The hacking of Jeff Bezos’ phone should serve as a smartphone security wake-up call

The UN is calling for an investigation into reports that the owner of the Washington Post may have had his phone hacked by the Saudi Crown Prince.

The story was broken by The Guardian, which seems to have been given details of a forensic analysis commissioned by Amazon boss and owner of the Washington Post Jeff Bezos, after details of his personal life were obtained by the US publication National Enquirer. The investigation concluded it was highly probable that the information was obtained from a hack of Bezos’s phone initiated by an infected video file sent via the WhatsApp account of Saudi Crown Prince Mohammed bin Salman.

It looks like the findings of the investigation were also shared with a couple of UN special representatives – Agnes Callamard, UN Special Rapporteur on summary executions and extrajudicial killings, and David Kaye, UN Special Rapporteur on freedom of expression – who have called for an investigation into the matter.

Callamard investigated and reported to the Human Rights Council in 2019 evidence showing the role of the Government of Saudi Arabia in the murder of journalist Jamal Khashoggi. Kaye reported to the Council at the same time on the growing and lawless use of malicious spyware to surveil and intimidate journalists, human rights defenders, and others in civil society. They issued the following joint statement on the latest development.

“The information we have received suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post’s reporting on Saudi Arabia. The allegations reinforce other reporting pointing to a pattern of targeted surveillance of perceived opponents and those of broader strategic importance to the Saudi authorities, including nationals and non-nationals. These allegations are relevant as well to ongoing evaluation of claims about the Crown Prince’s involvement in the 2018 murder of Saudi and Washington Post journalist, Jamal Khashoggi.

“The alleged hacking of Mr. Bezos’s phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents.

“This reported surveillance of Mr. Bezos, allegedly through software developed and marketed by a private company and transferred to a government without judicial control of its use, is, if true, a concrete example of the harms that result from the unconstrained marketing, sale and use of spyware.

“Surveillance through digital means must be subjected to the most rigorous control, including by judicial authorities and national and international export control regimes, to protect against the ease of its abuse. It underscores the pressing need for a moratorium on the global sale and transfer of private surveillance technology.

“The circumstances and timing of the hacking and surveillance of Bezos also strengthen support for further investigation by US and other relevant authorities of the allegations that the Crown Prince ordered, incited, or, at a minimum, was aware of planning for but failed to stop the mission that fatally targeted Mr. Khashoggi in Istanbul.

“At a time when Saudi Arabia was supposedly investigating the killing of Mr. Khashoggi, and prosecuting those it deemed responsible, it was clandestinely waging a massive online campaign against Mr. Bezos and Amazon targeting him principally as the owner of The Washington Post.”

In an annex to the UN statement, the methods used in the forensic analysis are detailed and come to the following conclusion: “Experts advised that the most likely explanation for the anomalous data egress was use of mobile spyware such as NSO Group’s Pegasus or, less likely, Hacking Team’s Galileo, that can hook into legitimate applications to bypass detection and obfuscate activity.”

NSO Group has published a press release entitled ‘NSO is shocked and appalled by the story that has been published with respect to alleged hacking of the phone of Mr Jeff Bezos’, in which it states “we can say unequivocally that our technology was not used in this instance.” Techcrunch reports that NSO has also said its software can’t be used on US phones and threatened legal action against anyone who says otherwise.

Towards the end of last year, however, WhatsApp publicly accused (in the Washington Post) NSO of being the company behind just the kind of spyware that seems to have been used to hack Bezos’ phone. In addition it filed a complaint in a US federal court, the result of which is unknown. The second annex to the UN report gives a detailed timeline that explicitly links the hacking of Bezos’ phone with the murder of journalist Jamal Khashoggi, much of whose reporting was published by the Washington Post.

This whole thing reads like some kind of Jason Bourne plotline and serves to highlight just how critical the issue of smartphone security is. These tiny devices now contain so much information about us that even one of the richest people in the world is helpless in the face of a determined hack. The smartphone now occupies the pivotal position in the tension between state interests and individual privacy and the conclusion of this case could tip that balance decisively.

Indian state says it can intercept any communications and hack any device it wants

In response to a question about WhatsApp hacking in parliament, the Indian home affairs Minister revealed the apparently limitless snooping power at his disposal.

