The curious case of Jeff Bezos' phone hack

Malware allegedly attacked Jeff Bezos phone via a WhatsApp message from Saudi Crown Prince Mohammed bin Salman. But investigations reveal few clues.  

|
Alexander Zemlianichenko/AP
Saudi Arabia's Crown Prince Mohammed bin Salman speaks at a talk in Riyadh on Oct. 14, 2019. He is a suspect behind the hacking of Jeff Bezos' phone. United Nations experts called for an "immediate investigation" into the matter on Jan. 22, 2020.

United Nation's human rights experts are asking Washington to investigate a suspected Saudi hack that may have siphoned data from the personal smartphone of Jeff Bezos, Amazon founder and owner of The Washington Post. But the forensic evidence they cite comes from an incomplete study of Mr. Bezos's phone, raising multiple questions.

Here's a quick guide to what's known, and what remains unknown, about their findings.

What happened to Jeff Bezos' phone? 

According to a cybersecurity firm run by a former Obama administration official, evidence on the phone suggests it was infected by spyware in May 2018 via a WhatsApp message from the account of Saudi Crown Prince Mohammed bin Salman. That message included a video file that the firm's investigators say likely contained malware.

Mr. Bezos' personal security adviser had been advised in February 2019 to have the phone examined by an intelligence official who has not been named. Mr. Bezos went public with the suspected hack shortly thereafter, saying the National Enquirer tabloid had threatened to publish his private messages and photos.

Are the forensic findings conclusive? 

Not at all. Outside security researchers highlighted several issues with the forensics report by FTI Consulting, run by former Obama administration National Security Council cybersecurity official Anthony Ferrante.

For instance, the FTI report, dated November and obtained Wednesday by the Vice News site Motherboard, said researchers didn't find any malware on the phone, nor any evidence that Mr. Bezos' phone had surreptitiously communicated with known spyware command servers.

Further, an examination of the crucial root file system – where top-flight hackers often hide their malware – was still pending when the report was written. iPhone security expert Will Strafach, CEO of Guardian Firewall, said that if the FTI investigators didn't look at the root file system, they didn't do a thorough forensic exam.

"I think the U.N. intentions are good but the details really matter here and the public reporting falls short of any real firm smoking gun," said Mr. Strafach.

Other security experts questioned the FTI team's forensic chops, wondering on Twitter and in blog posts why it was unable to decrypt the software that would have delivered the malware payload along with the video file.

Alex Stamos of Stanford University tweeted: "The funny thing is that it looks like FTI potentially has the murder weapon sitting right there, they just haven't figured out how to test it."

Mr. Ferrante of FTI did not respond to emails and text messages seeking comment.

Could hackers have erased all evidence of intrusion? 

Absolutely, said Mr. Strafach. Elite hackers plant malware that erases itself after surreptitiously sending sensitive data to command servers.

"It scoops up everything they want and removes itself so there's no trace, no evidence," he said. "Anyone who knows what they are doing are going to cover up their tracks."

Sophisticated mobile spyware – such as a package called Pegasus, made by the Israeli hacker-for-hire company NSO Group – is designed to bypass detection and mask its activity. Saudi Arabia is reported to have used Pegasus against dissidents and human rights activists within weeks of the suspected Bezos hack.

On Wednesday, NSO Group "unequivocally" denied that its technology was used in the Bezos hack.

Why is the United Nations involved? 

One of the two U.N. officials seeking answers in the case, Agnes Callamard, focuses on extrajudicial killings and has already investigated the Saudi government's role in the October 2018 murder in Turkey of Saudi critic and Washington Post columnist Jamal Khashoggi.

The other, David Kaye, is the U.N. point person on free expression. He focuses on the growing and lawless use of malicious spyware to monitor and intimidate human-rights defenders and journalists.

Both are independent experts in the U.N.'s human rights arm, not employees of the international organization.

Are other public figures at risk? 

It's difficult to say at the moment. Prince Mohammed has attended gatherings with numerous U.S. entertainers, technology executives, and sports-team owners. A senior administration official, speaking on condition of anonymity to discuss internal matters, said Jared Kushner, a White House aide and son-in-law to President Donald Trump, has communicated with the crown prince via WhatsApp.

Why isn't the U.S. government more involved? 

A top U.S. Justice Department official, Adam S. Hickey, would not say whether federal investigators were looking into the allegations. Trump has been reluctant to condemn the Saudi prince over the Khashoggi killing and often expresses satisfaction with his government's purchases of U.S. weapons.

This story was reported by The Associated Press. AP writer Jonathan Lemire contributed from New York.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to The curious case of Jeff Bezos' phone hack
Read this article in
https://www.csmonitor.com/Technology/2020/0123/The-curious-case-of-Jeff-Bezos-phone-hack
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe