By Raphael Satter
WASHINGTON, Jan 24 (Reuters) – Allegations that Amazon.com boss and Washington Post owner Jeff Bezos had his phone hacked by Saudi Crown Prince Mohammed bin Salman have put a spotlight on the security of smartphones and the secretive tools used to hack them.
Smartphones are effectively pocket-sized computers that run apps on operating systems such as Apple’s iOS or Google’s Android. Those devices have enabled a new world of connectivity – unlimited free calls over WhatsApp, for example, or an atlas worth of up-to-the-second maps from Google – but also a parade of potential security problems.
Here is how smartphones can be hijacked and a look at the potential consequences and the thriving market in surveillance vendors helping the world’s spies get access to people’s secrets.
HOW IT WORKS
Smartphones operate through a collection of apps, sometimes scores of them, running over an operating system, which in turn runs on a complex piece of hardware embedded with receptors, lenses and sensors.
Each one carries potential flaws – sometimes called bugs – that can cause a system to crash or behave unexpectedly when sent a rogue command or a malicious file. Even small openings like that can allow hackers to take control of a device. It is akin to illicitly lowering a coat hanger through a tiny seam in the car door to unlock a vehicle.
Many developers work hard to ensure those seams stay sealed, but with millions of lines of code to choose from, it is virtually impossible to guarantee total safety.
“There is no software that is bugless,” said Oded Vanunu, a researcher with Israeli cybersecurity firm Checkpoint who often finds flaws in popular messaging programs.
Once hackers are in, the possibilities are vast – and frightening. Anyone with full control of a smartphone can turn it into a powerful surveillance device, silently tracking users’ locations while quietly copying their emails, instant messages, photos and more.
A 2015 technical document from NSO Group – one of the better known spyware vendors – outlines the capability of its Pegasus spyware program to monitor the smallest details of a target’s life, throwing up alerts if a target enters a certain area, for example, or if two targets meet, or if a certain phone number is called.
The document, made public as part of a lawsuit against NSO by communications firm WhatsApp, shows how keystrokes can be logged, phone calls can be intercepted and a feature dubbed “room tap” uses a phone’s microphone to soak up ambient sound wherever the device happens to be.
The document says the spyware can be installed by enticing targets to click malicious links or rogue text messages, but spies particularly prize the quieter “push message” installations that remotely and invisibly install themselves on users’ phones.
WHO IT TARGETS
NSO and other spyware vendors have long argued that their products are used responsibly – only sold to governments for legitimate purposes. NSO has denied any link to the alleged Bezos hack. Saudi officials dismiss allegations of their involvement as absurd.
Years of investigative work from internet watchdog group Citizen Lab – which has a well-documented record of exposing international cyber espionage campaigns – and a drumbeat of court cases and leaked documents have called such assertions as these of responsible use into question.
In October of last year messaging company WhatsApp sued NSO in California, alleging that the spyware firm had taken advantage of a bug in the app’s video calling protocol to hack 1,400 users around the world in the period between April 29 and May 10, 2019, alone.
Disclosures from other companies such as Italy’s now-defunct Hacking Team and the spyware company now known as FinSpy have also raised questions about the business. Hacking Team’s spyware was implicated in spying campaigns against dissidents in Ethiopia and the Middle East, for example, while researchers have recently found evidence that FinSpy’s software was used in Turkey.
Both companies’ tools work similarly to NSO’s — using flaws in smartphones to subvert the devices entirely. (Reporting by Raphael Satter; Editing by Howard Goller)
Add Comment