Questions linger over investigation into Jeff Bezos’ hacking

DUBAI, United Arab Emirates — Cybersecurity experts said Thursday there were still many unanswered questions from an investigation commissioned by Jeff Bezos that concluded the billionaire’s cellphone was hacked, apparently after receiving a video file with malicious spyware from the WhatsApp account of Saudi Arabia’s crown prince.

The experts said the evidence in the privately commissioned report does not show with certainty that Bezos’ phone was actually hacked, much less how it was compromised or what kind of malware was used.

The report on the investigation, which was managed by FTI Consulting and overseen by Anthony Ferrante, a former head of the FBI’s Cyber Division, was made public Wednesday.

In it, investigators said a digital forensic review concluded with “medium to high confidence” that Bezos’ phone was compromised via malware sent from a WhatsApp account used by Saudi Prince Mohammed bin Salman.

Two U.N. experts issued their own take on the report’s findings, calling on the U.S. to investigate further. They said it appeared the Amazon founder may have been targeted because of his ownership of The Washington Post, which was publishing reports critical of the crown prince by columnist Jamal Khashoggi.

Khashoggi was killed by Saudi agents inside the kingdom’s consulate in Turkey in October 2018, five months after Bezos’ phone was apparently hacked.

The report’s conclusions drew heavily from the unusually high volume of data that left Bezos’ iPhone X within 24 hours of receiving the video file from Prince Mohammed’s WhatsApp account on May 1, 2018, a month after the two exchanged phone numbers. The size of the file, the investigators suggested, indicated a malware payload may have been included.

The investigators said Bezos’ phone began transmitting large volumes of data — an increase of some 29,000% — after receiving the video file.

The report further pointed to messages later sent from the prince’s WhatsApp account to Bezos that showed “apparent awareness” of private information. One included a meme with a photo of a woman the report said resembled the woman Bezos was having an extramarital relationship with before going public with his divorce.

Another, sent two days after Bezos was briefed in phone calls last February about a Saudi online campaign against him, advised the technology mogul that what he was hearing was not true. “There is nothing against you or amazon from me or Saudi Arabia,” the message said.

The report additionally pointed to Saudi Arabia’s documented use of spyware against critics and other adversaries as further potential proof.

Saudi Foreign Minister Prince Faisal bin Farhan Al Saud called the allegations “purely conjecture” and said if there was real evidence, the kingdom looked forward to seeing it.

Cybersecurity experts said that while it was likely a hack occurred, the investigation did not prove that definitively.

“In some ways, the investigation is very incomplete. … The conclusions they’ve drawn I don’t think are supported by the evidence. They veered off into conjecture,” said Robert Pritchard, the director of U.K.-based consultancy Cyber Security Expert.

Similarly, the former chief security officer at Facebook, who now directs a cyber policy centre at Stanford, wrote that the report is filled with circumstantial evidence, but no smoking gun.

“The funny thing is that it looks like FTI potentially has the murder weapon sitting right there, they just haven’t figured out how to test it,” Alex Stamos wrote on Twitter.

One sticking point centred on WhatsApp’s end-to-end encryption, which the report said made it “virtually impossible to decrypt contents of the downloader to determine if it contained malicious code” — meaning the investigators could not conclude whether the video file sent from Prince Mohammed’s WhatsApp account was infected and used to hack Bezos’ phone.

Bill Marczak, a senior research fellow at Citizen Lab, disputed that assertion, saying it is possible to decrypt the contents of a WhatsApp file. In a post written for The Medium that presents ways to further the investigation, Marczak shared a link to decryption instructions and code.

The FTI investigators did not reach out to WhatsApp to seek assistance, a Facebook spokesperson said.

FTI’s Ferrante did not respond to emails and text messages seeking comment. The company said in a statement that all FTI’s work for clients is confidential and that the company does not “comment on, confirm or deny client engagements.”

Matt Suiche, a French entrepreneur based in Dubai who founded cybersecurity firm Comae Technologies, said the video file was presumably on the iPhone because the report showed a screenshot of it. If the file had been deleted, he said the report should have stated this or explained why it was not possible to retrieve it.

“They’re not doing that. It shows poor quality of the investigation,” Suiche said.

Still, security professionals and the report itself said the fact that investigators failed to identify any embedded malicious code does not mean there wasn’t a hack because sophisticated spyware can erase itself, leaving no trace.

Steve Morgan, founder and editor-in-chief at Cybersecurity Ventures, a cybersecurity research firm in New York, said the report makes reasonable assumptions and speculations, but does not claim 100% certainty or proof.

“Given their detailed analysis and all of the evidence they reviewed, their conclusions are reasonable,” Morgan said. “The tools they used, including forensic software and hardware from Cellebrite, are widely acknowledged to be amongst the best available,” he said.

Theresa Payton, founder and CEO of Fortalice Solutions, said the report is credible in her opinion, but leaves some questions unanswered, including whether the crown prince’s WhatsApp account may have been hacked by a third party, meaning he was not the true attacker.

“Unless Mohammed bin Salman has a thorough forensic review of dates, times, phone logs, geocoded locations, and logins, it’ll be hard to know for sure who was behind that WhatsApp message,” she said.
