Attack on Bezos' phone shows spyware becoming more powerful

Asked to diagnose a suspected cyberattack on an iPhone owned by Amazon Chief Executive Jeff Bezos, forensics experts detected a massive spike in data being siphoned from the device hours after he received a WhatsApp message from a Saudi royal.

The malware behind the hack remains a mystery. But it's clear Bezos was hit by a potent combination: advanced code, capable of grabbing gobs of information quickly, along with an encrypted delivery system that helped it evade detection.

Over the past decade, spyware has gained wider acceptance, become more lucrative and, when transmitted via encryption, increasingly effective. It has evolved from a surveillance tool available for download on the dark web, often by consumers seeking to pry into a partner's private life, into a pricey product passed off as a way for law enforcement to root out illegal behavior.

The market for mobile surveillance technology is valued at about $12 billion and remains less than 10% penetrated, according to Moody's.

The alleged attack on Bezos would be one of the most high-profile examples of spyware being used by government officials against an individual, and it has elicited calls for greater regulation of the industry.

The two United Nations experts — Agnes Callamard, U.N. special rapporteur on summary executions and extrajudicial killings, and David Kaye, U.N. special rapporteur on freedom of expression — said they want a moratorium on the sale and transfer of surveillance technology from private companies.

They also called the allegations involving Bezos's phone "a concrete example of the harms that result from the unconstrained marketing, sale and use of spyware."

The U.N. experts and the forensic analysis of Bezos's mobile phone, which was published by Vice, identified two electronic-surveillance companies that could have developed the technology used to execute the hack. Israel's NSO Group and Italy's Hacking Team both sold products to Saudi officials before the 2018 attack, according to FTI Consulting, which conducted the analysis.

Saudi Arabia spent $55 million in 2017 for NSO's Pegasus software, the Israeli newspaper Haaretz reported in November.

Hacking Team didn't respond to requests for comment, and NSO denied involvement in the attack.

"Our technology was not used in this instance; we know this because of how our software works and our technology cannot be used on U.S. phone numbers," the company said in a statement, while declining to say whether it has done business with Saudi Arabia. "Our products are only used to investigate terror and serious crime."

As the industry has grown in profitability, so has its reputation as a clean and credible business, said Jack Cable, an independent security researcher and a student at Stanford University. Even so, software makers can't guarantee that their products won't be used for ill intent, he said.

Spyware is essentially a type of malware that is unwittingly loaded on the device and then takes over.

Once it's installed, spyware like NSO's Pegasus can begin sending back the phone user's private data, including passwords, contact lists, calendar events, text messages and live voice calls from mobile messaging apps, according to the Pegasus manual.

In some cases, the operator of the spyware can use the phone's camera or microphone to take photographs or record audio without the target's knowledge.

On its website, NSO Group notes that terrorists, drug traffickers, pedophiles and other criminals have access to advanced technology that makes them harder to monitor and track.

"NSO Group develops best-in-class technology to help government agencies detect and prevent a wide-range of local and global threats."

Hacking Team promotional materials describe how the company's technology — its flagship system is called "Galileo" — was designed to gain access to people's Skype calls, social media messages, mobile phone locations, text messages and other data. The company said in a video posted online that the technology could be "deployed all over your country" and could hack devices belonging to "hundreds of thousands of targets."

There is a constant cat-and-mouse game played between spyware developers and the companies responsible for mobile operating systems and applications.

When a new spyware tool is discovered, developers from companies such as Apple and Facebook work to release a software patch that blocks the tool from working. Then the surveillance manufacturers will work to upgrade their tools to bypass the latest security updates.