Date: 2020-01-22

Amazon chief Jeff Bezos’s phone was infiltrated during a WhatsApp conversation with the Saudi crown prince, “most likely” using hacking tools made by cyberweapons companies such as NSO Group or Hacking Team, according to a new forensic report and the findings of a pair of UN investigators.

Exactly how it happened is still unclear—investigators have been unable to analyze the root file system of Bezos’s iPhone. But the basic details offer lessons in the unregulated hacker-for-hire industry, the vulnerabilities of modern devices, and the lengths to which governments will go to silence their critics.

NSO Group’s zero-click spyware is capable of stealing data from many popular smartphones, without a recipient so much as clicking or opening a link, and the Kingdom of Saudi Arabia was one of its users, paying $55 million to NSO in 2017, according to Haaretz. A spokesperson for the controversial Israel-based company told Fast Company that its weapons “are only used to investigate terror and serious crime,” but critics allege they have been used to track, imprison, and target political dissidents.

In a lawsuit, a Saudi dissident claimed that NSO’s software was used to track his communications with Jamal Khashoggi before his assassination in October 2018. The CIA and the UN have both concluded with high confidence that Saudi Crown Prince Mohammed bin Salman, known as MBS, was involved in the death of Khashoggi, a columnist for the Washington Post, which Bezos owns. After the paper reported on how a Saudi hit squad had killed Khashoggi, Bezos and the Post were targeted by a Saudi propaganda campaign.

The investigation into Bezos’s phone began last year, after the CEO alleged in a blog post that the National Enquirer was engaged in “extortion and blackmail.” The tabloid had cited his private text messages in reporting that Bezos had an affair with Lauren Sanchez. Bezos’s security consultant, Gavin De Becker, alleged in a subsequent Daily Beast article that Saudi Arabia was behind the hack, saying “it’s clear that MBS considers The Washington Post to be a major enemy.” Experts who spoke to Fast Company last year concurred that even security-conscious Bezos would have trouble defending against sophisticated state-backed hackers.

Bezos received suspicious messages from MBS

The new forensic analysis, conducted by business advisory firm FTI Consulting, and obtained by Kim Zetter and Joseph Cox at Motherboard, found:

Bezos’s relationship with Crown Prince MBS was cordial following an early encounter at a dinner with a number of leading U.S. executives in Los Angeles in April 2018. After the dinner, where MBS sought to drum up investment in the kingdom, they exchanged numbers, and that same day, the crown prince initiated a WhatsApp conversation with Bezos. (MBS has also used WhatsApp to communicate with White House adviser Jared Kushner.)

On May 1, 2018, about a month after the dinner, Bezos received an unexpected message from MBS with a video attachment, which featured an image of Saudi and Swedish flags overlaid with Arabic text and which appeared to be about the telecommunications industry. The file arrived with an encrypted downloader, which delayed or further prevented “study of the code delivered along with the video.” The report did not say whether Bezos opened the file.

Within hours of the video file being sent, “a massive and unauthorized exfiltration of data from Bezos’s phone began, continuing and escalating for months,” according to the investigators’ analysis. The report said the amount of data exiting his phone increased 29,000% and that it was “highly probable” that the file was the culprit.

On two subsequent occasions, MBS sent Bezos WhatsApp messages suggesting he knew of the CEO’s private communications.

On November 8, 2018—around the time that Bezos and his wife were communicating about a divorce—Bezos received a message from the MBS account that included a photo of a woman who resembled Lauren Sanchez. The caption read: “Arguing with a woman is like reading the software license agreement. In the end you have to ignore everything and click I agree.”

On February 16, 2019, two days after Bezos received a briefing by phone about the Saudis’ online campaign against him, he received a new message from MBS, contending “there is nothing against you or Amazon from me or Saudi Arabia.”

The investigators found that Bezos’s phone normally sent about 430 KB of data per day, which is typical of an iPhone user. Within hours of receiving the WhatsApp video, that number jumped to 126 MB, and the phone maintained an average of 101 MB of data egress per day in the following months.

The report says the software used in the attack was procured by Saud al Qahtani, an advisor to MBS. He was also president and chairman of the Saudi Federation for Cybersecurity, Programming and Drones and was known to procure hacking tools including those made by the Italian company Hacking Team.

Investigators struggled to study the hack

The investigators did not find any malicious code embedded in the video file and discovered that the video was sent using an encrypted downloader hosted on WhatsApp’s media server, making it “impossible to decrypt the contents of the downloader to determine if it contained any malicious code in addition to the delivered video.” FTI did not respond to a request for comment.

The report did not conclude which company was involved but said that advanced spyware, “such as NSO Group’s Pegasus or Hacking Team’s Galileo, can hook into legitimate applications and processes on a compromised device as a way to bypass detection and obfuscate activity in order to ultimately intercept and exfiltrate data,” according to Motherboard. “The success of techniques such as these is a very likely explanation for the various spikes in traffic originating from Bezos device.”

The investigators struggled to understand the attack in part because they apparently could not obtain the password for Bezos’s iTunes backup, according to Motherboard. Instead, they restored the device’s settings to factory defaults, thereby “removing the encryption password while preserving the file system and any relevant data and artifacts,” and they used a forensic device made by Cellebrite to examine the phone. To examine the root file system of Bezos’s phone, they would need to jailbreak it; otherwise, their findings are incomplete, security experts told Motherboard.

More evidence may be available on Amazon’s own servers: “The irony is that NSO Group uses Amazon Web Services to interact with WhatsApp’s APIs,” tweeted Alex Stamos, Facebook’s former head of security, on Tuesday. “So if NSO was behind the intrusion, then some of the key evidence is available to Bezos’s excellent AWS security team.” An Amazon spokesperson did not immediately respond to a request for comment.

The new analysis is “the first to directly implicate a WhatsApp account” used by MBS, according to the Financial Times. In a statement released this morning, Agnes Callamard, a UN specialist in extrajudicial killings who has been investigating Khashoggi’s murder, and David Kaye, an expert in human rights law, call for an “immediate investigation” by the United States and other countries into the allegations. They noted that the messages to Bezos came at the start of a two-month period in mid-2018 when at least four Saudi dissidents who were living abroad reported having their devices hacked.