It's been more than a month since the news broke that Amazon CEO Jeff Bezos had his phone hacked by the Crown Prince of Saudi Arabia, Mohammed bin Salman. But people are still buzzing about it.
According to reports, the Saudi royal family member supposedly sent a booby-trapped video to Bezos via a WhatsApp message on May 1, 2018. The video allegedly exploited a WhatsApp bug to download and install malware on Bezos' personal iPhone, which then exfiltrated data from it.
How to protect your own CEO from cyber hacks
If you want to keep your own company's CEO from starring in a similarly sleazy story, there are steps you can take to protect your C-level executives from such cyber attacks. Of course, no one is completely safe. But you can limit the risk.
Aaron Turner, president and chief security officer of Highside, a distributed identity and secure collaboration technology company, said, "We have been recommending that executives and other high-value travelers like researchers and diplomats use hardened Android devices while traveling through regions where the mobile network operators should be considered hostile actors. This is due to the fact that iOS relies on a single-point-of-failure security model and has not allowed users to select which encryption roots their device trusts. With Android, Google has at least allowed users the option to de-trust the surveillance certificates that are injected into Android devices. iOS has no such capability, requiring users to jailbreak their device to de-trust surveillance roots in a similar fashion. This is especially concerning due to the number of authoritarian regimes which Apple has collaborated with to allow surveillance on all iOS devices."
Turner also said that moving away from the use of WhatsApp is key, as there are more attacks than ever flowing through that platform.
To reduce the risk, Turner said that for one client, "we are in the process of designing communications filtering technology that essentially removes direct-to-executive communications from mobile phones, with all publicly-attributable numbers associated with executives on a protected virtual communications platform, and an obfuscated number on the actual handset that they carry. This essentially creates a mobile firewall to allow inspection of all files before they get to the executive's phone. This is expensive and operationally intensive now, but we hope to make it easier over time."
Harold Li, vice president of ExpressVPN, said that an IT department can provide essential advice to C-suite executives. "In addition to the essentials -- such as good password hygiene, multi-factor authentication, timely patching, and encryption -- I would highlight two additional areas that don't get enough focus today."
"First is social engineering, which is on the rise and can enable a criminal to circumvent even the most stringent security measures with the help of their unwitting target. Make sure you educate your C-level staff about these types of attacks and give them clear escalation channels for checking and reporting potential attacks," Li said.
"Second, in addition to reducing the risk of a hack, operate on the assumption that devices, particularly those belonging to high-level targets, will inevitably be compromised. With that in mind, consider how to mitigate that eventuality: What policies and measures can you put in place to minimize the amount of confidential information on the device at any given time? How do you ensure that compromising a single device isn't sufficient to access the most sensitive data and infrastructure? What level of monitoring prevents hacked devices from staying hacked for too long?" Li said.
What to do if a suspicious file is received
If all of the precautions offered by a company's IT department have failed, and a suspicious file has made it to your phone, there are certain steps to take.
"Don't open suspicious files. Certainly do not install apps from a source other than the main app store or another safe location. If you have IT or security staff that handle these incidents, you should ask them what policy to follow. These things are a bare minimum to try to stop an attacker from running malicious software on your device," said Justin Cappos, associate professor at NYU Tandon School of Engineering.
Li said, "If you want to check the file in case it is legitimate, do so in a sandbox, such as a virtual machine, or ask your IT department to do so for you."
What to do if a phone has been compromised
Li said, "First, they should isolate their device so that the hacker cannot communicate with it -- this can mean turning it off, taking out the battery if removable, ejecting the SIM card, or even putting it in a Faraday bag. Second, they should change the credentials on any accounts that could have been compromised through the device and end any active sessions. Third, they should alert their IT department and turn over the device for inspection."
And remember, anyone can be the victim of a hack. Li said, "Cybersecurity has always been about risk management, as we recognize that it's impossible to eliminate risks altogether short of living completely off the grid. The hacking of Jeff Bezos' phone underlines this principle that there is always some degree of risk -- and reminds us that we must take proactive measures to protect ourselves."