WashU Expert: ‘Every application has its vulnerabilities’

Bezos may have ignored the simplest advice: Don’t open suspicious links or files

In the wake of the news that Jeff Bezos' phone was hacked, Joseph Scherrer, director of the Cybersecurity Strategic Initiative, says you should make your smartphone a hard target because “cybercriminals like to take the easy way in.”

You don’t have to be one of the wealthiest people in the world, or own one of the largest newspapers in the country, to be the target of a cyberattack.

But it certainly doesn’t hurt your chances.

The United Nations in a news release Jan. 22 said it had information suggesting that Crown Prince Mohammed bin Salman of the Kingdom of Saudi Arabia used the WhatsApp messaging app (owned by Facebook) to deploy spyware uploading large amounts of cellphone data from Jeff Bezos, who is Amazon’s CEO, owner of The Washington Post and one of the richest people in the world.

The attack on Bezos, allegedly using a video to deploy the malware, is not that unusual for leaders in industry or government, according to Joseph Scherrer, director of the Cybersecurity Strategic Initiative at the McKelvey School of Engineering at Washington University in St. Louis.

“Their wealth and influence makes them juicy targets,” he said, and mobile malware attacks, like the one perpetrated against Bezos, are only becoming more common.

Scherrer retired from the U.S. Air Force after a distinguished 24-year career that culminated as the commander of the Air Force’s only combat coded deployable communications wing.

“Research conducted by the cybersecurity firm Check Point found that mobile device attacks rose 50 percent in 2019 compared to the same time period in 2018,” said Scherrer, who is also the executive director of professional education at the McKelvey School of Engineering and program director of graduate studies in information systems management and cybersecurity management. “This trend is projected to continue into 2020.”

The U.N. suggests Bezos wasn’t targeted for money, but instead in an effort to “influence, if not silence, The Washington Post’s reporting on Saudi Arabia.” In general, illicit financial gain is the main reason for cyberattacks on mobile devices.

“Cybercriminals seek your login credentials for online banking apps and payment services such as Venmo, Apple Pay and Google Pay. They then use these credentials to gain access to your accounts and steal your money,” Scherrer said. “With nearly 3.5 billion smartphone users in the world today, that amounts to a lot of opportunity for cybercriminals.”

The apps on our phones are convenient and help us in our daily lives. However, “every application has its vulnerabilities,” Scherrer said. “Even if an app is patched or updated regularly, that still doesn’t mean that it’s secure. Both ‘white hat’ and ‘black hat’ hackers find vulnerabilities all the time. The problem is that black hat hackers use that knowledge for malevolent purposes.”

Scherrer suggests making your smartphone a hard target because, he said, “cybercriminals like to take the easy way in.”

He offers this advice:

  • Lock your device behind a strong passcode or using a biometric signature (fingerprint).

  • To add even more security to your locked device, use a second method of authentication, such as a Yubikey, for smartphones. These devices generate one-time passwords that make it extremely difficult for a potential hacker to bypass to gain access to your phone.

  • Don’t use the same password for multiple applications and accounts. Ideally, each password should be unique.

  • Encrypt the data on your phone. All major smartphone operating systems have this capability now.

  • Secure the WiFi connection on your phone using a virtual private network from your cellular provider.

  • Regularly back up your data to the cloud so that if your phone is compromised, you don’t lose your data. There are many mobile backup applications for Apple and Android that use the cloud to house your data in a safe and secure manner.

  • Finally, don’t open suspicious links or files that seem strange or from unusual sources.