UN calls for immediate investigation into Saudi role in Jeff Bezos hack

A 2018 spyware attack on Jeff Bezos’ phone escalated into an international scandal on Wednesday, as United Nations human rights experts issued a stern statement criticizing the government of Saudi Arabia for allegedly conducting the hack.

“The information we have received suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post’s reporting on Saudi Arabia,” the statement reads. “The alleged hacking of Mr. Bezos’s phone, and those of others, demands immediate investigation by US and other relevant authorities.” The Saudi government has denied any role in the hack.

“This reported surveillance of Mr. Bezos, allegedly through software developed and marketed by a private company,” the statement continues, “is, if true, a concrete example of the harms that result from the unconstrained marketing, sale and use of spyware.”

The report also mentions two former Twitter employees who were charged with spying on behalf of the Saudi government, which investigators take as evidence of a broader campaign by the country.

According to the report, the hack was part of a broader campaign to blackmail Bezos into softening The Washington Post’s coverage of Saudi Arabia in the months leading up to the killing of Saudi journalist Jamal Khashoggi. Private messages and photos from Bezos were later leaked to the National Enquirer, something Bezos described in a public Medium post as part of an attempted blackmail scheme.

The technical evidence for Saudi Arabian involvement comes from a report by Bezos’ personal security consultants, which was published in full by Motherboard and reported on further by The New York Times and Financial Times. According to the report, Bezos met Saudi Crown Prince Mohammed bin Salman in Los Angeles in April 2018 and exchanged phone numbers. About a month later, he received an unexpected video from Salman, which the report alleges was infected with targeted spyware.

Immediately after the video was viewed, large amounts of data began flowing out of Bezos’ phone, activity that could not be explained by cloud backups or other normal use.

The following November, just over a month after Khashoggi’s killing, Salman sent Bezos another strange WhatsApp message. It was a single picture of a woman resembling Lauren Sánchez, Bezos’ mistress and the subject of the subsequent National Enquirer piece, bearing a cryptic caption: “Arguing with a woman is like reading the software license agreement. In the end you have to ignore everything and click I agree.”

A separate message sent in February after Bezos’ Medium post seems to seek to deescalate the situation. “It’s not true,” Salman wrote, “there is nothing against you or Amazon from me or Saudi Arabia.”

The consultants’ report suggests Bezos’s phone may have been hacked using Pegasus spyware, a powerful private malware offered without judicial oversight by the Israeli firm NSO Group. NSO is one of the most notorious current vendors of spyware for hire, and it has been the subject of widespread criticism for its role in undermining cybersecurity on behalf of oppressive regimes.

In a statement provided to The Verge, NSO Group denied any involvement with the hack. “NSO is shocked and appalled by the story that has been published,” the company said. “We can say unequivocally that our technology was not used in this instance. These types of abuses of surveillance systems blacken the eye of the cyber intelligence community and put a strain on the ability to use legitimate tools to fight serious crime and terror.”

In October, WhatsApp brought a lawsuit against NSO for allegedly hacking users through unreported vulnerabilities. “WhatsApp will continue to do everything we can within our code, and within the courts of law, to help protect the privacy and security of our users everywhere,” WhatsApp chief Will Cathcart said at the time.

Update 11:55AM ET: Updated with a link to the full report, obtained by Motherboard.

Update 1/23 1:37PM ET: Updated with statement from NSO Group.

Why the NYT thinks Russia hacked Burisma — and where the evidence is still shaky

The disastrous Democratic National Committee hack in 2016 was a wake-up call for anyone worried about international chaos campaigns, and on Monday night, we got a new reason to be worried about 2020. The New York Times and cybersecurity firm Area1 broke the story of a new hack by Russian intelligence services targeting Burisma, the Ukrainian natural gas company at the center of President Trump’s ongoing impeachment. For months, Republican operatives have been hinting at some horrible corruption inside the company, and if Russian spies really did hack the company, it raises frightening possibilities.

