Cyber experts to tech execs: Don’t be the next Bezos
Cell phones are gold mines for hackers, so security firms are advising execs how to stay safe.
In the wake of the latest high-profile hacking news, technology companies, financial institutions and government agencies find themselves nervous about the same thing: "They all have their own Jeff Bezos to protect," said JT Keating of Zimperium, a Dallas-based security firm.
Following allegations that Saudi Arabia likely hacked into Jeff Bezos' phone, mobile security companies said they have seen a spike in inquiries from companies and executives hoping to prevent similar incidents.
Lookout, a San Francisco-based security firm that helped uncover NSO Group's Pegasus spyware, has received about two to three times the normal volume of inquiries from its customers and business partners since the Bezos reports surfaced late last month.
"People are absolutely taking this seriously," said Lookout's chief strategy officer, Aaron Cockerill. "We've been very busy."
Corporate chief information security officers have asked Lookout about ways to protect their executives from attacks similar to the one that Bezos appears to have endured, and about how widespread the problem is.
Zimperium, which monitors phone behavior to detect and prevent mobile hacks, has received roughly three times the usual number of inquiries over the same period, mostly from the technology industry, financial services sector and government agencies, said Keating, the company's vice president of product strategy.
"What has happened to Mr. Bezos has certainly been a wake-up call" for other high-profile executives, Keating said.
In a report from FTI Consulting that surfaced Jan. 22, investigators had "medium to high confidence" that the Amazon founder's iPhone X was compromised in May 2018 with malicious code sent from Saudi Crown Prince Mohammad bin Salman's WhatsApp account. Bezos' phone began transmitting a "massive" amount of data after it received a video file from Prince Mohammad's account, the report said.
United Nations experts who examined the report accused Prince Mohammad of surveilling Bezos to influence or silence reporting on Saudi Arabia. Bezos is the owner of The Washington Post, which published columns from Jamal Khashoggi, who was killed by Saudi agents in Istanbul in October 2018. Amazon did not reply to a request for comment.
Security experts said mobile devices have grown as a target for cybercriminals as people use them to store large amounts of personal as well as corporate information. Messaging apps, personal email, and text messages on phones can serve as points of access for cybercriminals.
"We've seen the bad actors identify that mobile devices are gold mines of information faster than enterprises have identified them as something they need to protect," Cockerill said.
Certainly the biggest tech companies have the budgets to protect executives. According to proxy statements filed to the U.S. Securities and Exchange Commission, Amazon spent about $1.6 million on personal security for Jeff Bezos in 2018. Facebook spent almost $10 million on personal security for Mark Zuckerberg that year.
Cockerill has some pragmatic advice for all companies to heed. The best way to protect against spyware and other mobile threats, he said, is to constantly update a device's operating system and applications. Some malware can be installed only if the attacker has physical access to the device, so Cockerill advises executives to never hand their phone over to a third party. (If they must, it's best to power off the device, he said.)
Additionally, if an executive is traveling to an area where there is a fear of digital surveillance, he recommends using a burner phone — a device with no sensitive information on it that is destroyed upon return.
Keating said people should avoid downloading applications from third-party app stores, which are much more likely to carry malicious software. And they should avoid casually connecting to public Wi-Fi networks, he said, because it is easy for cybercriminals to set up a network that appears to be coming from Starbucks, Marriott or another company.
Security experts cautioned that details surrounding the Bezos incident are murky: The FTI report did not specify what malicious software was allegedly used to hack into his phone, and the organization said it hoped to jailbreak the device to perform a more thorough forensic examination.
"We don't know the specifics of what happened to Bezos' phone, and without that, no one can tell you if they would be able to block it or not," Cockerill said. "If they do, they're selling you snake oil."