The news that Saudi Crown Prince Mohammed bin Salman personally sent malware to Amazon CEO Jeff Bezos, which led to the compromise of massive amounts of data from Bezos’ phone, has taken the tech world by storm. While the spotlight has been focused on the plot’s outlandishness, in recent days the attention has shifted to WhatsApp, the app used to send the malware, and its parent company, Facebook.
Facebook Vice President of Global Affairs and Communications, Nick Clegg, was asked about the Bezos incident in a recent interview with the BBC. While Clegg probably intended to shed light on the issue, he ended up giving a rambling and confusing answer that only managed to do one thing: say it wasn’t WhatsApp fault because end-to-end encryption is unhackable and pin the blame on Apple’s operating system.
"We're as sure as you can be that the technology of end-to-end encryption cannot be hacked into" – Facebook's @nick_clegg says he's "very, very confident" that Jeff Bezos wasn't hacked via Whatsapp #r4Today | @MishalHusain | https://t.co/NHsmYG4H4W pic.twitter.com/E4Cf4h1Viu
— BBC Radio 4 Today (@BBCr4today) January 24, 2020
“It sounds like something on the, you know, what they call the operate, operated on the phone itself,” Clegg said. “It can’t have been anything on the, when the message was sent, in transit, because that’s end-to-end encrypted on WhatsApp.”
Clegg went on to compare the hack to opening a malicious email, saying that, “It only comes to life when you open it.” That’s not entirely accurate, by the way, given that nowadays, in general, your device can’t get infected by simply opening an email (unless your email client allows scripting.) Email hacks often involve clicking on malicious links or downloading infected attachments.
Of course, Clegg could have meant that your device can get compromised when you click on a file, but that’s not clear given his answer.
Facebook’s policy chief added that “something” must have affected the phone’s operating system. According to a technical report on the hack, Bezos’ was using an iPhone X when he received a suspicious video file from the Saudi prince on WhatsApp, which investigators later determined was the source of the malware.
When asked how he could be sure of his statements, Clegg fumbled again but managed to get out that it’s because end-to-end encryption is unhackable.
“As sure as you can be that the technology of end-to-end encryption cannot, other than unless you have handset, or you have the message at either end, cannot be hacked into,” he said.
Some members of the technology community have criticised Clegg’s response to the Bezos hack. According to the BBC, cybersecurity researchers pointed to two WhatsApp security flaws in 2019 to demonstrate that the messaging app wasn’t infallible. In one case, hackers developed malware that was activated when attackers called another person via WhatsApp. Facebook later sued the Israeli-based NSO Group, which is accused of making the malware.
In another case, hackers found a security flaw that could have let them access people’s messages by sending a malicious video file.
This isn’t the first time Facebook has blamed operating systems for the hack this week. During an interview with Bloomberg, Nicola Mendelsohn, Facebook’s vice president for Europe, the Middle East, and Africa, said that the Bezos hack highlights one of the “potential underlying vulnerabilities that exist on the actual operating systems on phones.”
Apple declined to comment on Facebook’s statements.
Although Facebook has not named Apple specifically in the comments made by Clegg and Mendelsohn, the report revealing that Bezos was using an iPhone X was published by news outlets before both made their comments.
The role of WhatsApp in the Bezos hack is the latest chapter of a story that can sometimes resemble an alarming and tragic TV drama. Experts believe that Bezos was targeted by Saudi Arabia because he is the owner of the Washington Post, which published critical articles about the crown prince. The author of those articles was Jamal Khashoggi, who was killed by the Saudi government in 2018.
Saudi Arabia has denied claims that bin Salman was behind the Bezos hack. It has called for an investigation concerning the accusations.