Jeff Bezos phone hack highlights how hackers can use WhatsApp to spy
Saudi Arabia’s use of WhatsApp to allegedly hack Jeff Bezos’ phone has sparked a huge amount of backlash, including from the United Nations. But the fact is that the technique used—sending infected files via the popular messaging service—is an increasingly common way to spy on high-profile targets, according to security experts.
The hack involves sending a video or file that exploits a vulnerability in WhatsApp. When opened, it triggers a smartphone to run malicious code that gives hackers access to nearly everything on a smartphone, without the target having a clue.
“Once you have root access to the phone, you have access to whatever is on the phone,” says David Schwed, professor and founding director of the cybersecurity program at Yeshiva University in New York.. “Text messages, the camera roll—whatever a person is saying on WhatsApp.”
Bezos’ phone was likely hacked after he opened a seemingly benign WhatsApp video sent in 2018 from the account of Saudi Crown Prince Mohammed bin Salman, The Guardian reported on Tuesday. It gave hackers access to private messages and photos exchanged between Bezos and his girlfriend, Lauren Sanchez.
Those messages were allegedly later used by the Saudis as leverage to quash reporting at the Bezos-owned Washington Post about murdered journalist Jamal Khashoggi.
It’s unclear which vulnerability the hackers used against Bezos, the billionaire founder of Amazon. But last year, WhatsApp, owned by Facebook, patched a bug that had been used to track 1,400 journalists, human rights activists, and civil servants worldwide, according to WhatsApp.
That exploit involved sending a video call that would allow hackers to take control of a WhatsApp account, even if the target didn’t answer. WhatsApp said it stopped the “highly sophisticated cyber attack” in May 2019 and notified the affected individuals.
In October, WhatsApp filed a lawsuit in the U.S. federal court in Northern California against the NSO Group, an Israeli firm known for its Pegasus smartphone spyware. WhatsApp alleged that the NSO Group was unable to break its encryption as part of its surveillance efforts, so it instead downloaded malware on phones of 1,400 targets.
The NSO Group denies the allegations.
In July, at the annual Black Hat hacking conference in Las Vegas, researchers from security company Symantec showed off another vulnerability in WhatsApp. Hackers, the researchers said, could manipulate WhatsApp videos, photos, and messages, potentially undermining confidence users have in content sent through the app.
Separately, WhatsApp announced in November that it had patched a bug that would have let hackers send mp4 files, which include GIFs, that could place malware on a target’s phone. The bug was labeled “critical,” however it’s unclear whether it was ever used by hackers.
The exploits are an example of a kill chain, a technical term for a series of actions that bad actors can take to gain increasing access to a target, account, or device, said Tim Mackey, principal security strategist at Synopsys.
“Identifying when an attack is underway is challenging, and whether you’re a high-profile individual or John Q Public, often the warning signs become apparent after the attack, and not before,” Mackey said.
The National Enquirer published private texts in January 2019 about Bezos’ affair with Sanchez. Bezos also said he was contacted with details about additional intimate texts and racy photos in an “extortion and blackmail” attempt by the outlet.
The Saudi Embassy in the United States has denied that it played any role in the hacking of Bezos’ phone.
“Recent media reports that suggest the Kingdom is behind a hacking of Mr. Jeff Bezos’ phone are absurd. We call for an investigation on these claims so that we can have all the facts out,” said a tweet from the Saudi Embassy in the United States.
More must-read stories from Fortune:
—A.I. in China: TikTok is just the beginning
—Inside big tech’s quest for human-level A.I.
—Medicine by machine: Is A.I. the cure for the world’s ailing drug industry?
—A.I. breakthroughs in natural-language processing are big for business
—A.I. is transforming the job interview—and everything after
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.