By Dan Goodin
January 21, 2020
It’s like a plot from a bad thriller: a forensic analysis paid for by Amazon founder Jeff Bezos discovered that his cell phone coughed up massive amounts of personal information within hours of receiving a WhatsApp-attached video file sent by the future king of Saudi Arabia, the Guardian and the Financial Times reported on Tuesday.
The text, the analysis is reported to say, came on May 1, 2018. That’s when Saudi Crown Prince Mohammed bin Salman sent Bezos a text over WhatsApp weeks after the two had exchanged numbers. Their relationship started out cordially but became strained as The Washington Post reported that the Saudi government was behind the gruesome killing and subsequent dismemberment of veteran Saudi journalist Jamal Khashoggi. He used to contribute a regular column in the Bezos-owned Washington Post criticizing Prince Mohammed’s autocratic leadership. The FT report is here, and the report from the Guardian is here.
Massive and unauthorized exfiltration
Within hours of Bezos’ receipt of the video, the analysis found, “a massive and unauthorized exfiltration of data from Bezos’s phone began, continuing and escalating for months,” the FT reported. The amount of data surreptitiously exfiltrated from the device “was in the dozens of gigabytes,” compared to a daily average of a few hundred kilobytes in the months before the video file was sent.
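The signal the analysis describes is a volume anomaly: daily outbound traffic jumping from hundreds of kilobytes to gigabytes. As an added example (not code from the report or the article), the following compares each day's egress against a rolling median of preceding quiet days; the sample figures are constructed and stand in for real handset traffic.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (day, bytes sent from the handset), not data from the case:
# a week of a few hundred KB/day, then sudden multi-gigabyte days from 2018-05-01 on.
SAMPLE_FLOWS = [
    ("2018-04-24", 210_000), ("2018-04-25", 180_000),
    ("2018-04-26", 100_000), ("2018-04-26", 250_000),   # two sessions, same day
    ("2018-04-27", 240_000), ("2018-04-28", 160_000),
    ("2018-04-29", 300_000), ("2018-04-30", 220_000),
    ("2018-05-01", 3_200_000_000), ("2018-05-02", 6_800_000_000),
    ("2018-05-03", 400_000), ("2018-05-04", 9_100_000_000),
]

def daily_egress(flows):
    """Sum outbound bytes per calendar day (ISO date strings sort chronologically)."""
    totals = defaultdict(int)
    for day, nbytes in flows:
        totals[day] += nbytes
    return dict(totals)

def flag_exfil_days(totals, baseline_days=7, min_history=3, ratio=50.0):
    """Return (day, bytes, baseline) for days whose egress is >= ratio x the baseline.

    The baseline is the median of the most recent `baseline_days` days that were
    NOT themselves flagged, so a transfer that "continues and escalates for months"
    does not quietly become the new normal and hide the days that follow it.
    """
    clean, flagged = [], []
    for day in sorted(totals):
        window = clean[-baseline_days:]
        if len(window) >= min_history:
            baseline = median(window)
            if baseline > 0 and totals[day] / baseline >= ratio:
                flagged.append((day, totals[day], baseline))
                continue
        clean.append(totals[day])
    return flagged

if __name__ == "__main__":
    for day, nbytes, base in flag_exfil_days(daily_egress(SAMPLE_FLOWS)):
        print(f"{day}: {nbytes / 1e9:.1f} GB sent vs ~{base / 1e3:.0f} KB/day baseline")
```

On a real device this would run over carrier or VPN flow logs rather than constructed tuples; the quiet day of 2018-05-03 shows why the baseline must exclude flagged days rather than simply trail the last week.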
The extraordinary conclusion—which depending on the publications was reached with either “medium to high confidence” or found to be “highly probable”—comes nine months after a security consultant hired by the billionaire said the government of Saudi Arabia gained access to the private contents of Jeff Bezos’ phone. The consultant, Gavin De Becker, made no explicit allegation at the time that Bezos’ phone had been hacked.
A Saudi official denied the country’s government was behind a hack on Bezos’ phone. “Saudi Arabia does not conduct illicit activities of this nature, nor does it condone them,” the official told the FT. “We request the presentation of any supposed evidence and the disclosure of any company that examined any forensic evidence so that we can show it is demonstrably false.”
The analysis was led by Anthony J. Ferrante, a security expert at the business advisory firm FTI Consulting. It doesn’t claim to have conclusive evidence, and its findings have yet to be independently confirmed by the FT, Guardian, or any other known news publication.
Representatives for Bezos and FTI Consulting declined to comment.
Allegations that Saudi Arabia obtained access to data on Bezos’s phone came a few months after the National Enquirer tabloid reported that Bezos was having an extramarital affair with broadcaster Lauren Sanchez. The publication published texts and pictures from the phone that appeared to show the two had an ongoing relationship.
A few weeks later, Bezos published emails he received from officials at National Enquirer’s parent company, AMI. The company allegedly threatened to publish nude photos from Bezos’ phone unless he ended an investigation into the security breach involving his phone and backed away from public allegations that the breach was motivated by the National Enquirer’s political leanings. National Enquirer has maintained the phone data came from Sanchez’s brother and was not the result of a hack.
In May, WhatsApp owner Facebook said it fixed a critical vulnerability in the messenger app that had been under active exploit. According to an FT report published the same day, the exploit was developed by Israeli developer NSO Group and worked by sending a WhatsApp call to targets. By exploiting a buffer overflow vulnerability in the WhatsApp VoIP stack, the calls could remotely install surveillance malware on both iPhones and Android devices. Targets need not have answered the call to be infected.
It’s not clear if the WhatsApp exploit was the same one allegedly used against Bezos. Based on the limited descriptions of the vulnerabilities, they appear to be different, other than that both gave remote attackers full control over devices running vulnerable versions of the app.
* This article was automatically syndicated and expanded from Ars Technica.