Explainer: Bezos allegations put phone hacking
technology in the spotlight
Send a link to a friend
[January 25, 2020] By
WASHINGTON (Reuters) - Allegations that
Amazon.com boss and Washington Post owner Jeff Bezos had his phone
hacked by Saudi Crown Prince Mohammed bin Salman have put a spotlight on
the security of smartphones and the secretive tools used to hack them.
Smartphones are effectively pocket-sized computers that run apps on
operating systems such as Apple's iOS or Google's Android. Those devices
have enabled a new world of connectivity - unlimited free calls over
WhatsApp, for example, or an atlas worth of up-to-the-second maps from
Google - but also a parade of potential security problems.
Here is how smartphones can be hijacked and a look at the potential
consequences and the thriving market in surveillance vendors helping the
world's spies get access to people's secrets.
HOW IT WORKS
Smartphones operate through a collection of apps, sometimes scores of
them, running over an operating system, which in turn runs on a complex
piece of hardware embedded with receptors, lenses and sensors.
Each one carries potential flaws - sometimes called bugs - that can
cause a system to crash or behave unexpectedly when sent a rogue command
or a malicious file. Even small openings like that can allow hackers to
take control of a device. It is akin to illicitly lowering a coat hanger
through a tiny seam in the car door to unlock a vehicle.
Many developers work hard to ensure those seams stay sealed, but with
millions of lines of code to choose from, it is virtually impossible to
guarantee total safety.
"There is no software that is bugless," said Oded Vanunu, a researcher
with Israeli cybersecurity firm Checkpoint who often finds flaws in
popular messaging programs.
Once hackers are in, the possibilities are vast - and frightening.
Anyone with full control of a smartphone can turn it into a powerful
surveillance device, silently tracking users' locations while quietly
copying their emails, instant messages, photos and more.
A 2015 technical document from NSO Group - one of the better known
spyware vendors - outlines the capability of its Pegasus spyware program
to monitor the smallest details of a target's life, throwing up alerts
if a target enters a certain area, for example, or if two targets meet,
or if a certain phone number is called.
[to top of second column]
Jeff Bezos, president and CEO of Amazon and owner of The Washington
Post, speaks at the Economic Club of Washington DC's "Milestone
Celebration Dinner" in Washington, U.S., September 13, 2018.
REUTERS/Joshua Roberts/File Photo
The document, made public as part of a lawsuit against NSO by communications
firm WhatsApp, shows how keystrokes can be logged, phone calls can be
intercepted and a feature dubbed "room tap" uses a phone's microphone to soak up
ambient sound wherever the device happens to be.
The document says the spyware can be installed by enticing targets to click
malicious links or rogue text messages, but spies particularly prize the quieter
"push message" installations that remotely and invisibly install themselves on
WHO IT TARGETS
NSO and other spyware vendors have long argued that their products are used
responsibly - only sold to governments for legitimate purposes. NSO has denied
any link to the alleged Bezos hack. Saudi officials dismiss allegations of their
involvement as absurd.
Years of investigative work from internet watchdog group Citizen Lab - which has
a well-documented record of exposing international cyber espionage campaigns -
and a drumbeat of court cases and leaked documents have called such assertions
as these of responsible use into question.
In October of last year messaging company WhatsApp sued NSO in California,
alleging that the spyware firm had taken advantage of a bug in the app's video
calling protocol to hack 1,400 users around the world in the period between
April 29 and May 10, 2019, alone.
Disclosures from other companies such as Italy's now-defunct Hacking Team and
the spyware company now known as FinSpy have also raised questions about the
business. Hacking Team's spyware was implicated in spying campaigns against
dissidents in Ethiopia and the Middle East, for example, while researchers have
recently found evidence that FinSpy's software was used in Turkey.
Both companies' tools work similarly to NSO’s — using flaws in smartphones to
subvert the devices entirely.
(Reporting by Raphael Satter; Editing by Howard Goller)
[© 2020 Thomson Reuters. All rights
Copyright 2020 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
Thompson Reuters is solely responsible for this content.