Jan 24, 2020

The Bezos hack's shockwaves

Illustration: Eniola Odetunde/Axios

If Jeff Bezos' phone can be hacked, anyone's can.

Driving the news: Reports emerged this week alleging that Jeff Bezos' iPhone was compromised in 2018 after the Amazon founder and Washington Post owner received a video file in a WhatsApp message sent by Saudi crown prince Mohammed bin Salman (MBS). The news sent tremors through Washington and Silicon Valley.

What happened: According to a forensic report that Bezos commissioned and that informed a statement from U.N. human rights officials, his phone began transmitting large quantities of data soon after he received the message from MBS.

  • Months later, the billionaire's private messages and photos turned up in the hands of the National Enquirer, which then, according to a statement Bezos published, tried to blackmail him.
  • Saudi Arabia has denied any role in hacking Bezos' phone and disputes any involvement by MBS.

Of note: The hack came just months before the killing of journalist Jamal Khashoggi, whose sharp criticisms of the Saudi government ran in Bezos' Washington Post. The CIA concluded that MBS ordered Khashoggi's death.

  • Some security experts are questioning the thoroughness of the forensic report's work and its attribution of the attack to MBS, per CyberScoop.

Our thought bubble: Bezos isn't a clueless newbie — he's been online since Amazon opened its website 25 years ago.

  • It's not even clear from the forensic report whether he ever clicked on the video.

Background:

  • The 2014 Sony Pictures hack exposed the vulnerability of companies to having all their emails and files dumped on the open internet.
  • The 2016 hacks of the DNC and the Clinton campaign exposed the similar vulnerability of political organizations.
  • Now, it's dawning on executives, managers, and everyday people that, if the richest person on the planet — who is also a veteran technologist — can't protect himself and his data, everyone is vulnerable.

Between the lines: It's one thing to think of cyber-attacks as devious operations against factories and power plants or spammy barrages of suspicious come-ons. In the world the Bezos/MBS caper shows us, the most commonplace and mundane communications are becoming weaponized.

Yes, but: Most of us aren't billionaires and aren't receiving texts from Saudi princes. If we're not as important as Bezos, maybe we won't be targeted.

  • That thinking represents one version of what experts call "security through obscurity" — and it makes sense, up to a point.
  • The comfort it offers, though, is hardly reliable, and only applies while the tools for targeting individuals remain costly. Most software gets cheaper over time.

Winners: Nobody.

Losers:

  • WhatsApp, the service owned by Facebook. WhatsApp originated as a privacy-oriented, fully encrypted messaging channel, and it was initially embraced by activists and dissidents. But it's not looking very secure right now.
  • NSO Group, the Israel-based security firm whose Pegasus tool is cited by the forensic report as the most likely culprit in the Bezos hacking. Saudi Arabia is widely believed to have used NSO software to spy on Khashoggi and other critics, and Facebook has sued the company for its role in hacking hundreds of people's phones through WhatsApp. NSO, which has tried to pivot toward human rights over the last year, "unequivocally" denies its software played any role.
  • The Saudis, who may find a lot of their messages sitting unread in recipients' inboxes.
  • Friends of the Saudis, including Jared Kushner, who is widely reported to be WhatsApp pals with MBS, and President Trump, whose casual approach to smartphone security has troubled security experts going back to the administration's early days.

The bottom line: For business and government leaders realizing that their counterparts can hack their phones, it's not just their own data that's at risk. Everyone they communicate with needs to worry now, too — and the idea that it's even possible to have a private "high-level conversation" over the internet looks quaint.

Go deeper: The hack heard round the world (Pro Rata podcast)

Go deeper

Apple's closed security model is great until it isn't

Photo: Alex Tai/SOPA Images/LightRocket via Getty Images

Last week's report that Jeff Bezos' iPhone was allegedly hacked via a WhatsApp message from Saudi Crown Prince Mohammed bin Salman discomfited a lot of Apple customers who long believed that one of the features of their high-priced phones was invulnerability.

The big picture: The flaw in this case was in WhatsApp, not the iPhone itself. But the larger lesson is that in a networked world full of incentives for digital mischief, there's no such thing as perfect security — only varying degrees of relative risk.
