Amazon CEO Jeff Bezos’ phone hack: Is it because of WhatsApp video files flaw?

Pegasus spyware is made by Israeli cyber-security firm NSO Group. In October 2019, WhatsApp sued the NSO Group for violating its terms of service and using its platform to spread the spyware. The cyber-security firm has always denied the charge, including the recent one about the Amazon founder’s phone hacking.

Amazon CEO Jeff Bezos in this file photo (Image source: Reuters)

WhatsApp MP4 file flaw

On November 14, 2019, an issue with video files was acknowledged by Facebook and WhatsApp. The UN report on Bezos’s phone-hacking cites the date and says: “Facebook confirms that ‘sending a specifically crafted MP4 file to a WhatsApp user,’ is a method for installing malicious spyware.

WhatsApp had described the vulnerability or flaw in its system as “a stack-based buffer overflow”, which could “triggered” by “sending a specially crafted MP4 file to a WhatsApp user”. This kind of attack could allow a remote attacker to take complete control of the phone’s operating system, and steal and access all data on the device, as has happened in the case of Bezos.

However, Bezos’s phone was likely hacked around May 2018, nearly a year before Facebook and WhatsApp even discovered the issue.

The UN report says: “Records showed that within hours of receipt of the video from the Crown Prince’s WhatsApp account, there was an anomalous and extreme change in phone behavior, with cellular data originating from the phone (data egress) increasing by 29,156 per cent. Data spiking then continued over the following months at rates as much as 106,031,045 per cent higher than the pre-video data egress base line.”

An exert analysis of “likelihood of cyber weapons as methods for anomalous stimulation and capture of data egress”, found that the “most likely explanation for the anomalous data egress was use of mobile spyware such as NSO Group’s Pegasus or, less likely, Hacking Team’s Galileo, that can hook into legitimate applications to bypass detection and obfuscate activity.”

The report added that “following the initial spike of exfiltration after receipt of the suspect video file, more than 6GB of egress data was observed using exfiltration vectors”.

WhatsApp had asked users to update their apps in order to be on the latest versions, and avoid being impacted by the flaw. The company has also said at the time that it did not think any users were impacted by the issue.

A WhatsApp source told indianexpress.com that there is no technical evidence that connects the alleged hacking to the bug that it fixed last year. “Attacks of this nature often take advantage of vulnerabilities within the underlying operating system that powers our mobile phones.”

WhatsApp had two major issues reported in 2019, the first in May when the Pegasus attack took place, and the second one in November, 2019. (Image source: Reuters)

WhatsApp flaw on video/voice call

In addition to the MP4 file flaw, another bug on WhatsApp was used to deploy Pegasus and carry out unlawful surveillance. The issue was actually reported in May 2019, though the full scale only became evident in October 2019, when WhatsApp began informing users who were impacted by this campaign.

With Pegasus, the key is that it is licensed only to governments or law enforcement agencies and not some software that anyone can buy, given there is also an exorbitant cost attached to it. In this case, the spyware exploited a flaw in voice and video protocol of WhatsApp to eventually take over the victim’s phone.

Explained: How Saudi Prince Mohammad bin Salman hacked Amazon founder Jeff Bezos  

A missed voice or video call made to the victim’s WhatsApp number was enough and Pegasus would get deployed. Once installed on the phone, it has complete control over the device and could be used to track and steal all data from phone calls, messages. It could even be used to remotely turn on the camera or microphone and spy on the user.

WhatsApp had initially said that the attack had targeted a “select number” of users. The lawsuit against NSO Group revealed that nearly 1400 mobile phones and devices were targeted. The surveillance was carried out “between in and around April 2019 and May 2019” on users in 20 countries across four continents.

India was also one of the countries where Pegasus was deployed and used to spy on journalists and human rights activists. The Indian Express had first reported that close to two dozen academics, lawyers, Dalit activists and journalists in India were contacted and alerted by WhatsApp that their phones were under the high tech surveillance for nearly two weeks until May 2019.

Is WhatsApp still safe for you?

Given WhatsApp has over 2 billion users across the world and nearly 400 million of those are in India, the concerns about its safety are legitimate. The link to Whatsapp in hacking of Bezos’s phone obviously raises a lot of uncomfortable questions about the platform as well. Keep in mind though that the popularity of WhatsApp also makes it an easy and popular target.

The voice/video call flaw used to exploit WhatsApp was a zero-day vulnerability, meaning even the company did not know the flaw existed, though it pushed out the patch to fix this once it discovered about the problem. These are often found in software, and really there’s no way to protect yourself until the developer or the company are alerted about the flaw and fixes it for all users. The MP4 video file issue it seems was ‘discovered internally’ by Facebook and WhatsApp teams.

Dark Mode is finally there on WhatsApp? Check out all the steps to activate this

All software is vulnerable to being hacked, considering cybersecurity experts and hackers are constantly trying to find flaws that they can exploit. And this applies to Apple’s iOS or Google’s Android or Microsoft’s Windows as well. For users, the only assurance when it comes to such flaws is that they should stay on top of updates as they are rolled out to avoid their systems or devices getting compromised.