Some in Congress are already predicting a replay of 2016, with Rep. Adam Schiff (D-CA) commenting, “It certainly looks like they are at it again with an eye towards helping this president.” It’s an alarming thought, and given Trump’s refusal to acknowledge Russian hacking the last time around, there’s no indication the White House would do anything to stop it.

But while the report painted a terrifying picture, the evidence is less definitive than it might seem. There’s strong evidence that Burisma was successfully targeted by a phishing campaign, but it’s much harder to be sure who was behind the campaign. There are real suggestions that Russia’s GRU intelligence service could be involved, but the evidence is mostly circumstantial, as is often the case with hacking campaigns. The result leaves the case against Russia frustratingly incomplete and suggests we may head into the presidential campaign with more questions than answers.

The bulk of Area1’s evidence is laid out in an eight-page report released in conjunction with the Times article. The core evidence is a pattern of attacks that have previously targeted the Hudson Institute and George Soros, typically using the same domain registrars and ISPs. Most damning, all three phishing campaigns used the same SSL provider and versions of the same URL, masquerading as a service called “My Sharepoint.” As Area1 sees it, this is the GRU playbook, and Burisma is just the latest in a long line of targets. (Area1 did not respond to repeated requests for comment.)

A chart from the Area1 report.

But not everyone sees that domain-based attribution as a slam dunk. When Kyle Ehmke examined earlier iterations of the same pattern for ThreatConnect, he came away with a more measured conclusion, assessing with only “moderate confidence” that the domains were involved with APT28, researcher shorthand for Russia’s GRU.

“We see consistencies,” Ehmke told The Verge, “but in some cases those consistencies aren’t consistent to a single actor.” This pattern of registrations and phishing attacks really does seem to be a GRU playbook, but it’s not its only playbook, and it’s not the only one running it.

In practical terms, that means that network operators should raise the alarm any time they see an attack that fits this profile, but making a definitive ruling on a single incident is much harder. The web infrastructure used in the campaign is all publicly available and used by lots of other parties, too, so none of it counts as a smoking gun. The most distinctive characteristic is the term “sharepoint,” which researchers have only seen in URLs closely linked to the GRU. But anyone can register a domain with “sharepoint” in it, so the connection is only circumstantial.

“It’s a notable set of consistencies to look for and potentially use to identify their infrastructure,” Ehmke said. “But that’s not to say that everything that has those consistencies has been and will be APT28.”

In the absence of specific information about a given outfit’s strategies and goals, it’s hard to make that attribution any stronger. But going the opposite direction — from a weak attribution to a presumption of intent — can be dangerous.

This kind of weak attribution is frustratingly common in the cybersecurity world, and it can cause real problems as countries struggle to figure out the international diplomacy of cyberwarfare. Farzaneh Badii, former executive director of Georgia Tech’s Internet Governance Project, classifies weak attribution as “circumstantial evidence that can be technically questioned.” She sees it as a global problem and has advocated for international attribution groups that could solve the deadlock, so observers wouldn’t have to rely on private companies or government intelligence agencies. Without that, the problem of trust can be difficult to solve.

“States mostly fund cyber attacks through individual contractors and do not carry them out themselves,” Badii says, making state actors and private criminals difficult to distinguish. If you’re worried about governments ginning up a case for war or private companies grasping for headlines, that problem only gets worse. “Attribution companies are not forthcoming and transparent about all of their methods for undertaking attribution so it is not easy to assess their attribution mechanism.”

If you’re concerned about Russian meddling in the 2020 election, none of this should be reassuring. The GRU really did hack the DNC in 2016, and there’s no reason to think it won’t try similar tricks again, whether or not it was behind this particular phishing campaign. There really is reason to think the GRU was involved. The lack of a smoking gun isn’t reassuring — if anything, it means whoever did this got away relatively clean. But if you just want to know whether Russia hacked Burisma, the real answer may be that we still don’t know.

