This weekend, an investigator working to uncover how details of Jeff Bezos’s personal life found their way to the National Enquirer made a startling allegation: Hackers tied to Saudi Arabia had gained access to the Amazon CEO’s phone.
“Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’s phone and gained private information,” investigator Gavin De Becker wrote in the Daily Beast. “As of today, it is unclear to what degree, if any, [Enquirer publisher American Media Inc.] was aware of the details.”
In a statement, American Media strenuously denied that the Saudis played any role in getting information about Bezos’s affair with newscaster Lauren Sanchez, saying all information came from Sanchez’s brother Michael. “There was no involvement by any other third party whatsoever,” according to the company.
And it did raise some questions. Was it really possible that the tech-savvy, security-conscious, richest man in the world could have had his personal cell phone hacked? After all, he can afford to wall off every one of his selfies and texts behind multiple layers of encryption.
But whatever ultimately became of any data allegedly extracted by the Saudis, security experts contacted by Fast Company say there’s little doubt that Saudi-tied hackers have the technical ability to penetrate Bezos’s phone, and that the regime has recently demonstrated its determination to use hacking for espionage purposes.
“Would the Saudis use hacking like that?” says James Lewis, director of the Technology Policy Program at the Center for Strategic and International Studies. “The answer is yes, without a doubt.”
Saudi Arabia quickly beefed up its digital offense and defense capabilities after a massive cyberattack that struck state-owned oil giant Saudi Aramco around 2012, Lewis says, largely by importing hacking tools and techniques from overseas vendors. The nation has since been accused of using sophisticated hacking tools to spy on dissidents, including slain journalist Jamal Khashoggi, and automated accounts spreading pro-Saudi messages have been found on Twitter, which removed them from the platform.
According to De Becker, “The Saudi government has been intent on harming Jeff Bezos since last October,” due to the Bezos-owned Washington Post’s coverage of the regime’s role in the death of Khashoggi, a Post contributor who was killed in the Saudi consulate in Istanbul that month.
Controversial Israeli firm denies any role
Smartphones, with their microphones, cameras, and troves of personal data, are a natural target for spies looking to monitor targets, says Mike Fong, founder and CEO of the Chandler, Arizona, security firm Privoro.
“Most very sensitive information is spoken well before it’s reduced to writing,” he says. “If you can have an ear or an eye in the room when that’s being discussed, obviously this can create enormous strategic advantage.”
And for deep-pocketed spy agencies able to buy spyware and undocumented security exploits on the black market, it can sometimes be very difficult for even sophisticated victims to resist or even detect hack attempts, he says.
“If you’re really dealing with a sophisticated threat actor, you really can’t keep people out, and often you’ll never even know it,” Fong says.
Saudi Arabia reportedly has worked with NSO Group, a controversial Herzliya, Israel-based company that offers phone-hacking tools it says can help governments track criminals and terrorists, though critics allege it can also be used to track political dissidents. Canada-based Saudi dissident Omar Abdelaziz filed a lawsuit in December claiming that NSO’s software, dubbed Pegasus, was used to track his communications with Khashoggi.
The company has strongly denied that its software was used to spy on Bezos.
“We can say unequivocally that our technology was not used in this instance,” a spokesperson said in a statement emailed to Fast Company. “We know this because our software cannot be used on U.S. phone numbers. Our technology, which is only licensed to prevent or investigate crime and terror, was not used by any of our customers to target Mr. Bezos’s phone.”
Researchers have in the past questioned the extent of the restriction on U.S. numbers: John Scott-Railton, a researcher with University of Toronto-based digital watchdog Citizen Lab, told Fast Company that in 2016, researchers infected a phone located in the United States with Pegasus. Citizen Lab reported that wherever a particular link was clicked, it would trigger a Pegasus infection.
Bill Marczak, a senior research fellow at Citizen Lab, added that if there is a restriction on U.S. phones, users could still infect someone’s device by sending the user a link through media other than a telephone number, like an attack on the target’s network or a malicious link in an email.
Citizen Lab, which has studied NSO for years, reported in September that cross-border targeting with Pegasus is “relatively common.”
“We have identified several possible Pegasus customers not linked to the United States, but with infections in U.S. IP space,” Citizen Lab researchers wrote in a report. “While some of these infections may reflect usage of out-of-country VPN or satellite Internet service by targets, it is possible that several countries may be actively violating United States law by penetrating devices located within the U.S.”
At the time, NSO issued a statement citing “multiple problems” with Citizen Lab’s research and also denying any spyware activity in the U.S.
Zero-day exploits sell for more than $1 million
But even without NSO software, experts say Saudi hackers could still have gained access to Bezos’s phone, potentially using a phishing message linking to or embedded with an undisclosed, or zero-day, exploit circumventing the phone’s defenses. Such exploits have been for sale on the black market at prices out of reach for many run-of-the-mill fraudsters, but well within the budget of determined spy agencies.
“From an exploit perspective, the zero days for mobile devices are selling sometimes for more than $1 million, especially if you consider an iOS exploit or an iOS jailbreak,” says Domingo Guerra, senior director of modern OS security at Symantec.
Anti-malware tools won’t always spot these novel exploits, and malware can be designed to hide its activity amid normal phone behavior, he says.
High-profile targets like Bezos can take some steps to avoid government-backed hackers, like using temporary burner phones when traveling overseas or replacing or wiping devices they worry are compromised, says Michael Murray, chief security officer at mobile security firm Lookout. But ultimately, their smartphone security resources aren’t that different from those available to the rest of us, he says.
“For the most part they’re in the same boat as everybody else,” he says. “There’s no secret sauce you can put on an iPhone that the rest of the world doesn’t have access to.”
D.J. Pangburn contributed to this report.
Correction: An earlier version wrongly attributed to John Scott-Railton a statement by Bill Marczak.