The information comes courtesy of TechCrunch, which also helpfully linked to the source material. The Indian government was asked to comment on the following:

  • Whether the Government does tapping of WhatsApp calls and messages and if so, the details thereof;
  • The protocol being followed in getting permissions before tapping WhatsApp calls and messages;
  • Whether it is similar to that of mobile phones/telephones;
  • Whether the Government uses Pegasus software of Israel for this purpose;
  • Whether the Government does tapping of calls and messages of other platforms like Facebook Messenger, Viber, Google and similar platforms and if so, the details thereof.

While it didn’t address each point individually the Indian home affairs Minister, Kishan Reddy, answered with the following statement:

Section 69 of the Information Technology Act, 2000 empowers the Central Government or a State Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted, any information generated, transmitted, received or stored in any computer resource in the interest of the sovereignty or integrity of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.

There followed some vague stuff about government agencies not having blanket permission to hack electronic communications and devices, and that they would have to ask really nicely before they were allowed to do what they want. But the long and short of it is that anything you say or do in India can be viewed by the government whenever it fancies it.

Pegasus software refers to spyware made by NSO Group, which WhatsApp has openly accused of hacking its service. The government response didn’t address that question at all but it’s beyond question that there is a growing industry around the production of malware designed to help governments spy on their citizens.

Five years ago the India-based Software Law and Freedom Centre said the Indian government was issuing over 100,000 telephone interception orders per year. It seems safe to assume that number has grown considerably since then, and when you factor in all the other agencies that have a piece of this action you’re looking at a lot of state spying.

In India, as elsewhere, claimed interference in the electoral process, be that through misinformation or more sinister means, is being used as the justification for state interference in private matters. Any time a government claims it needs to spy on its citizens in the name of safety, the correct response is to ask whose safety it has in mind.

Google exposes massive iPhone hacking operation

Google’s Project Zero security team has revealed a vulnerability in iOS that exposed large numbers of users to a hack that allowed the installation of a monitoring implant.

This kind of hack is called ‘zero-day’, the definitions of which vary, but which refers to a vulnerability in a piece of software that leaves it open to exploitation by outside actors. The stated aim of Project Zero is to make zero-day hard and it goes about doing so by trying to find such vulnerabilities. Apparently it always publishes these findings after giving the owner of the software time to address the vulnerability and Apple was told about this one back at the start of February this year.

“Now, after several months of careful analysis of almost every byte of every one of the exploit chains, I’m ready to share these insights into the real-world workings of a campaign exploiting iPhones en masse,” wrote Ian Beer of Project Zero in the blog post detailing the findings. “Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”

This is at best very embarrassing for Apple, which prides itself on the relative lack of malware on its closed software platforms. The malware was able to install itself on iOS devices if they merely visited an infected website, with no manual download required. Upon successful installation the malware apparently granted the bad guys access to everything on the phone, including passwords, chat histories, etc.

Google is, of course, Apple’s sole rival in the mobile operating system space, so it does seem pretty convenient that it should be discovering iOS vulnerabilities and publicising them. Project Zero’s policy, it seems, is to publish all such findings after an appropriate delay to allow for patching, which it should be stressed Apple did immediately, but you have to wonder whether it’s quite as keen to bring Android’s failings into the public domain.

Matrix themed virus infects 25 million smartphones

A new variant of mobile malware, dubbed ‘Agent Smith’, which re-directs advertising funds to cybercriminals, has been identified and it has infected 25 million smartphones already.

Discovered by Check Point, this is a sneaky virus to deal with. Like ‘Agent Smith’ in the Matrix trilogy, the virus has the ability to consume a downloaded app and assume control.

Right now, the user is not being exploited in a direct manner. The presence of the virus does present dangers in terms of eavesdropping or credit fraud, but currently the cybercriminals are using the virus to collect cash off advertisers through various trusted applications. The application is forced to display more ads than designed, with the attackers collecting the additional credits.

“In this case, ‘Agent Smith’ is being used for financial gain through the use of malicious advertisements,” Check Point said on its blog.

“However, it could easily be used for far more intrusive and harmful purposes such as banking credential theft and eavesdropping. Indeed, due to its ability to hide its icon from the launcher and impersonate existing user-trusted popular apps, there are endless possibilities for this sort of malware to harm a user’s device.”

Check Point estimates that 25 million devices have been infected to date; the majority are in India and other Asian nations, although infected devices have also been identified in the US, UK and Australia. Although Check Point has not directly stated it, some have suggested the virus can be traced back to Guangzhou, China.

