Jeff Bezos’ hacked iPhone had Apple’s vaunted security, and that may have helped its alleged hackers

A security report last week alleged that Amazon founder Jeff Bezos received a WhatsApp message laden with code that secretly hacked and snatched reams of personal data from his iPhone X. The message allegedly came from the crown prince of Saudi Arabia, Mohammed bin Salman.

Reed Albergotti, Craig Timberg, and Jay Greene for The Washington Post:

Security researchers say Bezos probably fell victim to the iPhone’s Achilles’ heel: Its defenses are so difficult to penetrate that once sophisticated attackers are in, they can go largely undetected. “A lot of Apple security is amazing and really benefits the average user, but once you’re a target of an advanced adversary or three letter agency, the advanced security of these devices can be used against you,” says Patrick Wardle, who worked for the National Security Agency and is now principal security researcher for Minneapolis-based software maker Jamf…

Apple recently announced changes to its bug bounty program, upping the maximum reward to $1.5 million. It also announced it would distribute special phones to security researchers that allow deeper access to the operating system…

Apple’s efforts to make it more difficult to penetrate its operating system may have helped reduce the number of bugs found on iOS, but it has also helped push some of that research underground… Meanwhile, a black market for iPhone bugs has flourished, researchers say, with companies springing up to offer hacking services to the government or, in some cases, anyone willing to pay.

MacDailyNews Take: Hopefully, Apple’s bug bounty program’s expansion will lead Apple to finding what must amount to a relative handful of very sophisticated exploits and eliminating them forever, starting with closing off whatever insecurity is obviously present in Facebook’s WhatsApp.

[Thanks to MacDailyNews Reader “Dale E.” for the heads up.]

26 Comments

  1. “Its defenses are so difficult to penetrate that once sophisticated attackers are in, they can go largely undetected.”

    It’s a feature!

    I won’t call Apple to task for being hacked. That would be wrong. That’s on the bad guys.

    But that’s some serious bullshit from Apple shills.

    1. That’s a nice straw man you’ve set up. Nobody is saying or has ever said Apple’s device security is perfect. What people have said is that Apple devices are more secure than alternatives and that is true. There is no debate on that statement. None. At. All. Can Apple devices be hacked? Yes. Are Apple devices safer and more secure than alternatives? Yes. You can’t argue out of one side of your mouth that Apple is the most locked down censored environment in existence and then argue out of the other side of your mouth that Apple is no more secure than anyone else. Those two arguments are contradictory. If you don’t understand why then you have no coding or software engineering experience or knowledge. Take it from an engineer. More open = more security vectors. As you’re fond of saying, it’s just math.

      1. You’re made of Straw. It is Apple that constantly touts its Security, it’s the authors that claimed it’s “so good it Hurt them”. And I did not tout anything about the alternatives.

        This is about Apple. They sell security, when that fails, they have failed.

        1. “You’re made of Straw.”

          Are you 12 years old?

          Yes Apple touts its security and uses security as a selling point, because Apple devices are more secure than other devices. No one is saying Apple hasn’t had or won’t continue to have security failures. Those failures will happen. That doesn’t change the mathematical fact that Apple devices are better when it comes to security. If you are better at something you should use that as a selling point and you should tell people about it.

        2. “Yes Apple touts its security and uses security as a selling point, because Apple devices are more secure than other devices.”

          Except when it fails, then security by censorship is the worst of both worlds.

        3. Do you have reading comprehension issues? I already said Apple security has failed in the past and will fail in the future. It isn’t possible for anyone to deliver a device which won’t have security failures.

          Your statement “security by censorship” proves beyond doubt that you have no credible experience or knowledge in software or hardware engineering.

          None of your straw man ramblings changes the fact that Apple devices are better when it comes to security. It’s just math.

    1. Yep! “Apple is too good at security, that’s how the hackers remained undetected”! Riiiight!
      I don’t know which is more BS… the belief that that statement can ever be true, or that it is true and people never suspected vulnerabilities.

