Security Expert Gavin de Becker on Jeff Bezos Getting His Phone Hacked

Gavin de Becker

Gavin de Becker is a leading authority on the prediction and management of violence. A three-time presidential appointee, he and his firm Gavin de Becker and Associates have provided protection, investigation, and threat assessment services for numerous high profile individuals and organizations.

Transcript

And so you go from this to, I mean I don't want to make this big leap into the Jeff Bezos thing but it is, it's very fascinating to me. You were involved in finding out how Jeff Bezos' phone got hacked and you were involved in connecting it to the Saudis and that whole thing. How did this all come about?

Well I have promised, I wrote one op-ed for The Daily Beast about this and in that op-ed at the end I say I'll never say another word on this case because I'm turning it over to the federal government. Now it's a few years ago. So what I can share is only that which has been public and a lot wasn't public but the circumstance did involve MBS who's the prime, you know the prince of Saudi Arabia and he did send a text with a video to Jeff Bezos. They knew each other, they had met, they had exchanged phone numbers and embedded in that video was a system that downloaded something that then later connects to a website and downloads something more sinister like Pegasus 2 which is a system that governments around the world use to get into your phone and then they have full control of your phone.

So it doesn't immediately connect to it?

It doesn't download immediately because it's a bigger package. What you're getting in your first incursion into a phone or laptop or iPad or whatever, you're getting a very small file, a little executable file that then later reaches out via the internet.

And that executable file could be a website, it could be...

And does it exist only on the physical phone itself or is it in the operating system and if you change phones and like upload to the cloud and then re-upload or re-download on a new phone, does that spy software make it onto your phone again?

Probably not but we don't know completely. Whether it does or it doesn't when a government wants you like the US government or Saudi or... Basically there are two kinds of countries in the world when it comes to incursions into smartphones.
There are original developers, the United States, China, Soviet Union and Israel. So there are original developers of programs that do these things. And then there are the purchasing countries, Mexico, Saudi Arabia and all 190 other countries. By the way, I say 190. Do you know there isn't even a consensus about the number of countries in the world? Countries can't even agree on that.

Is that because of like Taiwan and...

Taiwan is a good example. Yeah. So the best way I can put it to you is that if a government wants you from an informational point of view, wants to get into your phone, they have you. These systems are extraordinarily robust, powerful as I learned more and more about them. It's not actually my area of expertise, cybersecurity, but as I had to learn more about it for myself and for clients, when the Saudis wanted to get into a phone, they could.

What if you're communicating rather only through direct encryption devices or applications rather like Signal?

Yeah. It's a very good question. So if Signal encrypts the package going back and forth between the two devices over the internet. So if you have an interception between device A and device B, it'll be encrypted. But that's not what happens with things like Pegasus 2. Pegasus 2 is a very high end system and it's in your phone just like you're in your phone. Everything you can do on your phone, I can do from 7,000 miles away in some Saudi government office.

Wow.

And so Signal doesn't help you with that. I do think however, by the way, Signal is a foundation. It's not a for-profit company, so I'm glad to promote it. I do think they have something very valuable on Signal and that is disappearing messages, which is if you and I were exchanging Signal communications, we could set in one week, make all this disappear. In one hour, make all this disappear up to four weeks.
That's very valuable because otherwise our text messages, look, I was tasked to do this for myself when the Saudi thing started, which is I have to think about everything that's on my phone. Holy shit. Every communication I had for years, every text I sent, every photo, every argument, every joke that would be taken out of context, it's a very hard thing to do because we're like a mind. We're collecting all of this data in the phone. And so Signal is valuable. I think Signal's a good service, but it doesn't solve the problem if a government wants you. If a government wants information, they can get it through programs like Pegasus 2.

Right. Well, how does Pegasus 2 get on your phone?

Well, different ways. There is a no-click incursion, meaning you don't have to click on anything. Typically you would get a text and you would open that text and that would download the little executable file or you would watch a video and it would be in the video. But now the newest Pegasus systems, they don't even need you to do anything. They can send you a message on WhatsApp and even if you delete it, even if you never open it, they can get in your phone.

But what if you don't use WhatsApp?

That's a help, by the way. I don't recommend WhatsApp.

Why is that?

Because WhatsApp has had a – for some reasons that I don't want to share and for some reasons that I do want to share, WhatsApp has had a particularly vulnerable circumstance with regard to people getting into other people's phones. Now, having said that, there are thousands of people right now all over the world working on nothing but getting into the new iPhone operating system. And then there's thousands of people at Apple working on nothing but being sure that the new operating system is impenetrable. And this just is an arms race that's going to go on forever.

So you were saying that if you get a message through WhatsApp, but what if you don't get a message through WhatsApp?
Is that executable of just a blank text message comes your way and you don't open it?

Less than that, unfortunately. You can get nothing at all with Pegasus 2. You can get nothing at all. They can enter a telephone number and they can get into your phone. Nothing at all.

No text message so you have no idea whatsoever.

That's correct. And that's a problem with zero-day exploits, which is you don't know what happened and you go on for months and months and months not knowing that somebody's in your phone is a problem.

And how do you find out if someone's in your phone?