The virus itself works in three phases. Firstly, the user is encouraged to download a simplistic, free app (usually a minimal-function game or sex-app) which contains an encrypted malicious payload. At this point, the malware searches the user’s device for any popular apps on a pre-determined list which can be targeted at a later date.

During the second phase, the malicious payload is decrypted into its original form and then abuses several known vulnerabilities without giving any clues to the user. Finally, the malware attacks the pre-determined applications, extracting the innocent application’s APK file and patching it with extra malicious modules.

‘Agent Smith’ was first detected in 2016 and the cybercriminals have seemingly been laying the groundwork for a larger attack for some time. It has certainly evolved over this period, and although Check Point has reported the malicious apps to the Google Security team, who is to say there are not more. The danger of ‘Agent Smith’ is that it is incredibly difficult to identify in the first place.

Perhaps this is an oversight in the security world which we will have to address before too long.

As it stands, numerous parties around the world are constantly on the lookout for nefarious activity; however, in most cases the assumption is that it will be a state-sponsored attack. This does not seem to be the case here, which is perhaps why it is very difficult to detect the malware in the first place: everyone is looking for the wrong clues.

In this example, Check Point seems to have caught the suspect firm ahead of time, informing the Google Security team before any genuine damage has been done. That said, 25 million devices is still a substantial number, but with the source identified it should be limited.

Smartphone spyware FinSpy is back and thriving

Cybersecurity vendor Kaspersky has reported that FinSpy, a piece of malware that allows private information to be stolen from smartphones, has made a reappearance.

FinSpy spyware is apparently made by German company Gamma Group and sold by its UK sub-division Gamma International to governments and state agencies so that they can spy on their citizens. It has been around for a few years but seems to be experiencing a renaissance, with activity recorded in Myanmar last month.

The recent appearance of FinSpy has brought to light the iOS and Android mobile implants that can install this spyware on mobile devices. This now enables the FinSpy spyware to collect personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from some of the most used messenger services including Facebook, WhatsApp and Skype among others.

The greatest cause for concern is FinSpy’s ability to gain this information even if the phone’s user is running an encryption program. Talking about encryption, FinSpy’s developers have been improving their own encryption to reduce the risk of traceable activity being discovered, the Kaspersky report claims.

“The developers behind FinSpy constantly monitor security updates for mobile platforms and tend to quickly change their malicious programs to avoid their operation being blocked by fixes,” Alexey Firsh, a security researcher at Kaspersky Lab, told Cyberscoop. “We observe victims of the FinSpy implants on a daily basis.”

Kaspersky has also claimed that these implants were detected in almost 20 countries; however, it’s likely the real number is higher. These new implants appear to be a real threat, with the developers constantly updating the spyware by reducing its trace while improving it to the point where it can break through encryption. FinSpy along with Gamma Group are thriving, although Kaspersky says it is conducting further investigations to tackle this issue.

Nokia, Cisco, BT, Telefónica and Microsoft among new cybercrime-fighting cabal

34 tech and telecoms companies have signed a pledge to fight cyberattacks from criminal enterprises and nation-states.

The thing they signed is called the Cybersecurity Tech Accord and its creation seems to have been prompted by the growing trend of cyber-horridness coming from places like Russia and the apparent need for greater global coordination to combat it. Microsoft seems to be taking the lead on this project, which is fair enough since its OS is the recipient of most of this aggro, but a fairly broad range of major tech companies have jumped on board.

“The devastating attacks from the past year demonstrate that cybersecurity is not just about what any single company can do but also about what we can all do together,” said Microsoft President Brad Smith. “This tech sector accord will help us take a principled path towards more effective steps to work together and defend customers around the world.”

Here are the four cornerstones to this group effort as detailed in the announcement:

Stronger defense

The companies will mount a stronger defense against cyberattacks. As part of this, recognizing that everyone deserves protection, the companies pledged to protect all customers globally regardless of the motivation for attacks online.

No offense

The companies will not help governments launch cyberattacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design and distribution.

Capacity building

The companies will do more to empower developers and the people and businesses that use their technology, helping them improve their capacity for protecting themselves. This may include joint work on new security practices and new features the companies can deploy in their individual products and services.

Collective action

The companies will build on existing relationships and together establish new formal and informal partnerships with industry, civil society and security researchers to improve technical collaboration, coordinate vulnerability disclosures, share threats and minimize the potential for malicious code to be introduced into cyberspace.

