Amid reports that Amazon CEO Jeff Bezos’s phone was allegedly hacked by Saudi Arabia — with the direct involvement of Crown Prince Mohammad Bin Salman via the popular chat app WhatsApp — some users may be wondering: Can I be hacked the same way?
Investigators have “medium to high confidence” that Bezos’s device was compromised after the chief executive received a mysterious video file from Bin Salman, also known as “MBS,” via WhatsApp, according to a report from FTI Consulting, a firm that has investigated Bezos’s phone. After that file was received, Bezos’s phone started sending unusually large amounts of outbound data. Around six months later, Bin Salman sent Bezos messages that suggested he had knowledge of the CEO’s then-secret affair with Lauren Sanchez, details of which became public in January of last year. The report, first published by Motherboard, concludes that gigabytes of photos, text messages, and perhaps audio recordings made using Bezos’s iPhone microphone may have been sent to whoever conducted the attack.
So is it time to delete WhatsApp, a popular chat app used by at least 1.5 billion people worldwide? Probably not, if you’re worried about this specific incident.
Some in the forensics community have taken issue with FTI’s report, claiming it leaves important questions unanswered. Chris Sanders, a network security instructor and expert in a tool used by FTI during its investigation, says the evidence laid out in the report fails to credibly support its conclusion.
“The report didn’t express that the forensic examiners found any malware on the system, didn’t identify any concrete malicious communication, and didn’t find any malicious code in the video,” Sanders says. He also notes that the report didn’t specify which app was responsible for the iPhone’s surge in outbound data transmissions. “The iPhone tracks the volume of outbound data per application,” he says. “However, the report doesn’t identify the application associated with this outbound data. Why?”
Former Facebook CISO Alex Stamos has also questioned how FTI came to its conclusion. He called for a more thorough investigation of Bezos’ iPhone to better understand what happened. “The idea that this report is the furthest you can go with access to the phone is wrong,” tweeted Stamos. “The circumstantial evidence is reasonably compelling, but since this is a major national security issue now more eyes need to be on the evidence.”
“All FTI Consulting client work is confidential,” an FTI spokesperson said. “We do not comment on, confirm or deny client engagements or potential engagements.” WhatsApp, which was acquired by Facebook in 2014, has not responded to TIME’s request for comment.
That said, security experts say that, if accurate, the Bezos report suggests the existence of a particularly nasty flaw in WhatsApp, at least at the time of the incident. “If you want to use WhatsApp … and there is a bug in, say, the video player? Boy, you’re already hosed,” says Carl Livitt, principal researcher at cybersecurity firm Bishop Fox. While it’s generally a good idea to avoid opening mysterious files, FTI’s report doesn’t mention Bezos or the investigators actually opening or playing the suspicious video that seems to have led to the data breach. That means it’s possible that, with this exploit, “you literally don’t need to do anything except open WhatsApp for it to be triggered, it requires no user intervention,” Livitt says.
Still, orchestrating an attack like this would cost millions of dollars, according to Livitt. That should put everyday WhatsApp users at ease. “For your average consumer, that’s not really much of a problem because you have to be pretty darn important for a nation-state to exercise that level of effort to target you,” Livitt says. But there could be a risk to people like business leaders, dissidents and others who might be targeted by state actors.
Livitt adds that there’s a silver lining in the Bezos incident: it has likely gotten lots of people to think twice about their cybersecurity practices. “I would be very surprised if a lot of high-profile business leaders have not looked at the Bezos incident and are right now speaking to their security experts, asking them the questions you’re asking me: What do we do to prevent this?” Livitt believes Bezos’s security hygiene could be improved by simply carrying a second phone, making his primary device less of an attractive target. “We tend to advise going away from these technological fixes and maintaining a separation of duty for the devices that you use.”
Moreover, monitoring the traffic your phone is sending and receiving can help you notice anything that may be amiss. For monitoring your smartphone’s memory use or network activity, apps like Omnistat 2 and System Panel 2 can reveal those details and provide real-time updates, along with widget support to keep that data easily accessible. You can take other steps, too. “Updating your OS, reviewing what data apps access by going into their security and privacy settings, these are excellent things to do to make sure you understand what they’re accessing,” says Carnegie Mellon Professor Yuvraj Agarwal, who recommends both increased awareness on the part of consumers when it comes to data sharing, as well as a stronger, more privacy-centric approach on the part of developers.
“The platforms themselves, I think are fairly robust, in my opinion,” says Agarwal, who’s turned his research into Internet-of-Things security and data privacy into a proof-of-concept tool designed to provide real-time feedback on potential privacy issues to developers during the coding process. “Over the past few years they have been adding more and more controls for letting those users know and decide whether they want to give access to certain data to these apps.” Apple and other companies’ work in detecting and fixing security exploits is helping, too. But, Agarwal says, there will likely always be bad actors searching for and finding new ways to infiltrate digital devices. “Ultimately, there’s money in it,” he says. “And if other people are buying these exploits, then there’ll be people and entities that are going to be looking for them.”