Exercising a suitable level of operational security is the key to protecting yourself from the consequences of sophisticated cyber attacks, according to Lionel Laurent at Bloomberg. Reports emerged last week that Amazon CEO Jeff Bezos’s iPhone may have been hacked in 2018 via a malicious video file sent by, or through, or on behalf of, Mohammed bin Salman, the Crown Prince of Saudi Arabia.
While evidence of the hack so far remains circumstantial, sophisticated commercial spyware is the primary suspect, and the security consultants hired to investigate considered the Crown Prince (or at least his WhatsApp account) a possible source of the attack.
It’s not clear if Bezos had to interact with anything to trigger the alleged spyware. Indeed, much about the incident remains unclear, and further investigation will be required before observers can confidently understand what happened. But it’s worth considering that expensive, high-end spyware deployed by nation-states sometimes makes use of zero-day vulnerabilities that allow attackers to gain access to devices without any action on the part of the victim. As a result, it’s not always possible to defend yourself against every attack, especially if you’re a high-profile or high-ranking individual like a CEO.
Even so, Laurent notes that there are measures you can implement to minimize the effects of such an attack.
“We know from the technical report that Bezos doesn't use a burner phone, keeps personal selfies on his system, and might not even know his iTunes password,” Laurent writes. “The icing on the cake, though, is personal trust. The ‘last mile’ of the hack seems to have simply come down to getting Bezos’s number and sending him a message. Access, not technology, was the key.”
Laurent emphasizes that Bezos isn’t to blame here. If the allegations are true, then the event is an example of the highest level of social engineering combined with nation-state-level hacking capabilities.
“The fact that the infamous 4.22 MB video file landed in Bezos’s phone on May 1, 2018 — just four weeks after the pair exchanged numbers — suggests the hack really began when they first met in April 2018,” Laurent adds. “In the hierarchy of scams, if a phishing hack is disseminated to unsuspecting members of the public, and spear-phishing targets one individual, then securing this kind of personal connection surely tops both.”
Regardless of whether or not the Crown Prince was behind the hack, the incident should motivate people to reassess where their data are stored, how sensitive the data are, and who could potentially gain access to the information.
It’s also worth mentioning that while high-profile figures are particularly likely to be targeted by sophisticated attackers, many of the same defensive measures apply to everyone. They can mitigate more common types of attacks as well. New-school security awareness training can help your employees implement appropriate measures to protect themselves against both sophisticated and unsophisticated attacks.
Bloomberg has the story: https://www.bloomberg.com/opinion/articles/2020-01-24/jeff-bezos-phone-hack-shows-vulnerability-beyond-tech