Well, it depends on the circumstance. In the case you described, I was notified by – originally by somebody in CIA, then notified eight times by the FBI about what information they had learned. And then we began to do work on the phone itself and you learn about it in those ways, which is very difficult by the way because Pegasus 2 – I feel like I'm giving a commercial for Pegasus 2, but most people can't buy it anyway. But Pegasus 2 is not sitting in an armchair waiting for you to arrive. Hey, I'm over here. It is extremely well hidden, right down at the very core levels of a phone or an iPad. But there are strategies for finding it and they're challenging and they're evolving all the time. There are whole organizations like Citizen Lab and a really great expert, Anthony Ferrante, who used to work for Obama at the White House on this kind of stuff. He's now in private practice. They've had a lot of success. They even have found Pegasus 2 in the wild, meaning before there was a reason to be suspicious, they've identified it. And it's a tricky game because it – let's say you were targeted by the Mexican government, which happened a lot to people. And you have it on your phone and you think you are being monitored in some way, so you get rid of your phone. You turn it off, you put it in the top drawer. Well, Pegasus will say, hey, this activity has just stopped, self-delete. It will self-destruct.
So now you don't even have any evidence that it ever happened, even if you could get an FBI involved in it.

So Pegasus sends a signal to the person that's using the spyware to tell you that that phone is not active any longer?

Well, they know. They see immediately, hey, Joe isn't texting his friends anymore. So they know that right away.

So they execute it independently?

No, it can happen internally. Because what happens – remember when it's turned off or the battery is taken out or a wide variety of things can happen that, you know, with a, quote, suspect phone, it will self-destruct on its own after a few days of no contact. That's one of the things they market. I got all their marketing material. And at the time, you know, when we were really doing this investigation, we were getting a lot of content from around the world. It is sold by a company called NSO, which is in Israel, based in Israel. It's a very dark game all over the world involving governments and other powerful people. And you know, most people say, well, what do I care? Nobody wants to get into my phone. And they're right. But if you are a person who is subject to the interest of government anywhere in the world, it's very hard to have privacy.

So if you don't get a message through WhatsApp, what are the other vulnerabilities? Like, could you get a message through Twitter?

Yes, you could get a regular text.

A regular text.

Yeah. Pegasus 1, which did require that the user click on something, but Pegasus 2 is a no-click exploit. Nothing has to happen.

So someone can just send you a text. You don't even have to open it?

Not even send you less than that. What I'm saying is that the high-end Pegasus system that's used by Saudi Arabia and other countries, all they need to do is have your phone number. That's it. Nothing more. They have access to all your photographs, your messages, everything is sent. Turn on your phone as a microphone right now in this room. Turn on your phone as a camera right now.
And even it's so smart. Let's say it makes an audio recording of a phone call. And it doesn't download it right now. It waits until the phone is quiet and it's late night in the target destination, like in your home. It's late night. And then it downloads it at night so that you don't even see a reduction in performance. And then people who are sort of watching the cost don't see spikes of all kinds of activity. In the case you talked about, gigabytes of data was taken out of that phone.

Gigabytes?

Yeah.

How many gigabytes are on the phone?

No idea. Don't know. So anyway, yeah, the short punchline on this is that there is no way to – there's a lot of products being sold that do the best they can. But depending on who wants you, there really is no way – if the Central Intelligence Agency wants to get into somebody's phone overseas, they can do it.

Now is there a difference between operating systems? Is there more of a vulnerability to Android than there is to iPhone?

I hear – again, not an expert – but I hear that there's more vulnerability to iPhone. But that might be because they are the ones that are targeted most often and that thousands of people are working on all the time.

Yeah, that was my question. What about one of those de-Googled Android phones that are becoming more –

Probably better, but I don't know.

You don't know. Because there's a lot of people that are swearing by those now that have moved to these operating systems that have been manipulated to the point where they don't send information, you can't get tracked, GPS doesn't work, all that stuff.

Yeah, it's good to have the least – the lowest number of apps you can have on a phone the better if you're talking about just using it for phone calls. The challenge I have – because I get – you can imagine every product is brought to me, usually given to me for free to try hoping that clients will want it or that my company will want it. I see everything. But the challenge is it's a moving target.
So if somebody says today, oh, we've got something great for such and such, two weeks later, people have been able – adversaries have been able to work on it and it's an arms race. And so it's sort of like saying, hey, I got this great new thing, you know, a catapult and I can throw fiery bombs over the wall of a castle. That's not so interesting anymore now that we have tanks. These things continue to evolve.

Do you anticipate there ever being a time where they can circumvent that and there will no longer be exploits like that? Or is this just a new reality that people have to live with?

I anticipated going in the other direction, which is that it becomes far more accessible for far more people and that anything we do online is subject to being intercepted and seen more and more. A lot of people – like I have clients who could be targeted by China, could be targeted by Russia, could be targeted by France, could be targeted by the United States, by other companies, by powerful adversaries. And they often say, well, I just treat every communication as if it could be heard. But the reality is that as human beings on a phone call, we are unguarded. You don't want to have a phone call with me or a conversation that's completely guarded or like this all the time. And so the reality is that this is going to be a vulnerability in people's lives, period. And it's going to expand.

Expand, sure. And do you think it's going to expand to the point where regular people have access to everyone else's phone and all their data?

I think it will expand to where motivated people and not governments could get access to other people's data. And there are even laws – there's some in the UK where why should people be able to have a secret encrypted communication? What are they trying to hide? Government is challenged by it, right?

Yeah, I've seen those.

People in power are challenged by that stuff.
And so, well, because we might want to have a communication that the government isn't part of. That would be the reason. But people in power don't like it. So slowly it will erode that way as well. And that's why we're here. And we're going to be here.