Open Sourced logo

A new investigation suggests that the hacking of Amazon CEO Jeff Bezos’s phone stems from a WhatsApp account linked to Saudi Arabia’s Crown Prince Mohammed bin Salman and one seemingly innocuous video file. The alleged hack shows that security online is never guaranteed, even on this very popular Facebook-owned encrypted messaging app. And that’s something to keep in mind even if you aren’t a billionaire.

How Jeff Bezos allegedly got hacked, explained

First reported by the Guardian and the Financial Times, the investigation found that an iPhone X belonging to Bezos was hacked after it received a video file in a WhatsApp message in May 2018. The business advisory firm FTI Consulting, which conducted the investigation, claims with “medium to high confidence” that the video file came from a WhatsApp account belonging to Mohammed bin Salman, also known as MBS.

According to a copy of the full report, compiled by FTI and obtained by Vice, the video itself could not be studied due to WhatsApp’s encryption feature, so it remains unclear if it contained malware. Nevertheless, investigators observed that, shortly after the video was sent, abnormally large amounts of data were exfiltrated from the phone. (Data exfiltration occurs when a malicious actor transfers data off of a device, usually without the owner’s knowledge.) This exfiltration continued at a high rate for several months.

The video was sent to Bezos, who owns the Washington Post, at the same time as the Saudi government was, according to the report, “very concerned” about Washington Post columnist Jamal Khashoggi. Khashoggi was murdered in October 2018. CIA officials later concluded that the killing took place with MBS’s approval, an allegation the Saudi prince has denied.

Meanwhile, suspicions that the Saudi government had hacked Bezos’s phone began in February 2019, after the National Enquirer reported that Bezos was having an extramarital affair. That report appeared to rely on information that could only have been obtained through Bezos’s phone. Bezos’s security team hired FTI Consulting to investigate his phone shortly after. (The National Enquirer claims its information came from Bezos’s girlfriend’s brother and that the Saudi government was not involved.)

Further adding to the evidence that MBS hacked Bezos’s phone: A few days after Bezos was told on the phone that he may have been hacked by the Saudi government, MBS sent him a message over WhatsApp saying (all sic): “Jeff all what you hear or told to it’s not true and it’s matter of time tell you know the truth, there is nothing against you or amazon from me or Saudi Arabia.”

The release of the FTI report also caught the attention of two United Nations Human rights experts, who called for further investigation into allegations that MBS hacked into Bezos’s phone. Meanwhile, the potential link between the phone hacking and Khashoggi’s murder does not appear to be lost on Bezos, who tweeted this the day after the FTI report emerged:

MBS allegedly uses WhatsApp to communicate with many high-profile figures, including Boris Johnson, Richard Branson, and President Trump’s son-in-law Jared Kushner. One Silicon Valley executive told Recode that other leaders and executives in the tech industry are worried about undiscovered attacks. After all, MBS met with several of them — including Sergey Brin, Tim Cook, and Peter Thiel — when he visited the region in April 2018.

If it happened to Bezos, it could happen to you — so here’s what you should keep in mind

It’s easy to dismiss this maze of revelations involving Bezos and MBS as just another high-profile hack. What’s notable here, however, is that the hacking happened within WhatsApp, a service that promotes itself as the safe option for people who are concerned that their messages will be intercepted by hackers. WhatsApp even says in its FAQ, “Privacy and security is in our DNA.” (WhatsApp did not respond to a request for comment.)

Thanks in part to this promise of privacy and security, WhatsApp is one of the most popular apps in the world, with about 1.5 billion active users worldwide as of February 2018. Its primary security feature is end-to-end encryption, which means messages can only be seen by the sender and receiver while they’re in transit — anyone who intercepts them will receive an unreadable encrypted file. Not even WhatsApp can read users’ messages.

However, this added layer of protection should not be confused with absolute security, as the Bezos hack shows. Assuming the report’s conclusions are correct, the end-to-end encryption worked just fine: FTI was unable to decrypt the file apparently sent by the account linked to MBS. But good encryption didn’t prevent Bezos’s phone from sending gigabytes worth of data to a malicious actor for weeks after the video file was sent.

It’s worth pointing out that a default setting in WhatsApp allowed Bezos’s phone to download the video file — and any malware therein — automatically. You can opt out of this feature to help protect against something like this happening to you.

As alarming as the Bezos hacking story seems, WhatsApp users concerned about security might not want to delete the app just yet. Even with WhatsApp’s checkered history, several security experts told Recode they don’t think the app is particularly problematic.

“This is not indicative of a vulnerability in WhatsApp,” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, said. “There is nothing they can do when a trusted contact sends you a carefully crafted malicious link.”

Maya Levine, a security engineer at cybersecurity company Check Point, said it’s not so much that WhatsApp is especially flawed. The Facebook-owned app is simply an attractive target, which makes its vulnerabilities much more likely to be exposed.

“It’s encrypted messages, so you can get a lot of information if you are able to hack WhatsApp successfully,” Levine said. “WhatsApp is probably the most popular encrypted messaging app worldwide and because of that, it’s maybe targeted a little bit more by hackers. But I wouldn’t say it’s less secure.”

The best takeaway for the average person is not to be lulled into a false sense of security and assume they’ll be left alone because they aren’t a typical hacker target, said Paul Ducklin, principal research scientist at cybersecurity firm Sophos. Even apps packed with privacy features, he added, aren’t completely safe.

“Unfortunately, when it comes to cybercriminality these days, nobody’s immune and no software that you use is likely to be 100 percent free of bugs,” Ducklin said. “Sometimes people get a program like WhatsApp or any of its many competitors, and once they find out it’s got all this encryption, they assume that encryption means that the message is secure forever hereafter, when the encryption is about securing the content while it’s going between you and the other person. It’s important not to hear about a technology and assume that it protects you more than it does.”

And while nothing is foolproof, there are some things you can do to minimize your risk.

“Keep up to date on your updates,” Levine said, “both on your phone’s operating system itself and your apps.” Updates will contain security patches that fix flaws and vulnerabilities, and often roll out soon after they are discovered.

Despite WhatsApp’s security issues — and WhatsApp is hardly the only encrypted messaging app to have this problem — Galperin doesn’t think users should abandon it. Last May, she wrote about a different WhatsApp vulnerability and recommended that people continue to use end-to-end encrypted messaging apps, which she said are one of “the most effective ways to protect the contents of your messages,” at least for “most people most of the time.”

Ducklin, meanwhile, said the best way to prevent sensitive information from being taken from your phone is the time-honored method of not putting it there in the first place. That, and thinking twice about what you’re sharing and who you’re sharing it with.

“Sometimes, the best way to avoid that problem is simply to go, ‘Okay, I’m going to share less information,’ or, ‘I’m not going to share this particular photograph,’ or, ‘I’m not going to talk about secret personal stuff on this channel. Maybe I’ll wait until I meet up with this person face to face,’” Ducklin said. “Modulating your own behavior a little bit is often a lot better than fretting about which of many potentially equal apps you’re using to communicate.”

Bezos may be a unique and desirable hacking target, but the dangers of putting all your trust in an app — even a reasonably secure one — apply to everyone.

“The app can’t save you from yourself,” Ducklin said.

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.