Technology & Science

After Jeff Bezos hack, calls for greater controls on hacking tools

The recent revelation that Amazon founder and Washington Post owner Jeff Bezos fell victim to smartphone hacking — allegedly involving Saudi Arabia's crown prince — has cast a light on the shadowy world of cyber weapons sales, and amplified calls for better controls on the way digital arms and private surveillance tools are sold.

United Nations expert warns 'nobody is safe' from cyber surveillance

The hacking of Jeff Bezos's iPhone has raised questions about commercially-produced spyware, sold to governments around the world. (Shutterstock/iHaMoo)

The recent revelation that Amazon founder and Washington Post owner Jeff Bezos fell victim to smartphone hacking — allegedly involving Saudi Arabia's crown prince — has cast a light on the shadowy world of cyber weapons sales.

Organizations as prominent as the United Nations and Amnesty International have demanded better controls be implemented over the way digital arms and private surveillance tools are sold.

But those calls have come before, and experts say the attack on Bezos, one of the wealthiest people in the world, highlights how journalists and free speech activists, among other groups, remain at risk.

"These allegations demonstrate that nobody is safe from the use of this kind of technology," the UN's point person on free speech, David Kaye, told CBC News in an interview. He warned that people "should understand the reach of the private surveillance industry."

Kaye and Agnès Callamard, both UN special rapporteurs, on Wednesday published details of the Bezos hack, stemming from a private consulting firm's forensic analysis of the billionaire's iPhone. 

The company, hired by Bezos, assessed with "medium to high confidence" that his device had been infected with spyware when he received a video file from the account of Saudi Crown Prince Mohammed bin Salman on the Facebook-owned instant messaging service WhatsApp.

The analysis found "unprecedented" data transmission from the iPhone began within hours of Bezos receiving the suspect video — apparently allowing hackers to steal gigabytes of files from his device over "some months."

Amazon CEO Jeff Bezos is seen with Hatice Cengiz, fiancée of murdered Washington Post columnist Jamal Khashoggi. (Umit Bektas/Reuters)

The incident, on May 1, 2018, came months ahead of the killing of Jamal Khashoggi, a prominent critic of the Saudi regime — and columnist for Bezos's newspaper — at the Saudi consulate in Istanbul. The hack also came before the National Enquirer tabloid obtained private texts and photos revealing Bezos's extramarital affair. His longtime wife later filed for divorce.

Norway-based human rights activist Iyad el-Baghdadi, a friend of Khashoggi's, told CBC hacking tools are being handed "to governments that are simply irresponsible."

"Given the current state of affairs, I think we need a moratorium on the sale and transfer of this technology," he said.

Saudi officials called claims of the Kingdom's involvement in the hack "absurd."

The UN report calls for national and international authorities to institute export control regimes on private surveillance technology. Conventional weapons, by contrast, are subject to worldwide agreements such as the UN-brokered Arms Trade Treaty. Involving more than 100 countries, the treaty sets norms for cross-border arms sales and seeks to prevent human rights abuses.

The NSO Group logo is seen on a building in Herzliya, Israel, in 2016. (Daniella Cheslow/The Associated Press)

How'd they do it?

Although analysts found no malware in Bezos's smartphone, experts said it's possible the malicious code could have hidden its own tracks after the infection. The UN report pointed to two types of spyware "that can hook into legitimate applications to bypass detection and obfuscate activity."

The first, known as "Pegasus," created by the Israeli-based NSO Group, was suspected of being used by Saudis before, to spy on critics abroad. The second "less likely" option, according to the report, is that hackers employed Galileo, otherwise known as "Remote Control Service," developed by the Hacking Team. The Milan-based group was reported to have sold cyber tools to the FBI in the past.

Hacking Team did not reply to a request for comment. NSO, however, vigorously defended its work in an emailed statement, saying "our technology was not used in this instance … our products are only used to investigate terror and serious crime."

Saudi Arabia was previously reported to have spent $55 million US on Pegasus.

The hack targeting Bezos involved the WhatsApp account tied to Saudi Crown Prince Mohammed bin Salman, according to a UN report. (Bandar Algaloud/Courtesy of Saudi Royal Court via Reuters)

The Israeli firm, though, claimed this week its tools cannot be used on U.S. phone numbers. It did not explain whether the apparent measure was included in its code, or whether it could be modified by a client after its sale.

Challenged in court

It's not the first time NSO distanced itself from similar allegations.

In October, WhatsApp sued the firm in U.S. federal court, claiming NSO had helped governments spy on 1,400 users around the world. NSO said at the time it denied the allegations and vowed to "vigorously fight them."

Separately, WhatsApp's developers recently said they had fixed a bug that allowed for malicious code to be inserted into an MP4, the same type of video file believed to have been sent to Bezos.

The alleged targets were not named in court. Quebec resident Omar Abdulaziz, however, is among Saudi Arabia's critics believed to have been hit with spyware — likely NSO's Pegasus, according to research carried out by the Citizen Lab at the University of Toronto.

New York Times journalist Ben Hubbard, who wrote a book on the Saudi crown prince, also said on Twitter this week that "operators linked to Saudi Arabia" tried to hack his phone a month after the attack on Bezos. He thanked Citizen Lab for having "checked it out."

This week's UN report said Saudi Arabia targeted Bezos principally in his role as owner of the Post, which published Khashoggi's criticism of the regime.

'Global security problem'

Ronald Deibert, the director of Citizen Lab, said the Bezos case serves as "a reminder that the proliferation of commercial spyware is a global security problem for all sectors, from government and businesses to civil society."

He said his group had identified "hundreds of journalists, human rights defenders, politicians, and others who have been targeted with these technologies."

Citizen Lab stressed it was not part of the private analysis of Bezos's iPhone, but published recommendations for how the consulting firm could further investigate the source of the hack.

Amnesty International is also involved in court action in Israel, where activists are attempting to get the country's defence ministry to block NSO from exporting its products.

A legal team attends a court hearing on Amnesty International's legal bid to have Israel revoke the export licence of the NSO Group. (Corinna Kern/Reuters)

"NSO continues to profit from its spyware being used to commit abuses against activists across the world and the Israeli government has stood by and watched it happen," said Danna Ingleton, deputy director of Amnesty's tech division.

Kaye, the UN special rapporteur, said Citizen Lab's work has shown spyware is all too often used by rogue regimes to silence or intimidate activists, dissenters and reporters.

He said it's been illustrated so many times it's "no longer surprising, but still shocking."

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.