Welcome to Brown’s Bytes! Your weekly insight from Mobliciti’s CTO Andy Brown. Follow #brownsbytes
24th January 2020
Regular readers can probably guess what I would be talking about this week. There is one story this week that stands massively above the usual noise – the story about the hacking of Jeff Bezos’ phone.
Unless you’ve been living under a rock this week, you will no doubt already be aware of this – the story has been on all the major news outlets all over the world following the exclusive first publication by the Guardian.
I’m not going to go into minute detail here, but the highlights (or lowlights really) were:
- Jeff Bezos was targeted with malware embedded in a video file
- The payload was delivered by WhatsApp
- Once the device was infected, attackers basically appear to have had full access to the data on it
- “Large amounts” of data were then taken from the device
- The device remained infected and in use for some considerable time (possibly months)
To anyone working in the mobile security world, none of this is especially new or surprising… we’ve been saying threats precisely like these are out there for years.
Take out all the mobile wow factor and sensational headlines and at its heart, this is simple – spear-phishing of a CEO that went undetected (and could have been prevented with Mobile Threat Defence).
There are a couple of myths that need to be explored now that all this is out in the open.
Myth 1 – iOS is secure
From what I’ve seen, it seems Jeff Bezos was using an iPhone X at the time. A single piece of malware has been able to gain access to the device and insert new processes to exfiltrate data from it. iOS is arguably the most secure OS out there, but the idea that it is perfect is madness – just look at the release notes for every iOS release to see how many security fixes are in it… each of these was a vulnerability before it was released!
Myth 2 – This is an extreme of what’s out there
Or to put it another way – only nation-state-level hackers could do this kind of thing. I do suspect this was actually a pretty sophisticated piece of malware for its time and the origins of it seem murky at present, but the idea that only some kind of super experts can do this kind of thing is frankly a bizarre way to look at risks. Just the payload delivery mechanism used in this case makes an interesting point – it was a WhatsApp video; has it been forwarded on? A great many of us get viral videos over WhatsApp chat groups; imagine if something like this got (even accidentally) spread that way.
To be clear – mobile threat defence would have caught this
You spend money on solutions like this for precisely these scenarios. Some of you still reading will, I suspect, be there saying “yeah, but we’re not really being targeted”. My simple response to that is HOW DO YOU KNOW!!?? And I would also bet your email phishing filters say otherwise!
I can’t imagine what the combined IT security spend across Jeff Bezos’ empire is, but it’s not going to be a small number. Yet, it didn’t catch that the CEO got hacked – and he remained hacked for some considerable time. Until you put a security solution such as Mobile Threat Defence in place you are simply flying blind to the risks – just like they were. Seriously – get in touch, we have a number of solutions that we can help you get deployed to control and mitigate this massive area of risk.