Questions linger over investigation into Jeff Bezos’ hacking

DUBAI, United Arab Emirates — Cybersecurity experts said Thursday there were still many unanswered questions from an investigation commissioned by Jeff Bezos that concluded the billionaire’s cellphone was hacked, apparently after receiving a video file with malicious spyware from the WhatsApp account of Saudi Arabia’s crown prince.

The experts said the evidence in the privately commissioned report does not show with certainty that Bezos’ phone was actually hacked, much less how it was compromised or what kind of malware was used.

The report on the investigation, which was managed by FTI Consulting and overseen by Anthony Ferrante, a former head of the FBI’s Cyber Division, was made public Wednesday.

In it, investigators said a digital forensic review concluded with “medium to high confidence” that Bezos’ phone was compromised via malware sent from a WhatsApp account used by Saudi Prince Mohammed bin Salman.

Two U.N. experts issued their own take on the report’s findings, calling on the U.S. to investigate further. They said it appeared the Amazon founder may have been targeted because of his ownership of The Washington Post, which was publishing reports critical of the crown prince by columnist Jamal Khashoggi.

Khashoggi was killed by Saudi agents inside the kingdom’s consulate in Turkey in October 2018, five months after Bezos’ phone was apparently hacked.

The report’s conclusions drew heavily from the unusually high volume of data that left Bezos’ iPhone X within 24 hours of receiving the video file from Prince Mohammed’s WhatsApp account on May 1, 2018, a month after the two exchanged phone numbers. The size of the file, the investigators suggested, indicated a malware payload may have been included.

The investigators said Bezos’ phone began transmitting large volumes of data — an increase of some 29,000% — after receiving the video file.

The report further pointed to messages later sent from the prince’s WhatsApp account to Bezos that showed “apparent awareness” of private information. One included a meme with a photo of a woman the report said resembled the woman Bezos was having an extramarital relationship with before going public with his divorce.

Another, sent two days after Bezos was briefed in phone calls last February about a Saudi online campaign against him, advised the technology mogul that what he was hearing was not true. “There is nothing against you or amazon from me or Saudi Arabia,” the message said.

The report additionally pointed to Saudi Arabia’s documented use of spyware against critics and other adversaries as further potential proof.

Saudi Foreign Minister Prince Faisal bin Farhan Al Saud called the allegations “purely conjecture” and said if there was real evidence, the kingdom looked forward to seeing it.

Cybersecurity experts said that while it was likely a hack occurred, the investigation did not prove that definitively.

“In some ways, the investigation is very incomplete. … The conclusions they’ve drawn I don’t think are supported by the evidence. They veered off into conjecture,” said Robert Pritchard, the director of U.K.-based consultancy Cyber Security Expert.

Similarly, the former chief security officer at Facebook, who now directs a cyber policy centre at Stanford, wrote that the report is filled with circumstantial evidence, but no smoking gun.

“The funny thing is that it looks like FTI potentially has the murder weapon sitting right there, they just haven’t figured out how to test it,” Alex Stamos wrote on Twitter.

One sticking point centred on WhatsApp’s end-to-end encryption, which the report said made it “virtually impossible to decrypt contents of the downloader to determine if it contained malicious code” — meaning the investigators could not conclude whether the video file sent from Prince Mohammed’s WhatsApp account was infected and used to hack Bezos’ phone.

Bill Marczak, a senior research fellow at Citizen Lab, disputed that assertion, saying it is possible to decrypt the contents of a WhatsApp file. In a post written for The Medium that presents ways to further the investigation, Marczak shared a link to decryption instructions and code.

The FTI investigators did not reach out to WhatsApp to seek assistance, a Facebook spokesperson said.

FTI’s Ferrante did not respond to emails and text messages seeking comment. The company said in a statement that all FTI’s work for clients is confidential and that the company does not “comment on, confirm or deny client engagements.”

Matt Suiche, a French entrepreneur based in Dubai who founded cybersecurity firm Comae Technologies, said the video file was presumably on the iPhone because the report showed a screenshot of it. If the file had been deleted, he said the report should have stated this or explained why it was not possible to retrieve it.

“They’re not doing that. It shows poor quality of the investigation,” Suiche said.

Still, security professionals and the report itself said the fact that investigators failed to identify any embedded malicious code does not mean there wasn’t a hack because sophisticated spyware can erase itself, leaving no trace.

Steve Morgan, founder and editor-in-chief at Cybersecurity Ventures, a cybersecurity research firm in New York, said the report makes reasonable assumptions and speculations, but does not claim 100% certainty or proof.

“Given their detailed analysis and all of the evidence they reviewed, their conclusions are reasonable,” Morgan said. “The tools they used, including forensic software and hardware from Cellebrite, are widely acknowledged to be amongst the best available,” he said.

Theresa Payton, founder and CEO of Fortalice Solutions, said the report is credible in her opinion, but leaves some questions unanswered, including whether the crown prince’s WhatsApp account may have been hacked by a third party, meaning he was not the true attacker.

“Unless Mohammed bin Salman has a thorough forensic review of dates, times, phone logs, geocoded locations, and logins, it’ll be hard to know for sure who was behind that WhatsApp message,” she said.