Microsoft CEO says encryption backdoors are a ‘terrible idea’

As Apple squares off for another encryption fight, Microsoft CEO Satya Nadella offered mixed messages on the encryption question. In a Monday meeting with reporters in New York, Nadella reiterated the company’s opposition to encryption backdoors, but expressed tentative support for legal and technical solutions in the future.

“I do think backdoors are a terrible idea, that is not the way to go about this,” Nadella said. “We’ve always said we care about these two things: privacy and public safety. We need some legal and technical solution in our democracy to have both of those be priorities.”

Along those lines, Nadella expressed support for key escrow systems, versions of which have been proposed by researchers in the past.

Apple’s device encryption systems first became a point of controversy after a 2016 shooting in San Bernardino, which led to a heated legal push to force Apple to unlock the phone. That fight ultimately ended in a stalemate, but many have seen the recent shooting at a naval base in Pensacola as a potential place to restart the fight. Committed by a Saudi national undergoing flight training with the US Navy, the shooting has already been labeled a terrorist act by the FBI, and resulted in 21 other Saudi trainees being disenrolled from the program. Two phones linked to the assailant are still subject to Apple’s device encryption, and remain inaccessible to investigators.

But Nadella stopped short of simply saying companies could never provide data under such circumstances, or that Apple shouldn’t provide a jailbroken iOS modification under the circumstances. “We can’t take hard positions on all sides… [but if they’re] asking me for a backdoor, I’ll say no.” Nadella continued, “My hope is that in our democracy these are the things that arrive at legislative solutions.”

That’s a significantly milder tone than Microsoft took during the San Bernardino case in 2016. At the time, Microsoft expressed “wholehearted” support for Apple’s position in the case, and joined Apple in opposing some of the encryption bills pushed in the wake of the trial.

Correction 9:43PM ET: Due to a transcription error, Nadella’s two priorities were listed as privacy and national security. He said they were privacy and public safety. This has been corrected.

Samsung’s Device Care app is sending data back to China — but it’s less scary than it sounds

On January 6th, a post appeared on Reddit’s largest Android forum with alarming news: “Chinese spyware pre-installed on all Samsung phones.”

“I know the title is rather sensational,” the author explained, “however it couldn’t get any closer to the truth.”

The problem was a utility in Samsung’s Device Care application, a mandatory feature that comes preinstalled as part of Samsung’s Android implementation and cannot be removed. Using packet analysis tools on a Galaxy S10, the author discovered some strange traffic coming out of Device Care’s storage scanner, which looks for junk files that can be deleted to free up space. That scanner was sending data back to Chinese domains — and because storage scanners generally need access to all of the files on your device, the data could include almost anything.

There was an immediate explanation in the post, but it wasn’t entirely reassuring. The scanner utility was made in collaboration with Qihoo 360, a Chinese security company that has occasionally made headlines for complying with national censorship directives. But it wasn’t clear from the scan which data was being sent back to Qihoo and why, which led the Redditor to worry about spyware. And since the app was built into Samsung’s operating system, there is no way for concerned users to remove it.

According to Samsung, the truth is less alarming than it appears. The company says the only data sent back to Qihoo is generic information needed to optimize storage — specifically naming OS version, phone model, and storage capacity, among other data. Qihoo’s main contribution is a reference library for identifying junk files, but that library is stored locally in the utility, and Qihoo never receives data that would allow it to identify a particular file on a user’s device.

“Samsung takes the protection of our users’ data very seriously, and we design our products with privacy and security top-of-mind,” a company representative told The Verge. “The storage optimization process, including the scanning and removal of junk files, is fully managed by Samsung’s device care solution.”

Still, the episode is a reminder of the intense fears surrounding Chinese tech companies and the broader concerns around international antivirus firms, similar to the scandal that engulfed the Russia-based Kaspersky Lab in 2017. As concerns about Huawei and other Chinese hardware companies come to a peak in Washington, it’s only natural that Qihoo partnerships might turn a few heads. And while Samsung’s explanation checks out, it may not be enough to quiet all of the doubts on /r/Android.