  2. After having worked on an encrypted messaging system which had much in common with WhatsApp, I have to wonder what kind of sketchy crap WhatsApp (Facebook) was doing that would have put message payload in a position where it could be used as executable code. I wonder if they were using prohibited APIs and getting away with it because they’re Facebook.

  3. Three letter agencies — which country? Snowden showed us years ago that the largest U.S. companies were all sell-outs. Any notion that data on our devices or stored in the cloud are “secure” is an illusion. You will learn to love Big Brother.

  4. Applecynic (the real one, not his cowardly stalker) makes a good point. The main premise of having a walled garden in iOS is CONSTANTLY being defended by iOS fans as the only way to ensure top security. iOS fans contend that only Apple can possibly ensure app security.

    Funny, but the Mac offers better security and it doesn’t require Apple to snoop all app code and demand a 30% price markup before allowing users to access it.

    The security risk exposed here is enormous. The constant data flow between your app and its servers — something thin client OSes like iOS have to do because they are simply not designed to work on anything but the most trivial tasks without a constant internet connection. On the Mac, despite degradation over the years in many ways, the savvy user still has ultimate authority to see what background internet traffic is zipping back and forth (this is by default unannounced to the casual user on all modern OSes).

    To be truly secure, a platform should require all apps to register the valid server addresses, so unauthorized connections can be identified by the user and blocked. Enabling complete transparency of communications traffic to the user, and user ability to block them — something iOS and its derivatives have steadfastly refused to do — is the only real way to ensure that user data is going only where it should be going. Bezos only discovered the data theft after the fact using expensive forensic IT consultants. Apple should have enabled him to see IMMEDIATELY that gigabytes of data were going to an unwarranted hacker’s server. We have the technology, but the ad revenue is just too tempting, and thus most apps are constantly adding new ad servers all the time. Paid apps such as those on the Mac platform don’t have that problem. The never-ending marketing deluge that plagues mobile platforms can actually be monitored and controlled by a mere human user on a Mac.

    It’s just as much on Apple that they, the one and only anointed Gatekeepers of the iOS Platform, allow insecure crapware from Facebook to be distributed.

    Anyone who trusts that Apple security checks on iOS are adequate needs their head examined. iOS is only marginally more secure than Android because Apple’s automated app code checks are far from comprehensive. The same app from the same developer on iOS is just as vulnerable as the Android distribution. Yet Apple loves the income from crapware distributors like Facebook and data skimming junk from Google (the default search on iOS !?!?!?), so let’s drop the illusion that Apple today thinks first and foremost about the users’ security. Apple merely attempts, if it is convenient, to be a half step more secure than the competition (a low bar) for marketing purposes. True security — i.e., user control — would be too costly for Apple’s current beancounters to allow.

    1. Definitely agree that as long as data stays on the iOS device it’s probably secured like nothing else. Unfortunately, once you need to access any services outside of that device your data security drops like a rock, arguably not as far as other mobile OSes but a huge change in data security nonetheless.

      You could have the best secured fortress, but once you have to deal with a 3rd party delivery person to interact with the outside world anything that leaves is significantly less secure.

    1. Hi Jaye, dude is definitely good, I got him to hack your phone and… wow! amazing what you got on that thing, dude. Some bleach is required – for my eyes! He told me he was gonna start dumping screenshots at twitter dot com slash jayedre. SMH LOL WTF YOLO dude

    1. I contacted GoatSe-cure and he hacked me and stole my money and my wife and my iPhones and my life. Plus I saw pictures of Goatses everywhere I went, the guy was relentless and showed me the big one all the time. What a nightmare, stay away from Goatsescure unless you want a giant new one ripped for you down there.

    1. I got DarkCracker to hack Jaye Dre’s phone. He’s no relative of Dr Dre, it isn’t even his real name. Be aware that Jaye is a scammer of the highest order, so contact Jaye and FarkCracker only if you want to be ripped off and hacked yourself. Danger Dill Blobinson!
