An analysis by private investigators, which formed the basis of a forthcoming United Nations report, says the phone of Jeff Bezos, the world’s richest man, was hacked after receiving a WhatsApp message sent by the Crown Prince of Saudi Arabia, Mohammed bin Salman. Since the revelation of this extraordinary hack, many users have been wondering about the security of their own phones.
- How was Jeff Bezos’ phone hacked?
That remains largely unknown. Investigators commissioned by Jeff Bezos observed that the phone sent very large amounts of data just after the American billionaire received a video message sent by the Saudi crown prince. But the investigators failed to locate spyware on the phone, which may have self-destructed or escaped analysis – the researchers were not able to examine the phone fully. It is therefore unclear exactly how the data was extracted. And although the investigators say they are very confident that the hack is directly linked to this video, they do not have, as is often the case in this type of investigation, irrefutable evidence. As for Saudi Arabia, it denies any role in this hacking.
The suspicions of the investigators and of part of the computer security community focus on one particular piece of software: Pegasus, a powerful spyware system designed by the Israeli company NSO Group. Several uses of it by the Saudi services have been documented in the past, including against relatives of Jamal Khashoggi, the journalist for the Washington Post (owned by Jeff Bezos) who was murdered at the Saudi Arabian consulate in Istanbul in 2018.
- Can my phone be hacked just by sending me a video?
It is technically possible, but for the overwhelming majority of the population, the answer is no. Spyware like Pegasus takes advantage of so-called zero-day security vulnerabilities – vulnerabilities that have not yet been discovered by software developers. These flaws, relatively rare and often complex to exploit, are sold to companies specializing in more or less legal hacking, like NSO Group, which use them until they are made public and corrected.
It is therefore possible that spyware capable of hacking a phone by simply sending a video exists today, but if that is the case, its use is very expensive and is reserved for intelligence services or for very specialized companies. These technologies are, for example, beyond the reach of a jealous ex-spouse or an unscrupulous employer. They are, however, among the tools that can target lawyers, journalists, political opponents or human rights activists in a totalitarian country.
- Does this case mean that WhatsApp is not secure?
Without the full technical details of how Jeff Bezos’ phone was hacked, it is not known whether the flaw used has since been corrected. In May 2019, WhatsApp announced that it had corrected a major security flaw affecting the handling of audio calls, which had been exploited by NSO Group for hacks. Another flaw, which affected the sending of MP4 files, was corrected at the end of 2019. The company announced in October that it had filed a complaint against NSO Group.
The WhatsApp application, owned by Facebook, is considered to be adequately secure; apart from the discovery of specific vulnerabilities, which can exist in any software, the messaging service meets conventional security standards.
- Are there any special precautions to be observed to avoid being hacked?
While the hacking of Jeff Bezos’ phone is out of the ordinary in its level of sophistication and in the alleged involvement of a member of the Saudi royal family, other much more basic tools can be used to spy on a phone, and are within reach of “everyday” actors (spouses, employers, private detectives, etc.).
Most “accessible” spyware requires physical access to the victim’s phone: the hacker installs an application that hides itself on the device and regularly sends data – sometimes in real time – to the hacker. Classic prevention measures include not leaving your phone unattended and using a complex lock code or a biometric lock (fingerprint, Face ID, etc.).
In messaging apps or by e-mail, it is recommended to be careful before opening a link that is sent to you by an unknown correspondent or that arouses your suspicion; spyware, and also many scams, work by tricking you into opening a web page that contains malicious software. Other booby-trapped links take you to a site that looks like a “legitimate” website (bank, Google or Facebook account …) but which is actually controlled by a hacker.
In case of doubt, it is recommended to check, on Android, that the option “Allow unknown sources” (generally in the “Settings” menu, “Security” section) is deactivated; most spyware requires this option to be enabled in order to be installed. But this is not an absolute guarantee against hacking.
- Is an iPhone safer than an Android?
The question comes up regularly: yes, in general, iPhones offer better protection than Android phones. This is partly because the app store is managed more carefully, and also because the security settings are standardized and set at a high level on iOS, while they can vary from one version of Android to another. Mobile operators and manufacturers also do not all roll out with the same speed the Android updates that fix identified vulnerabilities. The use of an iPhone is not, however, an absolute guarantee, especially when the hacker has considerable technical and financial means – it is an iPhone that Jeff Bezos was using at the time of the hacking.
For Android users, it is strongly recommended to install security updates as soon as they are available and, when buying, to choose a phone with the latest version of the operating system (Android 10 currently). More generally, whether you’re using an iPhone or an Android phone, it’s very strongly recommended that you apply application updates as soon as they are offered – they often contain important security updates.