The nasty spyware likely used to hack Jeff Bezos lets governments secretly access everything in your smartphone, from text messages to the microphone and cameras - here's how it works

Advertisement
The nasty spyware likely used to hack Jeff Bezos lets governments secretly access everything in your smartphone, from text messages to the microphone and cameras - here's how it works

Jeff Bezos

Getty

Amazon CEO Jeff Bezos.

Advertisement
  • Amazon CEO Jeff Bezos had his phone hacked, and the primary suspect for the hacking is Saudi Crown Prince Mohammed bin Salman.
  • A UN report published Wednesday concludes that Bezos' iPhone was likely hacked using a notorious tool named Pegasus, created by the NSO Group - a secretive firm from Israel that bills itself as a leader in cyberwarfare. Saudi Arabian officials have been repeatedly connected to Pegasus hacks, according to a new UN report.
  • Pegasus enables hackers to remotely access everything in an infected smartphone, from text messages to location data - and it's next to impossible to know whether your phone was infected without a professional analysis.
  • In the case of Bezos, hackers had access to his phone for "months," according to the UN report.
  • Visit Business Insider's homepage for more stories.

Amazon CEO Jeff Bezos had his phone hacked for months, and gigabytes of his private data were stolen, according to a newly published UN report.

The primary suspect in the hacking: Saudi Crown Prince Mohammed bin Salman, a man he was exchanging WhatsApp messages with.

The how of the hack, according to a UN report published Wednesday morning, is maybe the wildest detail: "A 2019 forensic analysis of Mr. Bezos' iPhone that assessed with 'medium to high confidence' that his phone was infiltrated on 1 May 2018 via an MP4 video file sent from a WhatsApp account utilized personally by Mohammed bin Salman, the Crown Prince of the Kingdom of Saudi Arabia."

According to the UN report published on Wednesday, Bezos' phone was likely hacked using a notorious tool named Pegasus, created by the NSO Group - a secretive firm from Israel that bills itself as a leader in cyberwarfare.

Advertisement

So, how does Pegasus work? And how did it get inside the phone of the richest man in the world?

{{}}

What is Pegasus?

What is Pegasus?

What Pegasus actually does is relatively simple: Once your smartphone is infected with Pegasus, the tool provides full access to it, remotely and discreetly.

That includes text messages, as well as your smartphone's camera and microphone. The spyware was created by an Israeli company, the NSO Group, and it's nothing new.

Pegasus was first discovered in 2016 when a man in the United Arab Emirates named Ahmed Mansoor was targeted with "suspicious text messages," John Scott-Railton, a senior researcher at The Citizen Lab at the University of Toronto's Munk School, told Business Insider in an interview last May.

The Citizen Lab is an academic research group that is credited as the first to identify a particularly malicious spying application named "Pegasus."

"Those text messages actually came bearing some suspicious links," he said. "We thought they looked pretty dicey, so my colleague Bill [Marczak] borrowed a colleague's iPhone, clicked on the links, and was able to successfully get the phone infected with what was then a mystery piece of spyware."

That "mystery" spyware was actually Pegasus, and Mansoor was being targeted — most likely because of his work as a human-rights advocate. Mansoor is serving a 10-year prison sentence in the UAE for publicly criticizing the government.

Here's a photo of the smartphone-hacking hardware NSO Group sells.

Here's a photo of the smartphone-hacking hardware NSO Group sells.

Business Insider's Becky Peterson snapped a photo of the hacking hardware sold by NSO Group at a security conference in Paris. Read more about the photo here.

Advertisement

How was Bezos' phone hacked?

How was Bezos' phone hacked?

According to the UN report, Jeff Bezos and Saudi Arabia's Crown Prince Mohammed bin Salman "exchanged phone/WhatsApp numbers the month before the alleged hack."

It's through this connection, the report says, that the hack was performed.

"A 2019 forensic analysis of Mr. Bezos' iPhone that assessed with 'medium to high confidence' that his phone was infiltrated on 1 May 2018 via an MP4 video file sent from a WhatsApp account utilized personally by Mohammed bin Salman," the report says.

