can hack their phones, it's not just their own data that's at risk. Everyone they communicate with needs to worry now, too — and the idea that it's even possible to have a private "high-level conversation" over the internet looks quaint.
Go deeper: The hack heard round the world (Pro Rata podcast)