Last year, an investigator hired by Jeff Bezos accused Saudi crown prince Mohammed bin Salman of hacking Bezos' iPhone. Last week, two UN experts released a statement after reviewing the investigator's report. They said they found it credible and called for an official investigation. Whatever happens next, there's an important lesson here for anyone who ever uses a smartphone.
In 2018, Jeff Bezos had his iPhone hacked. He was still married at the time, and the hackers obtained some sexy photos and texts he sent to his girlfriend Lauren Sanchez. That event led directly to a joint announcement from Bezos and his wife Mackenzie that they were ending their marriage, as well as some memorably salacious National Enquirer headlines.
Bezos hired a security firm to investigate the hack, apparently believing that the Enquirer had done it. Instead, the security firm came to a stranger-than-fiction conclusion: The hack had come from a phone belonging to Crown Prince Mohammed bin Salman of Saudi Arabia. Last week, the United Nations issued a statement from two independent investigators and human rights experts who reviewed the security report, found it credible, and called for an official investigation.
Why would the Saudi crown prince want to hack Jeff Bezos' phone? Bezos owns The Washington Post. Jamal Khashoggi, a journalist who had fled Saudi Arabia, was a columnist for the Post, and frequently wrote columns criticizing the crown prince. Right up until Saudi officials murdered and dismembered him in Istanbul, giving a chillingly literal meaning to the Post slogan "Democracy dies in darkness." The Post immediately launched an investigation into the death of its slain columnist.
Bezos' phone was hacked in May 2018, five months before Khashoggi's murder on October 2. The UN statement says:
According to the forensic analysis, following the hacking of Mr. Bezos' phone, the Crown Prince sent WhatsApp messages to Mr. Bezos, in November 2018 and February 2019, in which he allegedly revealed private and confidential information about Mr. Bezos' personal life that was not available from public sources. During the same period, Mr. Bezos was widely targeted in Saudi social media as an alleged adversary of the Kingdom. This was part of a massive, clandestine online campaign against Mr. Bezos and Amazon, apparently targeting him principally as the owner of The Washington Post.
For its part, the Saudi Arabian Embassy has flatly denied that the crown prince was responsible for the hack, tweeting:
Recent media reports that suggest the Kingdom is behind a hacking of Mr. Jeff Bezos' phone are absurd. We call for an investigation on these claims so that we can have all the facts out.
May I have your phone number?
It will be fascinating to see how the Bezos vs. crown prince narrative plays out, but in the meantime there are some important lessons for anyone who uses a smartphone. The private investigators found that in April 2018, during a dinner in Los Angeles, Bezos gave his mobile phone number to the crown prince.
Over the next couple of weeks, the crown prince (or someone using his phone) initiated several WhatsApp conversations with Bezos, before sending a short video on May 1, the investigators found. They did not say whether Bezos actually clicked on the video to watch it -- apparently some forms of malware can install themselves on a phone without the user opening an infected file. They do say that within hours of receiving the video, Bezos' phone began sending out large amounts of data, about 30 times as much as normal. Which is, of course, what you would expect to see happen if someone was stealing his data.
In other words, it may be that Bezos got hacked simply because he gave someone his phone number. That basic piece of information that most of us print on business cards and hand out to anyone who asks can be a huge security flaw.
Admittedly, SIM swapping. SIM swapping consists of convincing your mobile carrier that you've got a new phone or new SIM card and you need to switch over your mobile number. It's a little labor-intensive, but requires no special technical skills. Wired reports that SIM swappers have made off with thousands and thousands of dollars, using imposter phones to drain people's bank accounts. In one case, they were able to steal more than $23 million worth of bitcoin.Bezos is a very special individual, and whoever hacked him used a sophisticated piece of malware to do it. If you're not a billionaire or a high-profile journalist you may not need to worry about that kind of targeted attack. But there's a much easier and more widespread type of attack that can come from anyone who has your mobile number:
To avoid SIM swapping, security experts recommend asking your mobile carrier to attach a PIN to your number so that only someone who knows the PIN will be able to make changes to your account. You might want to set up an additional number to use for two-factor authentication on particularly important accounts, such as your bank account.
You should probably also consider whether you want to openly list your mobile number and make it freely available. You obviously can't keep it a secret -- many businesses will use it to identify you, and people won't be able to call or text you without it. But you might want to think carefully about who you share it with, and what they might do with it.