In short: The report contends that Crown Prince Mohammed sent Bezos a video file that, regardless of him clicking on the file, enabled Pegasus to infiltrate Bezos' iPhone.

"Within hours of receipt of the MP4 video file from the Crown Prince's account," the report says, "massive and (for Bezos' phone) unprecedented exfiltration of data from the phone began."

The contents of the video isn't clear, but The New York Times described it as having, "an image of Saudi and Swedish flags overlaid with Arabic text."

How do you know whether your phone is infected with spyware like Pegasus? If the hackers are doing their job right, it's extremely difficult to find out.

How do you know whether your phone is infected with spyware like Pegasus? If the hackers are doing their job right, it's extremely difficult to find out.

If your phone is infected with spyware like Pegasus, it's extremely difficult to know — even if you're Jeff Bezos.

The phone probably won't start suddenly overheating or ripping through battery life. If that were the case, "then the people who did it have not done their jobs right," Scott-Railton said.

In fact, if you're not a cybersecurity researcher, it's nearly impossible to know.

"It's quite tricky because the software is of course designed to be hard to find," Scott-Railton said. "What we did in the first instance was we actually captured the network traffic going into the phone after the [link] was clicked, and that gave us the infection."

Unless you're monitoring the network traffic going into your smartphone and also are savvy enough to know what type of network traffic could demonstrate malicious behavior, it's unlikely that you'd catch spyware like Pegasus running on your device.

That's exactly how investigators identified that Bezos phone was hacked. "The forensic analysis found that ... massive and (for Bezos' phone) unprecedented exfiltration of data from the phone began, increasing data egress suddenly by 29,156 per cent to 126 MB," a statement from the UN said. "Data spiking then continued undetected over some months and at rates as much as 106,032,045 per cent (4.6 GB) higher than the pre-video data egress baseline for Mr. Bezos' phone of 430KB."

Advertisement

Who makes Pegasus? And how is it used?

Who makes Pegasus? And how is it used?

Pegasus is intended as a cyberweapon for use by international governments.

An Israeli company named NSO Group operates it, and the Israeli Ministry of Defense is said to regulate sales of the software outside Israel.

"We are selling Pegasus in order to prevent crime and terror," NSO Group CEO Shalev Hulio told "60 Minutes" in an interview last year. "Intelligence agencies came to us and say: 'We do have a problem. With the new smartphones, we can't get valuable intelligence.'"

An unnamed European security official confirmed to "60 Minutes" that NSO Group software had been used to thwart terrorist attacks in Europe.

"It wouldn't surprise me to know that some of NSO's claims about being used to go after criminals are correct," Scott-Railton told Business Insider last May. "The issue is that the fact that it's used lawfully doesn't falsify all these abuse cases."

What are some alleged Pegasus "abuse cases"?

What are some alleged Pegasus "abuse cases"?

Pegasus has been linked to the death of the Saudi journalist Jamal Khashoggi, and it was reportedly used to track a student in Canada who was critical of Saudi Arabia's government.

"His name is Omar Abdulaziz," Scott-Railton said. "He's a Saudi critic going to college in Montreal. We found that his infected phone was bouncing back and forth between his home network and his university gym over last summer."

A similar story played out in Mexico in 2017, according to Scott-Railton:

"We had this crazy case that I found in Mexico back in 2017 where three people — a nutrition activist, a public-health researcher, and a consumer advocate — were all targeted with Pegasus in Mexico.

"The only thing that holds them in common is that they were all advocating to slightly increase the tax on soda beverages. So the most reasonable implication is that somebody from a private interest directed somebody from the government in order to target these people because they were pushing against the soda lobby in Mexico. State-grade malware — it'd be like targeting somebody with Stuxnet because they had suggested there be a 10-cent bottling fee on Coca-Cola."

In the case of Jeff Bezos, the UN report links his ownership of the Washington Post to being targeted by the Saudi Crown Prince. "This was part of a massive, clandestine online campaign against Mr. Bezos and Amazon, apparently targeting him principally as the owner of The Washington Post," it says.

For its part, NSO Group flatly denies that Pegasus software was used to hack Jeff Bezos. "We can say unequivocally that our technology was not used in this instance," a statement on the group's website says.

Advertisement