“The Tech Accord will help to protect the integrity of the one trillion connected devices we expect to see deployed within the next 20 years,” said Carolyn Herzog, General Counsel at Arm. “It aligns the resources, expertise and thinking of some of the world’s most important technology companies to help to build a trusted foundation for technology users who will benefit immensely from a more secure connected world.”

Intel hit with class action suit over CPU defects

Law firm Doyle APC has filed a class action lawsuit against Intel for the design defect found in all of Intel’s x86-64 CPUs.

2018 has not been a great year for Intel so far, as the last week or so has simply been a tsunami of bad news concerning security vulnerabilities in its x86-64 CPUs. Considering the extent of Intel’s woes, it wasn’t going to be too long before a class action appeared, and here it is: Garcia, et al. vs. Intel Corp, Case No. 18-cv-00046 (ND Cal).

The case itself aims to represent any US purchaser of Intel CPUs containing the defect, or purchasers of a device containing one of these Intel processors. The defect is actually down to what Intel must have thought was a clever bit of engineering. The kernel mode attempts to guess what the user will do next, known as ‘speculative execution’, having certain programmes on stand-by to increase speed and performance. This action potentially exposes kernel data, one of the most sensitive parts of a computer.

Since the vulnerability was initially exposed, Intel has been rushing to develop a patch, essentially closing the threat, though it is believed it will degrade performance at the same time. Intel claims 90% of processor products introduced within the past five years will be fixed by the end of this week, and for the average user, the impact on performance will be minimal. This has also been echoed by Intel’s customers:

“Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.”

“The majority of Azure customers should not see a noticeable performance impact with this update. We’ve worked to optimize the CPU and disk I/O path and are not seeing noticeable performance impact after the fix has been applied.”

“On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”

“We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads.”
This has been disputed by some commentators as the ‘speculative execution’ feature is believed to be one of the primary drivers of increased performance. Only time will tell.

Doyle APC’s ambulance chaser impersonation should of course have been expected, though Intel has been the main recipient of attention so far. AMD and ARM are two other suppliers who have also admitted to vulnerabilities, though neither has gotten anywhere near the same amount of consideration. Either the flaw does not impact these products as much as Intel’s, or the severity of the AMD and ARM defects has not been truly uncovered just yet.

Android ransomware is biggest mobile malware threat – Nokia

Nokia has published its latest Threat Intelligence Report, which shows that ransomware attacks went through the roof this year, largely via Android devices.

The Nokia report looks at malware infections found in mobile and fixed networks by its NetGuard security product, which by no coincidence whatsoever announced a major new version today. It derives data from over 100 million devices.

The biggest security issue faced by mobile networks this year has been ransomware, as typified by WannaCry and NotPetya. Two thirds of mobile malware comes via Android devices – mainly smartphones – which Nokia attributes to the prevalence of side-loading apps from third party app stores. Third party app stores account for 96% of the app market in China, apparently.

(Chart: Nokia malware device breakdown)

(Chart: Nokia malware Android breakdown)

(Chart: Nokia malware China app store breakdown)

This is an issue because side-loading bypasses Google’s own efforts to clean up the Play Store, which makes it much easier to trick users into downloading malware hiding as a Trojan within apparently legit apps. This is in addition to traditional ways of getting people to install dodgy software via links in emails and text messages.

Nokia, of course, reckons it has the answer to all this cyber-misery. The latest version of NetGuard Security Management Center is going big on automation and analytics to try to make it a more predictive process for CSPs. We’re told the volume of security incidents is just too great for mere human beings to stay on top of and we need some artificial intelligence to help us out.

“More sophisticated attacks, growing network complexity and the proliferation of IoT and other devices make it nearly impossible for security teams to monitor, react to and resolve today’s threats quickly and effectively,” said Ron Haberman, head of Emerging Products in Nokia’s Applications & Analytics business group.

“Nokia’s extensive heritage and expertise in network communications technologies and network-based security uniquely positions us to address these unprecedented security challenges. Our Security Management Center helps service providers streamline business processes, reduce costs and proactively address security threats before they impact end users or businesses.”

The clear vested interest in combining these two pieces of news doesn’t diminish the underlying point. It’s hard not to get the feeling that we’re losing ground in the battle against cyber-baddies and clearly need to raise our game. Technologies such as Nokia’s may be part of the solution, but companies need to prioritise security more than they currently are.