In the wake of news from The Guardian this week that Amazon founder and CEO Jeff Bezos’s iPhone was likely hacked in 2018, the natural question for the average individual is, have I also been hacked?
The answer is possibly, though not necessarily. The thing about Apple’s iPhone, as well as phones built on Alphabet’s Android operating system, is that they are a common software platform that can be a target for bad actors, in the same way that the personal computer has for decades been a target for computer viruses.
“Smartphones are small computers, which can be hacked like any big computer,” explained Neil Mawston, executive director with technology market research firm Strategy Analytics, in an email exchange with TheStreet.
A lot is still unknown about what may have happened to Bezos’s phone, but the bits and pieces are reminiscent of hacks of PCs that have gone on for years. Anyone can be a target, not just the world's richest person.
To recap, The Guardian first reported on Tuesday that, according to unnamed sources, a forensic analysis of Bezos’s iPhone concluded that a phone belonging to Saudi Arabia’s Crown Prince Mohammed bin Salman sent it a malicious video file, which resulted in gigabytes worth of data being “exfiltrated,” meaning extracted from the phone and transmitted over the internet.
A subsequent article by the Financial Times claimed that the forensic analysis was by FTI Consulting, a business advisory firm, and that bin Salman and Bezos had initially exchanged phone numbers after a friendly dinner in Los Angeles during a visit to the U.S. by bin Salman. And then Wednesday, Motherboard reported that it had obtained the FTI forensic report, and posted the document.
Analyzing Bezos' iPhone X in a secure facility, FTI's forensic team, led by Anthony J. Ferrante, found no evidence of malicious code on the phone. However, they found something suggestive: They were able to examine a video file sent by bin Salman to Bezos via WhatsApp in May of 2018. Although the WhatsApp transmission was encrypted, preventing its inspection, the time of arrival of the file coincided with a sudden spike in cellular data traffic that Ferrante and the investigators noticed when examining the phone's files. That sudden spike showed the iPhone sending gigabytes worth of data out onto the network following the receipt of the video.
The report concludes that there’s no way to be sure, but it looks like the video may have been used to deliver a piece of malicious code onto the phone, which Ferrante and team hypothesize could be something called “Pegasus,” a program used to take control of a phone.
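The timing correlation described above can be sketched as follows. This is an added example, not code or data from the FTI report: the daily egress figures, attachment times, file names, the 50x threshold and the 24-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: (day, cellular bytes sent). Not figures from the report.
EGRESS = [
    ("2024-03-01", 410_000), ("2024-03-02", 380_000), ("2024-03-03", 455_000),
    ("2024-03-04", 390_000), ("2024-03-05", 420_000), ("2024-03-06", 400_000),
    ("2024-03-07", 2_300_000_000), ("2024-03-08", 1_900_000_000),
    ("2024-03-09", 430_000),
]
# Constructed sample: arrival times of message attachments.
ATTACHMENTS = [
    ("2024-03-03T09:12:00", "photo.jpg"),
    ("2024-03-07T18:40:00", "video.mp4"),
]

def find_spikes(egress, factor=50, min_history=5):
    """Flag days whose egress exceeds factor x the median of earlier normal days."""
    history, spikes = [], []
    for day, sent in egress:
        if len(history) >= min_history and sent > factor * median(history):
            spikes.append((day, sent, sent / median(history)))
        else:
            history.append(sent)  # only unflagged days feed the baseline
    return spikes

def correlate(spikes, attachments, window_hours=24):
    """Pair each attachment with spike days overlapping the window after arrival."""
    hits = []
    for ts, name in attachments:
        arrived = datetime.fromisoformat(ts)
        window_end = arrived + timedelta(hours=window_hours)
        for day, _sent, ratio in spikes:
            day_start = datetime.fromisoformat(day)
            day_end = day_start + timedelta(days=1)
            if day_end > arrived and day_start <= window_end:
                hits.append((name, day, round(ratio)))
    return hits

if __name__ == "__main__":
    for name, day, ratio in correlate(find_spikes(EGRESS), ATTACHMENTS):
        print(f"{name}: egress on {day} was about {ratio}x the baseline")
```

A hit shows coincidence in time rather than cause, which is why the report stops short of certainty.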
And that's the big takeaway for average smartphone users: malicious programs such as Pegasus, if that’s what it was, can arrive in the course of engaging in normal activity such as messaging via WhatsApp. The programs are able to gain control of phones by exploiting bugs in the phone’s operating system before those bugs have been found by the vendor -- in this case, Apple -- or by security researchers. Such bugs are known as “zero-day” vulnerabilities, and the attacks on them as zero-day exploits, because attackers use the weakness before it has been found out.
Bill Harrod, Federal chief technology officer with mobile security firm MobileIron, told TheStreet that such an attack is a way to take advantage of the everyday usage of the phone.
“It’s hard to detect and remediate malicious activity that often mimics typical patterns of common activity,” said Harrod. Even though Apple’s iOS and Google’s Android were built with protections that PCs never had, such as “sandboxing” code, meaning restricting what it can do, those protections can be circumvented if an attack can look normal just long enough to exploit the zero-day weakness.
But how common are such attacks for ordinary individuals? The mobile industry generally works on the assumption that 1% to 2% of all smartphones worldwide carry active or dormant malware, according to Strategy Analytics’s Mawston. “That is potentially millions of devices,” he notes.
And such attacks can happen to anyone, from high-value targets like Bezos to everyday users like you and me.
“We see a significant amount of attempts at spreading malware,” to all phones, according to Harrod -- what he calls “spray and pray,” rather like spam emails.
As far as how to avoid being compromised, Harrod advised practicing “common hygiene” with smartphones, such as, “being aware to not click on untrusted [web] links” in messages (in Bezos' case, it's unclear if he interacted with the video file in question or simply received it). Of course, using software like MobileIron's that can analyze devices in real time to detect malicious code and suspicious behavior is another alternative for corporations to use for their employees.
In the end, the possibility of being compromised is simply the nature of modern times, said Strategy Analytics’s Mawston, as technology democratizes vulnerabilities.
“Even the German Chancellor, Angela Merkel, has had her phone calls hacked,” he pointed out. “If the EU’s most powerful leader and the world’s richest man are not safe, then the average person on the street will not be secure, either.”
“The era of privacy is disappearing -- anyone can peer into your pocket,” Mawston said.