If Saudi Arabia did hack Jeff Bezos, this is probably how it went down

Whoever hacked Jeff Bezos hid their tracks remarkably well. Here's everything we know


23 Jan 2020

Bezos launches the Amazon Fire Phone in 2014, which turned out to be a huge flop

Getty Images / David Ryder / Stringer

The world's richest man has a lot to lose but can seemingly be tricked in the same way as anyone else. On Wednesday evening it emerged that the iPhone X of Amazon CEO Jeff Bezos may have been targeted by a Saudi intelligence operation.

A report in The Guardian claims that Bezos's phone was compromised after he was sent a spyware-laden video file on WhatsApp. The cover image of the video featured a split screen with the Saudi Arabian flag on one side and the Swedish flag on the other.

The most explosive claim? The malicious message was sent from the personal WhatsApp account of the crown prince of Saudi Arabia, Mohammed bin Salman (often known as MBS). The alleged incident happened on May 1, 2018, after Bezos and MBS had exchanged phone numbers. Forensic analysts working for FTI Consulting concluded that once the phone was infected, the attackers were able to siphon "large amounts" of data from the device and retained access until the start of 2019.

Months later, in January 2019, the US tabloid the National Enquirer published messages and intimate photos that are said to have been obtained from Bezos's phone. The Guardian report does not say what specific data was taken from the device. But Gavin De Becker, the private investigator employed by Bezos, has previously claimed that the "Saudis had access to Bezos's phone".

Saudi officials have consistently denied being involved in the hack. "Saudi Arabia does not conduct illicit activities of this nature, nor does it condone them," a spokesperson has said. They called for evidence to back up the claim so the country can prove it wasn't responsible.

But it's not the first time the country has been accused of using spyware to compromise people's phones. It has a reported history of using technology from Israeli security firm NSO Group to compromise devices and obtain private information on individuals. The spyware, called Pegasus, has been sold to governments and law enforcement agencies worldwide, and its operators are said to exploit vulnerabilities in target devices to install it and collect data. NSO is facing multiple lawsuits around the world. In a statement, the company said its technology was "not used in this instance".

Responding to the FTI Consulting research, two United Nations rapporteurs published analysis of how information may have been taken from Bezos's phone. "Experts advised that the most likely explanation for the anomalous data egress was use of mobile spyware such as NSO Group’s Pegasus or, less likely, Hacking Team’s Galileo, that can hook into legitimate applications to bypass detection and obfuscate activity".

Hours after the video had been sent to his phone, data leaving the device spiked by 29,156 per cent, the UN's report said. This swelled to 106,031,045 per cent higher than before the video in the following months. The UN representatives called for a full investigation.
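The UN analysis above rests on comparing the phone's outbound traffic before and after the suspect message. The following is an added example, not code from the FTI Consulting or UN reports, showing how such a percentage increase is derived and how a forensic analyst might flag the days that deviate from baseline. The daily byte counts, the event date and the 10x threshold are constructed assumptions for illustration, not measurements from Bezos's phone.

```python
"""Baseline-vs-event egress comparison over constructed daily traffic records.

Added example: the records below are constructed sample data, not forensic
output. The baseline uses the median of pre-event days so that a single large
legitimate upload (a backup, say) does not inflate it and hide a later spike.
"""
from datetime import date, timedelta
from statistics import mean, median

# Constructed sample: the date the suspect message arrives.
EVENT_DAY = date(2018, 5, 1)

# Constructed pre-event daily upload volumes (bytes). One day holds a large
# legitimate upload to show why a median baseline is preferable to a mean.
BASELINE_BYTES = [400_000, 450_000, 420_000, 5_000_000, 410_000,
                  440_000, 430_000, 460_000, 400_000, 390_000]

# Full record set as (day, bytes uploaded): ten quiet days, the event day,
# then fourteen days of heavy, escalating egress.
SAMPLE_RECORDS = (
    [(EVENT_DAY - timedelta(days=10 - i), b) for i, b in enumerate(BASELINE_BYTES)]
    + [(EVENT_DAY, 9_800_000)]
    + [(EVENT_DAY + timedelta(days=d), 120_000_000 + d * 3_000_000) for d in range(1, 15)]
)


def baseline_egress(records, event_day):
    """Median daily egress over the days strictly before event_day."""
    before = [b for day, b in records if day < event_day]
    if not before:
        raise ValueError("no pre-event records to build a baseline from")
    return median(before)


def percent_increase(baseline, observed):
    """Percentage by which observed exceeds baseline (0.0 when equal)."""
    if baseline <= 0:
        raise ValueError("baseline must be positive")
    return (observed - baseline) / baseline * 100.0


def flag_anomalous_days(records, event_day, factor=10.0):
    """Days on or after event_day whose egress exceeds factor x the baseline."""
    threshold = baseline_egress(records, event_day) * factor
    return sorted(day for day, b in records if day >= event_day and b > threshold)


def egress_summary(records, event_day):
    """Headline figures an analyst would report for the before/after comparison."""
    base = baseline_egress(records, event_day)
    by_day = dict(records)
    after = [b for day, b in records if day > event_day]
    return {
        "baseline_median_bytes": base,
        "event_day_increase_pct": percent_increase(base, by_day[event_day]),
        "post_event_mean_increase_pct": percent_increase(base, mean(after)),
        "anomalous_days": flag_anomalous_days(records, event_day),
    }


if __name__ == "__main__":
    summary = egress_summary(SAMPLE_RECORDS, EVENT_DAY)
    print(f"baseline (median) bytes/day: {summary['baseline_median_bytes']:,.0f}")
    print(f"event-day increase:          {summary['event_day_increase_pct']:,.0f}%")
    print(f"post-event mean increase:    {summary['post_event_mean_increase_pct']:,.0f}%")
    print(f"anomalous days flagged:      {len(summary['anomalous_days'])}")
```

The percentage figures depend entirely on what is chosen as the baseline window and statistic, which is why a forensic report should state both; the same data yields a much smaller number if the pre-event backup day is allowed to pull the baseline up.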

But NSO says its technology was not used against Bezos. A spokesperson says the company knows this "because of how our software works and our technology cannot be used on US phone numbers." A statement on its website said the company is "shocked and appalled" by the alleged hacking and supports any investigation to find the truth. There has been no public evidence concretely linking NSO Group's technology to the attack, and cybersecurity professionals have pointed out that FTI's report does not pin the blame on the Israeli company. (Vice has published the FTI report in full).

The alleged video that was sent to Bezos, as included in FTI's report and first published by Vice

FTI Consulting / Vice

Saudi Arabia has previously been accused of having close relationships with NSO Group and its spyware tool. In December 2018, a lawsuit filed in Israel by Saudi dissident Omar Abdulaziz alleged that NSO's technology was used to spy on murdered journalist Jamal Khashoggi. In addition, Amnesty International is pursuing a court case aimed at stopping NSO from exporting its technology, after it discovered human rights workers had been targeted by Pegasus.

A senior Saudi advisor, Saud al-Qahtani, was reported to have sent messages to NSO Group discussing how it planned to use the company's technology to track dissidents around the world. The analysis produced by FTI Consulting said it believed "Bezos’s phone was compromised via tools procured by Saud al Qahtani".

So how exactly does Pegasus work? "Pegasus is a very sophisticated spyware which when run you will have no idea what's just happened," says Jake Moore, a cybersecurity specialist at ESET. The use of Pegasus elsewhere has been highly targeted: it is a tool for compromising chosen individuals rather than for mass attacks. "Bezos may well have innocently clicked on the file in the message but extreme caution should always be adhered to whenever something is sent," Moore says. So far, the widest lawsuit against NSO Group comes from Facebook, which owns WhatsApp. (The company has objected to all legal cases, saying its technology "is not designed or licensed for use against human rights activists and journalists".)

The company has accused NSO of hacking into the phones of 1,400 people and conducting surveillance against them. "Defendants reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code – undetected – to target devices over WhatsApp servers," the Facebook lawsuit says. (NSO denies the claims).

Alexey Firsh, a security expert at Kaspersky, says in the case of Bezos it's likely that now-fixed vulnerabilities in WhatsApp were exploited. "Based on a very few technical details from the public sources available, the phone was exploited by the malformed chat message in WhatsApp without any additional victim interaction," Firsh says. "This description matches a pair of infamous WhatsApp vulnerabilities, which could be exploited by high profile threat actors."

One of the vulnerabilities only existed on Android devices, but CVE-2019-3568 could be exploited on iPhones, which Bezos owned. "To exploit these vulnerabilities, the attacker simply needs to send a message to get access to the phone it is received on," Firsh says. "The scenario is simple, the attacker sends a message to the phone, the user does not have to interact with anything, and the criminal gets access to the phone."

Canadian non-profit research outfit Citizen Lab says it has tracked the use of Pegasus to 45 countries, including Saudi Arabia. Once installed on a device, the spyware is said to be able to access almost everything it holds. Files, photos, instant messages, browsing history, location data and social network accounts are all among the sensitive information that can be grabbed.

"Once Pegasus is installed, it begins contacting the operator's command and control servers to receive and execute operators' commands, and send back the target's private data," researchers at Citizen Lab say. Command and control servers are attacker-operated machines that compromised devices check in with to receive instructions and upload stolen data; they are effectively a way of operating a device remotely without the user knowing.

The Citizen Lab researchers say they've observed NSO using social engineering to trick people into clicking on links and fake package notifications on dozens of occasions. "This case is a reminder that the proliferation of commercial spyware is a global security problem for all sectors, from government and businesses to civil society," Ronald Deibert, the director of Citizen Lab, says.

It's likely that not all the ways of delivering the Pegasus spyware have been discovered. The FTI Consulting researchers did not find any malware on Bezos's iPhone, but the software is also believed to be able to disguise itself and evade forensic analysis.

"Based on samples that we saw, it uses a high level of code obfuscation to hide its activity from an untrained eye," Kaspersky's Firsh says. "More importantly this malware is constantly maintained and updated by the developers to support modern OS features and to make efforts to avoid detection by security solutions."
