- A U.N. report, based on research commissioned by Amazon CEO Jeff Bezos, paints a complicated picture of how the Saudi government allegedly hacked his phone using software from NSO Group.
- The Saudis and NSO Group deny the allegations, but software like this does exist and is sometimes used against politically controversial and powerful figures.
- Here's how to protect yourself.
The report, which is based on research Bezos commissioned, alleges that Saudi Crown Prince Mohammed bin Salman may have personally been involved in a complex hacking campaign against Bezos, which started with a friendly dinner and exchange of phone numbers between the two in 2018.
The report shows how outsiders can monitor seemingly private phone messages. However, while tools like those described in the report exist, they are costly and rarely used against normal citizens. Moreover, it's worth keeping in mind that Bezos himself commissioned the report and there may be alternative explanations for how information about his personal life leaked.
According to the allegations, Bezos' phone was hacked using malicious software delivered in a WhatsApp message that came directly from Crown Prince Mohammed's phone in November 2018. The two of them had met and exchanged phone numbers in the spring of that year.
In November of 2018, Bezos allegedly received a text from Crown Prince Mohammed's WhatsApp number again, this time with a picture of a woman resembling Sanchez "months before the Bezos affair was known publicly," according to the report. Bezos would later preempt a National Enquirer story on the affair in a post on Medium, which also was the first time he mentioned a possible connection between the hack and Saudi Arabia.
The Saudis apparently targeted Bezos because he owns The Washington Post, which published work from Jamal Khashoggi, a Saudi dissident. Saudi agents murdered Khashoggi in the Saudi consulate in Istanbul in October 2018 at the direction of the crown prince, according to the CIA. After initial denials, the Saudis have acknowledged the murder and sentenced several people to death for it, but denied that Crown Prince Mohammed knew about it.
The report says the hack used the software of an Israeli company called NSO Group, which sells a software platform known as Pegasus. This platform allows governments to access internet-connected devices.
The company says it only sells its products to government agencies pursuing information from the devices of criminals and terrorists. Human rights activists, however, have said the software is used much more widely and to target attorneys, journalists and dissidents who oppose various governments that have contracted with NSO Group, an allegation put forth in the report today.
NSO Group has denied its software was involved.
"As we stated unequivocally in April 2019 to the same false assertion, our technology was not used in this instance. We know this because of how our software works and our technology cannot be used on U.S. phone numbers. Our products are only used to investigate terror and serious crime. Any suggestion that NSO is involved is defamatory and the company will take legal counsel to address this."
Saudi Arabia has called the allegations "absurd" and has also characterized the killing of Khashoggi as a "rogue operation."
NSO Group isn't the only company that makes this type of software. There are numerous other companies that have used differing versions of malicious code, delivered via text or call. These programs let outsiders compromise mobile devices by sending errant information through loopholes in these communication programs.
In some cases, respondents don't even need to answer the call or text in order for the phone to be compromised. Once the phone is compromised, the attackers can download a wide array of information from it. This seems to be what happened in the case of Bezos' phone, as subsequent messages suggested that Crown Prince Mohammed was aware of Bezos' affair and impending divorce, according to the U.N. report.
While real, these types of hacks are exceedingly rare. The software required to carry them out is extremely costly, and companies such as Facebook, which owns WhatsApp, and Apple are usually quick to patch the holes that these programs exploit.
These types of hacks have targeted attorneys and other professionals representing controversial figures, however. Anyone in a position connected to politically controversial figures — including bankers, accountants, political advisors, speechwriters and so on — should be concerned about having their communications monitored in this way.
If you're in this boat, make sure you routinely update your phone and all its software, especially with all security-related updates, and consider consulting with a cybersecurity expert who can help you tailor a security plan. Share your phone number very selectively only with people who absolutely need it, and consider conducting private or sensitive business on a device that's separate from your day-to-day phone.
But for most of us, these types of hacks are a very remote concern and easily remedied by updating messaging software on a regular schedule.
It's worth keeping in mind that the report may not tell the whole story.
While sophisticated tools and hacking methods like those described in the U.N.'s letter today do exist, so do programs that can spoof phone numbers and device ownership, as well as a wide range of programs that can make it appear quite convincingly that information is being sent from an individual's device or location when it is not.
There are other possible alternative explanations for what happened. Some other entity could have spoofed Crown Prince Mohammed's credentials, or Bezos' information could have leaked in more ways than a single hack. For instance, The Wall Street Journal reported last March that Sanchez's brother sent incriminating pictures from her phone to the National Enquirer.
It's also worth keeping in mind that Bezos commissioned the investigation. The report spins a very complex story of a vast technological conspiracy against him and bolsters previous claims of Saudi involvement from an investigator he hired, Gavin de Becker. An investigation independent of either Bezos or the Saudis, which the U.N. has called for, would hopefully include a completely objective view of the timeline and facts presented in today's report.