The FBI has asked Apple to unlock another shooter’s iPhone

The FBI has asked for Apple’s help in unlocking two iPhones linked to a shooting at a Pensacola naval base in December, according to a report by NBC News. In a letter sent to Apple on Monday, FBI general counsel Dana Boente said the bureau has obtained court approval to search the devices, but was unable to unlock them using available tools.

“Investigators are actively engaging in efforts to ‘guess’ the relevant passcodes but so far have been unsuccessful,” Boente told the company.

Such requests have been a sore point for Apple, which cannot produce local data from locked phones without attacking the fundamental elements of iOS security. The company routinely provides iCloud data in response to court orders, which often includes backups of the phone’s local storage — but without the passcode for a specific device, Apple can’t provide data stored locally on the phone. The failure to provide that data has become a sticking point for law enforcement and the FBI in particular, which has often lobbied for increased access to locally encrypted data.

Apple’s failure to decrypt local data last came to a head with the San Bernardino shooting, when the FBI sought to decrypt a phone linked to that attack. In particular, the FBI hoped to force Apple to create a modified, encryption-free version of iOS, which would then be signed by Apple and installed on the San Bernardino phone. After months of legal fighting, the FBI abruptly withdrew its case when a vendor solution became available.

When the phone was finally unlocked, it produced no additional leads. A subsequent Inspector General report found that the bureau had failed to explore its internal vendor resources before bringing the case.

Reached by The Verge, Apple declined to confirm the existence of the letter, but said it had turned over all available data related to the case in response to a court order. “We have the greatest respect for law enforcement and have always worked cooperatively to help in their investigations,” a company representative said. “When the FBI requested information from us relating to this case a month ago we gave them all of the data in our possession and we will continue to support them with the data we have available.”

Apple sues security vendor for DMCA violations

Apple is suing an iOS virtualization vendor called Corellium for trafficking under the Digital Millennium Copyright Act (DMCA). Apple initially sued the company for copyright infringement in August, alleging that Corellium’s virtualization of iOS was violating Apple’s ownership of the code. The more recent filing expands the case, alleging that Corellium’s sale of the virtualization software counts as trafficking in copyright-protected goods.

“Corellium’s business is based entirely on commercializing the illegal replication of the copyrighted operating system and applications that run on Apple’s iPhone, iPad, and other Apple devices,” Apple’s revised complaint alleges. “Corellium simply copies everything: the code, the graphical user interface, the icons—all of it, in exacting detail…providing its users with the tools to do the same.”

The software in question allows users to run a facsimile of iOS in a controlled desktop environment. With no conventional connectivity, the program cannot be used as a phone, but it allows researchers to examine how specific software performs on iOS in minute detail. It is particularly useful when researching malware, and it was most recently used to uncover surveillance-related protocols in the United Arab Emirates’ ToTok app.

In a statement after the filing, Corellium described the motion as part of a broader crackdown against jailbreaking by Apple.

“Apple is using this case as a trial balloon in a new angle to crack down on jailbreaking,” said Corellium CEO Amanda Gorton. “Across the industry, developers and researchers rely on jailbreaks to test the security of both their own apps and third-party apps – testing which cannot be done without a jailbroken device…. Not only do researchers and developers rely on jailbreaking to protect end users, but Apple itself has directly benefited from the jailbreak community in a number of ways.”

Apple declined to comment.

Consumer jailbreaking was widespread in early versions of iOS, but it has declined significantly in recent years, and some of the most prominent jailbreak-reliant app sources have closed down as a result. The most common way of installing non-authorized software is now through Apple’s enterprise certificate system, which leaves the basic architecture of iOS intact. Still, there’s significant competition for finding gaps in Apple’s software control systems, most recently with a bootrom exploit called Checkm8 that was released publicly in September.

Correction: An earlier version of this piece stated that Apple had filed charges against Corellium; in fact, Apple is suing the company in civil court. The Verge regrets the error.