The forensic details of Amazon CEO and founder Jeff Bezos’ phone hacking from 2018 have been made public as part of a report by the United Nations. UN human rights experts said that Bezos’ iPhone was compromised after receiving a video file on WhatsApp. The video was sent from a WhatsApp account used by Crown Prince of Saudi Arabia Prince Mohammad Bin Salman. Saudi Arabia on its part has denied the charge that the Crown Prince sent the message.
The use of NSO Group’s Pegasus-3 or the Italy-based Hacking Team’s Galileo malware is suspected in this case of illegal surveillance. NSO Group has so far denied the charge. Bezos’ phone was examined by cyber-security experts at FTI Consulting, hired by the Amazon founder to conduct a forensic analysis of the device. Details of the FTI report have been published by Motherboard.
The Guardian first reported the issue, though Bezos’ security team had suspected a Saudi link back in 2019. According to the UN human rights experts, the incident is a serious “contravention of fundamental international human rights standards,” and there are calls for a full-fledged investigation into it.
While Amazon is yet to issue a statement, Bezos later tweeted a photo remembering slain Washington Post journalist Jamal Khashoggi, who was killed by Saudi agents in the Saudi consulate in Istanbul, Turkey. Khashoggi was a vociferous critic of the Saudi Crown Prince. Bezos also owns The Post.
The UN report also says the surveillance was part of the Crown Prince’s efforts to silence The Washington Post’s reporting on Saudi Arabia, which has been critical of him in particular.
“The alleged hacking of Mr Bezos’ phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents. This reported surveillance of Mr Bezos, allegedly through software developed and marketed by a private company and transferred to a government without judicial control of its use, is, if true, a concrete example of the harms that result from the unconstrained marketing, sale and use of spyware,” the independent UN experts said in a statement.
According to Motherboard, an initial analysis of the phone did not confirm any malware. However, a video that was sent by the Saudi Crown Prince was seen as a suspicious file. This video looked like an Arabic language promotional film about telecommunications. The thumbnail of the video had flags of Saudi Arabia and Sweden.
The forensic analysis report shows that the phone’s behaviour changed drastically after the WhatsApp video was received. This is being taken as evidence that malware was delivered with the video file.
FTI has said that because the video’s downloader was encrypted and could not be decrypted, it was unable to identify the exact malware used. This has raised questions about the strength of the report’s evidence, with other cyber-security experts asking why the downloader could not be decrypted.
But it was clear that once Bezos received the video on his iPhone, the phone started behaving abnormally, with a 29,156 per cent jump in data egress (data transferred out of the device), according to the FTI report.
It says, “A timeline analysis of cellular data originating from Bezos’ iPhone X reveals a 29,156 percent increase in unauthorized egress data within hours of the video’s delivery. There were also several additional notable spikes in egress data following the initial spike on May 2, 2018, ranging from 221MB through a highly atypical 4.6GB.” The spyware likely stole gigabytes worth of information from Bezos’ phone over the months.
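The figure quoted above is a baseline-versus-spike comparison over per-day cellular egress, which is the kind of timeline check an analyst runs on carrier or device traffic records. The following is an added example, not code from the FTI report or from the article: it computes a mean egress baseline over the days before the video arrived, expresses every later day as a percentage increase over that baseline, and flags days above a threshold. The daily byte counts are constructed for the illustration (chosen so the first spike lands near the 29,156 per cent figure and later spikes match the 221MB and 4.6GB mentioned); they are not the report’s data.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sample (not data from the FTI report): daily cellular egress in
 * bytes for one device. Days 0-4 are quiet; day 5 is the first day after the
 * video arrives; later days carry spikes of the sizes the report describes. */
#define DAYS 10
static const double SAMPLE_EGRESS_BYTES[DAYS] = {
    430e3, 410e3, 450e3, 440e3, 420e3,  /* baseline window */
    125.8e6,                            /* first spike */
    480e3, 221e6, 460e3, 4.6e9          /* quiet, 221MB, quiet, 4.6GB */
};

/* Mean egress over the first baseline_days samples: the device's "normal". */
double egress_baseline(const double *bytes, size_t baseline_days) {
    double sum = 0.0;
    for (size_t i = 0; i < baseline_days; i++) sum += bytes[i];
    return baseline_days ? sum / (double)baseline_days : 0.0;
}

/* Percent increase of one sample relative to the baseline. A zero baseline
 * yields +inf, so callers should treat a silent device as a special case. */
double egress_pct_increase(double value, double baseline) {
    return (value - baseline) / baseline * 100.0;
}

/* Flag every post-baseline day whose egress exceeds the baseline by more than
 * threshold_pct. Flagged day indices go to out (if non-NULL, up to max_out);
 * the return value is the total number of flagged days. */
size_t egress_flag_spikes(const double *bytes, size_t n, size_t baseline_days,
                          double threshold_pct, size_t *out, size_t max_out) {
    double base = egress_baseline(bytes, baseline_days);
    size_t count = 0;
    for (size_t i = baseline_days; i < n; i++) {
        if (egress_pct_increase(bytes[i], base) > threshold_pct) {
            if (out && count < max_out) out[count] = i;
            count++;
        }
    }
    return count;
}

int main(void) {
    size_t flagged[DAYS];
    double base = egress_baseline(SAMPLE_EGRESS_BYTES, 5);
    size_t n = egress_flag_spikes(SAMPLE_EGRESS_BYTES, DAYS, 5, 1000.0,
                                  flagged, DAYS);
    printf("baseline: %.0f bytes/day\n", base);
    for (size_t i = 0; i < n; i++)
        printf("day %zu: %.0f bytes (+%.0f%%)\n", flagged[i],
               SAMPLE_EGRESS_BYTES[flagged[i]],
               egress_pct_increase(SAMPLE_EGRESS_BYTES[flagged[i]], base));
    return 0;
}
```

The threshold of 1000 per cent is an assumption for the demo; in practice the baseline window should be long enough to absorb normal variance (app updates, backups), and a flagged day is a lead to correlate with message timestamps, not proof of exfiltration on its own.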
According to the experts, the forensic analysis showed that the spyware most likely used was NSO Group’s Pegasus-3 or Hacking Team’s Galileo. Amnesty International had previously reported that two of its Saudi Arabia workers were targeted with NSO’s Pegasus-3, which the kingdom has purchased.
The UN report’s timeline also notes that Facebook had itself acknowledged in November 2019 that a malicious MP4 video file could be used to exploit a user’s phone through WhatsApp.
The UN report also lists a timeline of events, which points out that Bezos attended a dinner with the Crown Prince on April 4, 2018, during which they exchanged phone numbers for their WhatsApp accounts. The malicious message was sent to Bezos on May 1, 2018, according to this timeline.
On November 8, 2018, the Crown Prince appeared to taunt Bezos by sending him a photo with an offensive caption on WhatsApp. The photo resembled Lauren Sanchez, Bezos’ current girlfriend, though the affair was not yet public.
The caption read, “Arguing with a woman is like reading the Software License Agreement. In the end you have to ignore everything and click I agree.” The incident is also mentioned in the FTI report.
NSO Group has denied the use of Pegasus to hack into Bezos’ phone. In a statement posted on their website, the company said they were “shocked and appalled by the story that has been published with respect to alleged hacking of the phone of Mr Jeff Bezos.”
Further, the statement adds that “if this story is true, then it deserves a full investigation by all bodies providing such services to assure that their systems have not been used in this abuse.”
According to the company, such abuse of a surveillance system would “blacken the eye of the cyber intelligence community and put a strain on the ability to use legitimate tools to fight serious crime and terror.”
NSO has always insisted that its software is only to be used to track criminals and terrorists. The statement adds, “These type of stories highlight the need for the surveillance community to follow our lead and implement strict Human Rights Policies and to act in a compliant manner.”
The group also said they are willing to engage with the UN, Bezos and any other body to “fully understand these issues and to set guidelines and capabilities to assure the protection of human rights in the sale and use of surveillance equipment.”
In November 2019, Facebook had confirmed vulnerability CVE-2019-11931: a specially crafted MP4 file sent to a WhatsApp user could trigger a stack-based buffer overflow. A stack-based overflow lets an attacker overwrite data that sits next to the vulnerable buffer on the stack, which can be turned into control of the program and, from there, of the phone or computer running it.
Facebook acknowledged that the flaw could result in Denial of Service (DoS) or Remote Code Execution (RCE). RCE allows an attacker to run malicious code on the target, reading and changing data on the infected device; in effect it can hand the attacker full control of the device.
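To make the bug class concrete, here is an added example (illustrative code written for this page, not WhatsApp’s parser and not the actual CVE-2019-11931 code path, whose details the article does not give). MP4 files are a sequence of boxes, each starting with a 4-byte big-endian size and a 4-byte type. The unchecked parser copies a box payload into a fixed-size stack buffer using the size the file declares, so a crafted box that declares more than the buffer holds overwrites the stack; the checked parser validates the declared size against both the input length and the buffer before copying. The box contents and the 64-byte buffer size are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Largest payload the parser keeps on its stack frame (assumed for the demo). */
#define MAX_PAYLOAD 64

/* Constructed benign sample: a 16-byte 'ftyp' box (4-byte big-endian size,
 * 4-byte type, then 8 bytes of payload). */
static const uint8_t BENIGN_BOX[16] = {
    0x00, 0x00, 0x00, 0x10, 'f', 't', 'y', 'p',
    'i', 's', 'o', 'm', 0x00, 0x00, 0x02, 0x00
};

/* Constructed crafted sample: a box that declares, and really carries, 248
 * bytes, so a parser that copies "size - 8" bytes into a 64-byte stack buffer
 * writes 176 bytes past its end. The box type is arbitrary for the demo. */
#define CRAFTED_LEN 248
size_t make_crafted_box(uint8_t out[CRAFTED_LEN]) {
    out[0] = 0x00; out[1] = 0x00; out[2] = 0x00; out[3] = CRAFTED_LEN;
    memcpy(out + 4, "mdat", 4);
    memset(out + 8, 'A', CRAFTED_LEN - 8);
    return CRAFTED_LEN;
}

/* MP4 box headers are big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE: trusts the box's declared size as the copy length. With
 * size > 8 + MAX_PAYLOAD the memcpy runs off the end of 'payload' and over
 * whatever the compiler placed above it in the frame (saved registers, the
 * return address): a stack-based buffer overflow. size < 8 is worse still,
 * because size - 8 wraps to a huge unsigned value. Returns payload length. */
int parse_box_unchecked(const uint8_t *buf, size_t len) {
    uint8_t payload[MAX_PAYLOAD];
    if (len < 8) return -1;
    uint32_t size = be32(buf);            /* attacker-controlled */
    memcpy(payload, buf + 8, size - 8);   /* no bound against MAX_PAYLOAD or len */
    return (int)(size - 8);
}

/* HARDENED: the declared size must cover its own header, must not exceed the
 * bytes actually present, and the payload must fit the stack buffer; only then
 * is anything copied. Returns payload length, or -1 on rejection. On success
 * the 4-character box type is written to type_out (if non-NULL). */
int parse_box_checked(const uint8_t *buf, size_t len, char type_out[5]) {
    uint8_t payload[MAX_PAYLOAD];
    if (len < 8) return -1;                 /* not even a full header */
    uint32_t size = be32(buf);
    if (size < 8) return -1;                /* would underflow size - 8 */
    if (size > len) return -1;              /* truncated, or lying about length */
    if (size - 8 > MAX_PAYLOAD) return -1;  /* would overflow the stack buffer */
    memcpy(payload, buf + 8, size - 8);
    if (type_out) { memcpy(type_out, buf + 4, 4); type_out[4] = '\0'; }
    return (int)(size - 8);
}

/* Runs the hardened parser on the crafted sample and returns its verdict. */
int crafted_box_verdict(void) {
    uint8_t crafted[CRAFTED_LEN];
    size_t n = make_crafted_box(crafted);
    return parse_box_checked(crafted, n, NULL);
}

int main(void) {
    char type[5];
    int n = parse_box_checked(BENIGN_BOX, sizeof BENIGN_BOX, type);
    printf("benign box: %d payload bytes, type %s\n", n, type);
    printf("crafted box: verdict %d (rejected)\n", crafted_box_verdict());
    /* parse_box_unchecked on the crafted box is deliberately not called:
     * it would smash this frame. */
    return 0;
}
```

Two caveats for anyone adapting this: in the ISO base media format a declared size of 0 means "extends to end of file" and 1 means a 64-bit size follows, and the checked parser above simply rejects both rather than handling them; and rejecting an oversized box is only one defence, since in a real build a stack canary, non-executable stack and address-space randomisation are what stand between an overflow like this and the remote code execution the advisory warns of.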
Facebook had said that the issue impacted Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.
It had asked users to update their apps in order to make sure they were not impacted by the vulnerability. In a statement, WhatsApp had also said there was no reason to believe users were impacted.