Anyone can be a target of a Jeff Bezos-level data hack. Here’s how to keep your phone protected.

In January, the world was surprised when the news broke that Amazon CEO Jeff Bezos had his phone hacked by the Crown Prince of Saudi Arabia, Mohammed bin Salman. But people are still buzzing about it because the idea that a corporate executive would be the target of a government is a perfectly legitimate, albeit shocking, concept.

What happened with Bezos is that the Saudi royal family member, whom everyone calls MbS, supposedly sent a booby-trapped video to Bezos via a WhatsApp message on May 1, 2018. The two men had met at a small dinner in April 2018, exchanged phone numbers, and four weeks later, Bezos received a 4.22 MB video through WhatsApp. The video allegedly exploited a WhatsApp bug to download and install malware on Bezos’ personal iPhone, which then exfiltrated data from it. Why would this have happened? Well, the Amazon CEO is the owner of The Washington Post, the newspaper that employed Jamal Khashoggi, who was murdered by Saudi agents later in 2018. 

Always stay alert to potential security attacks on mobile devices

No one ever knows who is trying to spy on a company, or what information they’re seeking. So it’s always necessary to stay on guard and protect your company’s secrets and the privacy of your executives. While you’re at it, protect yourself as well.

Aaron Turner, president and chief security officer of Highside, a distributed identity and secure collaboration technology company, said hardened Android devices are preferred over iOS devices, because iOS devices rely on a single-point-of-failure security model and don’t allow users to select which encryption roots their device trusts. 

Turner explained, “In our own research we have shown that it is conceivable that the roots of trust pre-installed in all iOS devices can be a very fertile ground for attacking mobile devices in the way that the FTI Consulting report outlined. It is also very convenient that Apple does not allow for third-party monitoring of their devices or operating systems, allowing attackers to completely remove any forensic evidence by merely forcing a shutdown of the device, with nearly all evidence destroyed once it is finished rebooting.”

But you can’t stop some cyberattacks from happening. “Unfortunately, in the case of zero-day exploits like the ones that were probably used in the Bezos case, even the best threat defense tools cannot protect users from that class of attacks. We have worked with several organizations to build programs to protect executives from these types of attacks, but they require resources and operational discipline to be effective,” he said.

Turner said that anyone without a properly maintained mobile device, meaning security updates installed within three weeks of release, is at risk. First and foremost, get rid of WhatsApp on anyone’s phone at your company. Facebook is also a risky app to have on devices used within your company, given that it is monitoring and monetizing all data flowing through its platform.

If a suspicious file is received, leave it alone; don’t open it. “Verify with the other party that sent the file via another channel to investigate what the content of the file is. It doesn’t matter what file type (Excel spreadsheet, photo, video, whatever). If you didn’t expect to receive the content, then just move on,” Turner said.

Tips for a user who thinks their phone has been hacked

If you suspect your phone has been compromised, Turner offers these tips:

  • Contact the enterprise IT security team to let them know that all passwords and mobile application MFA tokens need to be reset
  • Take an inventory of all applications installed on the device
  • Perform a factory reset of the device
  • Ensure that all operating system updates are installed. If the device is incapable of installing the latest updates, purchase a new device.
  • Reset the OS-associated username and password (iCloud or Gmail) from another computer
  • Reset all of the passwords associated with the user IDs of the applications that were on the device  

What an IT department should do if an employee’s phone has been hacked

Harold Li, vice president of ExpressVPN, said, “It’s prudent for IT departments to assume this is an inevitability and act accordingly. Mitigation measures include minimizing sensitive data on devices, securing accounts with hardware multi-factor authentication, SIEM systems that are monitoring for anomalous activity, and of course staff education and training. Then, assuming the worst, IT departments should also have clear disaster recovery and business continuity plans in place.”

It’s also important to decommission and uninfect a phone before giving it back to any employee. This often involves a factory reset, said Ray Walsh, cybersecurity expert at ProPrivacy.com.

No one is safe from a cybersecurity attack

Overall, the Bezos hack drives home the message that everyone already should know – no one is invulnerable to a security attack. 

Walsh said, “The Jeff Bezos phone hacking incident highlights the susceptibility of mobile devices to attack and is a reminder that anybody can potentially be victimized no matter which device they use or how safe they think they are. The problem with this kind of attack is that the victim is caught unaware by the fact that it is one of their genuine contacts that is attacking them.”