A digital forensic analysis conducted by Anthony Ferrante of business advisory firm FTI Consulting concludes with “medium to high confidence” that Amazon CEO Jeff Bezos’ smartphone was hacked through a malicious file sent from the WhatsApp account of Saudi Arabian crown prince Mohammed bin Salman.
The malware was in an MP4 file attached to a WhatsApp message.
FTI Consulting forwarded its findings to United Nations special rapporteurs who released technical elements of the report.
Rapporteurs investigate the promotion and protection of freedom of opinion and expression, among other things.
FTI Consulting declined our request to comment for our story, stating that all client work is confidential.
Saudi Arabia’s embassy in the United States has denied the allegations.
Element of Uncertainty
The reason FTI qualified its conclusion likely is because “computer forensics isn’t always an exact science, and the experts might be limited by the data and evidence they have in hand,” said Tim Erlin, VP of product management and strategy at Tripwire.
“There may also be unanswered questions or alternatives to consider,” he told TechNewsWorld.
FTI’s conclusion “suggests they have a sequence of events that makes it likely that the video attachment carried malware, but they either didn’t prove causality or can’t be sure the crown prince created the hack as opposed to his just forwarding a compromised email,” suggested Rob Enderle, principal analyst at the Enderle Group.
“It rarely gets stronger than this unless the alleged perpetrator confesses, or the intelligence organization gets access to the entire chain of evidence,” he told TechNewsWorld.
The malware “appears to have had a self-destruct built in, making it impossible to have 100 percent concrete proof,” noted Liz Miller, principal analyst at Constellation Research.
FTI’s investigators “did not find even remnants of the malware code on the device, but did find a file with an encrypted downloader that had been delivered with the video,” she told TechNewsWorld.
WhatsApp, which hosted the downloader, has end-to-end encryption, which prevents investigators from accessing the downloader’s contents or code, Miller pointed out.
Chain of Events
The prince initiated a WhatsApp messaging conversation with Bezos on April 28, 2018, after they met at a dinner in Hollywood.
On May 1 Bezos received a message with a video attachment from the prince’s WhatsApp account.
Within hours, the volume of data transmitted from Bezos’ phone skyrocketed by 30,000 percent, FTI found. Data spiking continued over several months, at rate as much as 106 million percent higher than before the video was received.
“How did it take months for this to be noticed?” wondered Constellation’s Miller.
FTI found that on two later occasions the prince sent messages to Bezos that suggested he had knowledge of his private communications:
- One, on November 8, 2018, included a photo of a woman strongly resembling Lauren Sanchez, whom Bezos was dating;
- The other was sent February 16, 2019, two days after Bezos had participated in phone conversations about the Saudis’ alleged online campaign against him.
The UN special rapporteurs have linked the hack of Bezos’ smartphone to stories in his newspaper, The Washington Post, about the role of the Saudi prince and the Saudi government in the murder of Post journalist Jamal Khashoggi.
“I can’t remember how many times in the past decade I’ve read something about a critical security flaw in WhatsApp that allows access to users’ phones,” remarked Oliver Münchow, founder of security awareness and training company Lucy Security.
“I’m surprised no one told Jeff not to use it after its history of epic security fails,” he told TechNewsWorld.
The malware used was “most likely mobile spyware such as NSO Group’s Pegasus, or, less likely, Hacking Team’s Galileo,” FTI’s analysis suggests.
The Saudi Royal Guard acquired Pegasus-3 spyware from NSO Group, an Israel-based firm, FTI found. The spyware also was used against Saudi dissidents.
Pegasus spreads through malicious links “often sent through chat apps like WhatsApp and Messenger,” said Paul Bischoff, privacy advocate at Comparitech.
“Once on a device, the malware jailbreaks iPhones so that it can track phone calls, texts, keystrokes and location, and access the phone’s microphone and camera. It also affects Android phones,” he told TechNewsWorld.
Consumers “must maintain a healthy sense of paranoia when it comes to links and attachments,” said Rosa Smothers, senior VP of cyber operations at KnowBe4.
“Think before you click on any links or attachments sent to you,” she told TechNewsWorld. “Were you expecting the email or attachment? If your spidey sense tingles, call the sender and confirm they sent it.”
That said, “security always ranks high on surveys of the things consumers want, but no one is ever willing to pay for it,” remarked Jim McGregor, principal analyst at Tirias Research. “As a result, it’s never a priority.”
Security also is challenging because of the rapid pace of technology, he told TechNewsWorld. “Artificial intelligence should eventually improve security, but nothing will ever be 100 percent secure.”
Aftermath of the Hack
The UN rapporteurs have called for an investigation into the hack and said the use of WhatsApp as a platform to enable installation of Pegasus onto devices has been well documented.
Meanwhile, Facebook and WhatsApp have filed suit against NSO Group Technologies in a U.S. federal court, and a court in Israel has begun hearings to determine whether the NSO Group should have its export license revoked.
NSO has denied allegations against it.
“If someone with Bezos’ power and position is a target, it doesn’t bode well for anyone who doesn’t have that level of protection,” Enderle observed. “It makes you wonder how many other U.S. citizens are being spied on like this by a hostile state.”