On Friday, Facebook's vice president of global affairs and communications, Nick Clegg, said that the hacking of Jeff Bezos's phone wasn't the fault of WhatsApp, pointing instead to the Apple iOS that powers the iPhone X Bezos was using. Or, at least, that's presumably what he was trying to say, though his answer when asked by the BBC was largely incomprehensible.
"We're as sure as you can be that the technology of end-to-end encryption cannot be hacked into" - Facebook's @nick_clegg says he's "very, very confident" that Jeff Bezos wasn't hacked via Whatsapp #r4Today | @MishalHusain | https://t.co/NHsmYG4H4W pic.twitter.com/E4Cf4h1Viu
-- BBC Radio 4 Today (@BBCr4today), January 24, 2020
Clegg's explanation was that WhatsApp couldn't be at fault because its messages are end-to-end encrypted, meaning they can't be hacked. Rather, he argued, "It sounds like something on the, you know, what they call the operate, operated on the phone itself." To be clear, he didn't specifically mention Apple by name; however, it was already known that Bezos was using an iPhone X at the time he was hacked.
"It can't have been anything on the, when the message was sent, in transit, because that's end-to-end encrypted on WhatsApp," Clegg said.
As a reminder, the allegation is that the Saudi Crown Prince, Mohammad bin Salman, sent a message to Amazon's CEO using WhatsApp. That message included a relatively small video file that contained malware that was used to access the contents on the iPhone.
Security vulnerabilities in WhatsApp have been widely reported in the past, including in this column. In fact, in 2019, security researchers disclosed a flaw that would allow a hacker to take control of your device using a video file sent in a chat message. Sounds familiar.
Which is why it's strange that a Facebook executive would go to such lengths to dismiss the idea that someone actually took advantage of a vulnerability that WhatsApp itself has already acknowledged and issued a fix for. It's even more confusing that he attempted to pass the blame to Apple.
In fact, it appears Clegg is unsure about how end-to-end encryption works, and why that's pretty much irrelevant in this case. Encryption keeps WhatsApp messages secure as they travel from device to device, protecting their content from prying eyes. If, however, one of those messages contains malware, encryption does nothing to stop it: the malware is delivered along with the rest of the message and can certainly cause other issues on the device that receives it.
In this case, for example, it appears that the video file flaw allowed an attacker to access messages and files contained within WhatsApp and send them back to the attacker. Encryption has nothing to do with it, and doesn't protect against this sort of hack.
Clearly Facebook is feeling the pressure with this attack. That makes sense when you consider it involves the world's richest man, the Crown Prince of Saudi Arabia, and the company's wildly popular "secure" messaging platform. Earlier in the week, another Facebook executive passed the blame to "the potential underlying vulnerabilities that exist on the actual operating systems on phones," in an interview on Bloomberg TV.
Apple, for its part, declined to comment.