As much of the world continues to hunker down at home in response to COVID-19, threat actors continue to find ways of exploiting the crisis to gather sensitive and valuable information from individuals. But while we’re busy making sure that our primary computers and cloud-based accounts are locked down, it’s often the devices we least suspect – our smartphones – that provide the opening that hackers need. The 2018 hacking of Jeff Bezos’s iPhone X, perhaps the most famous example of smartphone hacking, provides an important reminder that these most personal of devices should be used with appropriate caution, especially in this time of upheaval.
In January, an investigation into the Bezos hack found that his phone had most likely been attacked after he received a WhatsApp message from the account of Mohammad bin Salman, the crown prince of Saudi Arabia. With powerful spyware installed on Bezos’s smartphone, the threat actors responsible were likely able to access just about any information on it – from text messages to location data – and also surreptitiously initiate audio and video recordings using the device’s cameras and microphones. To me and many other observers, revelations around the Bezos hack have laid bare an important truth about commercial smartphones: that if the phone of the world’s richest person can get compromised, everybody’s mobile device is fair game.
At the same time, it can be tempting to see the Bezos incident as confirmation that only the rich and powerful need to worry about being targeted by resourceful threat actors. In Bezos’s case, it’s possible that he was targeted because of his ownership of The Washington Post, which has been critical of the kingdom’s repression against activists and dissidents. It’s also possible that the hack was an act of corporate espionage designed to get information about whether Bezos’s Amazon was planning on establishing a major Amazon Web Services center in Saudi Arabia.
But recent history has shown that you need not be a captain of industry or a high-level government leader to be a victim of spyware or other forms of targeted smartphone hacking at the hands of a determined adversary. You can be a journalist who writes unflattering stories about the powerful. You can be a satirist known for punching up. You can be a researcher for a non-governmental organization that frequently rankles governments. You can be a television personality. You can be a child who happens to be related to a person of interest. You can be selected seemingly at random.
And while the spyware used to snare Bezos was in all likelihood a top-of-the-line, commercially available offering from one of the many cyberarms dealers operating around the globe, the truth is that there are a number of ways for these types of tools to be made available to a larger audience. Intelligence-grade exploits can be leaked, as was the case with the NSA’s EternalBlue and the CIA’s Hive, giving everyday hackers access to powerful capabilities. It’s also not uncommon for highly capable hacking tools shared within developer forums and code repositories for educational purposes to be repurposed for real-world attacks. And on the commercial side, a loose regulatory environment for offensive hacking tools means that spying frequently occurs on targets far outside the scope of normal government investigations, even crossing borders.
I write this not to scare you – there’s already far too much fear-mongering in the world of security – but because I want to shatter what I believe is a collective complacency when it comes to mobile security. This complacency comes from many places. Partly it’s because smartphones are highly personal extensions of ourselves, so enmeshed in our day-to-day lives that the thought of compromise may seem foreign. Partly it’s because mobile security is largely handled by smartphone makers through the operating system, creating an “out of sight, out of mind” mentality. And partly it’s because it’s easy to forget that the devices we use for texting and playing games are indeed incredibly powerful computers with the ability to collect and store loads of valuable information.
If you’re concerned about being targeted, experts recommend bolstering your defenses at both the software level (by keeping your phone’s operating system up to date) and the human level (by staying vigilant against requests to download malicious files or open untrustworthy links). But as the Bezos hack shows, even a tech-savvy person using the best software-based security on the market can only do so much in the face of the most sophisticated threats.
Cybersecurity is one of the defining issues of our time, and it will continue to grow in importance as our lives become increasingly digital and mobile. The ExoComputer concept promises to give users the ability to fight back against technology’s worst features. Today’s technologists have only started to scratch the surface of what this new technology can do for the everyday smartphone user. We can only hope that the future holds a safer digital world for every individual citizen.