How Saudi Arabia allegedly hacked Jeff Bezos
Saudi Arabia may have had some help when it allegedly hacked into Jeff Bezos’s personal iPhone. On Tuesday, The Guardian reported that a digital forensics examination commissioned by Bezos had accused Saudi Crown Prince Mohammed bin Salman of compromising the Amazon founder’s phone during a private WhatsApp conversation. Now, two United Nations human rights experts have called for an “immediate investigation,” pointing to the report’s finding that the intrusion was “likely” carried out with spyware tools made by companies such as NSO Group or Hacking Team.
The allegations have sparked fresh controversy for the Crown Prince and for NSO Group, a secretive Israeli firm whose flagship product, Pegasus, has been implicated in government surveillance of dissidents across the world. An NSO spokesperson told Fast Company last year that such allegations were “nothing more than an empty PR stunt to continue the propaganda drumbeat against NSO’s work helping intelligence agencies fight crime and terrorism around the globe.” Multiple cyber security experts say otherwise.
Whether NSO technology was behind the Bezos hack is unclear. The investigators have been unable to analyze the root file system of his iPhone, and NSO denies that its technology could have been used on U.S. phone numbers. But the basic details of the scandal offer lessons about the unregulated hacker-for-hire industry, the vulnerabilities of modern devices, and the lengths to which governments will go to silence their critics.
As my colleagues have previously reported, NSO’s spyware is capable of stealing data from many popular smartphones without a recipient so much as clicking a link. That appears to be what happened to Bezos when the Saudi Crown Prince, better known as MBS, sent him a WhatsApp message containing a mysterious video attachment. Within hours of the video file being sent, “a massive and unauthorized exfiltration of data from Bezos’s phone began,” according to the investigators’ analysis. The report claims the amount of data exiting his phone increased 29,000% and that it was “highly probable” that the file was the culprit.
The forensic report from FTI Consulting, which was commissioned by Bezos’s security team, is part of a broader investigation that the Washington Post owner launched last year, following an adultery scandal in which he accused the National Enquirer of attempting “extortion and blackmail,” over compromising photos he exchanged with his girlfriend Lauren Sanchez. The tabloid had also cited his private text messages in its reporting that Bezos had an affair with Sanchez. To determine how his texts were leaked, Bezos initially tapped security consultant Gavin de Becker, who then publicly blamed the Saudi government for the hack. “It’s clear that MBS considers the Washington Post to be a major enemy,” he wrote in the Daily Beast, suggesting that the Crown Prince was flexing his muscles after the high-profile murder of Jamal Khashoggi, a Post columnist and Saudi dissident.
Bezos received suspicious messages from MBS
Experts who spoke to Fast Company last year explained that even security-conscious Bezos would have struggled to defend himself against sophisticated state-backed hackers. Even if the Saudis didn’t use NSO technology—and the firm vigorously denies they were involved—the oil-rich kingdom would have no trouble purchasing so-called “zero-day” malware that could circumvent the iPhone’s security. These novel exploits, which are always evolving, are far too expensive for most fraudsters, costing upwards of $1 million on the black market. Of course, that’s pennies to a billionaire like MBS. (Haaretz reports that Saudi Arabia paid $55 million for NSO’s Pegasus 3 software in 2017.)
The details of the alleged hack attack describe how Bezos could have been compromised by a simple text. Bezos’s relationship with MBS was cordial following an early encounter at a dinner with a number of leading U.S. executives in Los Angeles in April 2018. After the dinner, where MBS sought to drum up investment in the kingdom, they exchanged numbers, and that same day, the crown prince initiated a WhatsApp conversation with Bezos. (MBS has also used WhatsApp to communicate with White House adviser Jared Kushner.)
On May 1, 2018, about a month after the dinner, Bezos received an unexpected message from MBS with a video attachment, which featured an image of Saudi and Swedish flags overlaid with Arabic text and which appeared to be about the telecommunications industry. WhatsApp’s encryption delayed or further prevented “study of the code delivered along with the video,” according to FTI investigators. The report did not say whether Bezos opened the file.
Within hours of the video file being sent, “a massive and unauthorized exfiltration of data from Bezos’s phone began, continuing and escalating for months,” according to the FTI report, which was obtained by Kim Zetter and Joseph Cox at Motherboard.
Months later, following Khashoggi’s murder and the Post’s subsequent investigations, MBS sent Bezos two WhatsApp messages suggesting he knew of the CEO’s private communications. On November 8, 2018—around the time that Bezos and his wife were communicating about a divorce—Bezos received a message from the MBS account that included a photo of a woman who resembled Lauren Sanchez. The caption read: “Arguing with a woman is like reading the software license agreement. In the end you have to ignore everything and click I agree.” On February 16, 2019, two days after Bezos received a briefing by phone about the Saudis’ online campaign against him, he received a new message from MBS, contending “there is nothing against you or Amazon from me or Saudi Arabia.”
The investigators found that Bezos’s phone normally sent about 430 KB of data per day, a typical level for an iPhone user. Within hours of receiving the WhatsApp video, that figure jumped to 126 MB, and the phone then averaged 101 MB of data egress per day in the following months.
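The figures above (a 430 KB/day baseline, a 126 MB day, then roughly 101 MB/day) are exactly the kind of signal a baseline-versus-spike check on outbound data volume is meant to catch. The following is an added example, not code from the article, from FTI Consulting or from any of the companies named: it takes per-day egress totals as a device-management or network-monitoring tool could record them, derives a baseline from a quiet window using the median, and flags days that exceed an assumed multiple of that baseline. The sample totals are constructed to mirror the report’s numbers and the 10x threshold and 14-day window are assumptions; the same logic applies to any device, not only the one in this story.

```python
"""Baseline-versus-spike check on daily outbound data volume.

Added example; not code from the original article or from FTI Consulting.
Input is a mapping of ISO date -> bytes sent that day.  A baseline is
taken from the earliest `window_days` days, and any later day above
`factor` x baseline is reported together with its percentage increase.
"""
from statistics import mean, median

KB = 1_000
MB = 1_000_000

# Constructed per-day egress totals in bytes (not the report's data).  The
# April days sit around the 430 KB/day baseline; May 1 carries the 126 MB
# spike and the following days hover around the 101 MB/day level.
SAMPLE_EGRESS = {
    "2018-04-17": 400 * KB, "2018-04-18": 455 * KB, "2018-04-19": 410 * KB,
    "2018-04-20": 460 * KB, "2018-04-21": 415 * KB, "2018-04-22": 450 * KB,
    "2018-04-23": 420 * KB, "2018-04-24": 445 * KB, "2018-04-25": 425 * KB,
    "2018-04-26": 440 * KB, "2018-04-27": 430 * KB, "2018-04-28": 435 * KB,
    "2018-04-29": 430 * KB, "2018-04-30": 430 * KB,
    "2018-05-01": 126 * MB,   # constructed: day the video message arrived
    "2018-05-02": 98 * MB, "2018-05-03": 104 * MB, "2018-05-04": 101 * MB,
}


def baseline_egress(egress, window_days=14):
    """Median daily egress over the earliest `window_days` days.

    The median rather than the mean keeps one noisy day (a large photo
    upload, an OS update) from dragging the baseline upward.
    """
    quiet_days = sorted(egress)[:window_days]
    return median(egress[d] for d in quiet_days)


def percent_increase(value, base):
    """Percentage growth of `value` relative to `base`."""
    return (value - base) / base * 100


def flag_egress_spikes(egress, window_days=14, factor=10):
    """Return {date: percent_increase} for every day above factor x baseline.

    `factor=10` is an assumed threshold; a real deployment would tune it
    against the normal day-to-day variance of its device population.
    """
    base = baseline_egress(egress, window_days)
    return {d: percent_increase(v, base)
            for d, v in egress.items() if v > factor * base}


def mean_egress_after(egress, first_flagged):
    """Average daily egress on the days after `first_flagged`.

    This is the sustained post-incident level, the number to compare with
    the report's '101 MB per day' rather than the single-day peak.
    """
    later = [v for d, v in egress.items() if d > first_flagged]
    return mean(later) if later else 0.0


if __name__ == "__main__":
    spikes = flag_egress_spikes(SAMPLE_EGRESS)
    first = min(spikes)
    print(f"baseline: {baseline_egress(SAMPLE_EGRESS) / KB:.0f} KB/day")
    for day, pct in sorted(spikes.items()):
        print(f"{day}: {SAMPLE_EGRESS[day] / MB:.0f} MB (+{pct:,.0f}%)")
    print(f"mean after {first}: {mean_egress_after(SAMPLE_EGRESS, first) / MB:.0f} MB/day")
```

Run against the constructed data, the May 1 day comes out at roughly a 29,200% increase over the 430 KB baseline, which is how a figure like the report’s “29,000%” is arrived at; the point of the median baseline and the multiplicative threshold is that such a check keeps working on devices whose normal volume is far higher than 430 KB/day.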
Investigators struggled to study the hack
Investigators hired by Bezos did not find any malicious code embedded in the video file. Because the video was sent using WhatsApp, it was “impossible to decrypt the contents of the downloader to determine if it contained any malicious code in addition to the delivered video.” FTI did not contact WhatsApp during its investigation, according to a person familiar with the issue who spoke to the Wall Street Journal. FTI did not respond to a request for comment.
The FTI report claims that the software used in the attack was procured by Saud al Qahtani, an advisor to MBS. He was also president and chairman of the Saudi Federation for Cybersecurity, Programming and Drones, and was known to procure hacking tools including those made by the Italian company Hacking Team.
The FTI report did not conclude which company was involved in the attack but said that advanced spyware, “such as NSO Group’s Pegasus or Hacking Team’s Galileo, can hook into legitimate applications and processes on a compromised device as a way to bypass detection and obfuscate activity in order to ultimately intercept and exfiltrate data,” according to Motherboard. “The success of techniques such as these is a very likely explanation for the various spikes in traffic originating from Bezos device.”
The investigators struggled to understand the attack in part because they apparently could not obtain the password for Bezos’s iTunes backup, according to Motherboard. Instead, they restored the device’s settings to factory defaults, thereby “removing the encryption password while preserving the file system and any relevant data and artifacts,” and they used a forensic device made by Cellebrite to examine the phone. To examine the root file system of Bezos’s phone, they would need to jailbreak it; otherwise, their findings are incomplete, security experts told Motherboard.
More evidence may be available on Amazon’s own servers. “The irony is that NSO Group uses Amazon Web Services to interact with WhatsApp’s APIs,” tweeted Alex Stamos, Facebook’s former head of security, on Tuesday. “So if NSO was behind the intrusion, then some of the key evidence is available to Bezos’s excellent AWS security team.” An Amazon spokesperson did not immediately respond to a request for comment.
U.N. experts call for limits on surveillance industry
The new analysis is “the first to directly implicate a WhatsApp account” used by MBS, according to the Financial Times. In a statement released this morning, Agnes Callamard, a UN specialist in extrajudicial killings who has been investigating Khashoggi’s murder, and David Kaye, an expert in human rights law, called for an “immediate investigation” by the United States and other countries into the allegations. They noted that the messages to Bezos came at the start of a two-month period in mid-2018 when at least four Saudi dissidents who were living abroad reported having their devices hacked.
“The information we have received suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post’s reporting on Saudi Arabia,” they wrote. “The allegations reinforce other reporting pointing to a pattern of targeted surveillance of perceived opponents and those of broader strategic importance to the Saudi authorities, including nationals and non-nationals.”
The surveillance of Bezos, they added, “allegedly through software developed and marketed by a private company and transferred to a government without judicial control of its use, is, if true, a concrete example of the harms that result from the unconstrained marketing, sale and use of spyware. Surveillance through digital means must be subjected to the most rigorous control, including by judicial authorities and national and international export control regimes, to protect against the ease of its abuse. It underscores the pressing need for a moratorium on the global sale and transfer of private surveillance technology.”
The Saudi Embassy in Washington rejected the new findings as “absurd” in a Twitter message, and called “for an investigation on these claims so that we can have all the facts out.”
In a statement, an NSO Group spokesperson told Fast Company that its technology “was not used in this instance.” They added that NSO technology cannot be used on U.S. phone numbers and that any suggestion to the contrary is “defamatory.”
At least one cyber security expert disagrees. John Scott-Railton, a researcher with watchdog Citizen Lab who has studied NSO for years, told Fast Company that in 2016 researchers used NSO’s Pegasus to infect a phone that was located in the United States. (Last year, Scott-Railton was the target of a surveillance campaign waged against some of NSO’s critics.) Bill Marczak, a senior research fellow at Citizen Lab, said that if there is a restriction on U.S. phones, users could still infect a device by sending a link through media other than a telephone number, such as through a messaging app.
NSO is the subject of a number of lawsuits alleging cybercrimes, including one filed this week by Amnesty International and one filed in October by Facebook, which alleges the firm’s software had been used to attack more than a thousand of its users.
[Embedded tweet from Jeff Bezos (@JeffBezos), January 22, 2020]
On Wednesday afternoon, Bezos appeared to respond to the UN experts’ statement on Twitter, where he posted a photo of himself at Khashoggi’s memorial service with the hashtag “#Jamal.”
This article has been updated.