The Bezos Phone Hack: Narrative Framed by Loose Facts
Forensic Examination Declares Malware, But No Malware Was Found
It's a seductive story line: A chat app belonging to Saudi Arabia's crown prince is used to deliver malware to an American billionaire's phone.
More than a decade ago, that kind of scenario would be fantasy. It's now real: The phones in our pockets are doors to personal lives, just one remote execution vulnerability away (see: Attackers Exploit WhatsApp Flaw to Auto-Install Spyware).
But did that actually happen to Amazon CEO Jeff Bezos? (See: Investigators: Saudis Hacked Amazon CEO Jeff Bezos' Phone).
A forensic investigation commissioned by Bezos claims to have uncovered the May 2018 hack attack. In an incredible score, Vice's Motherboard obtained the forensic report on Bezos' iPhone X, which claims there is no explanation other than malware, delivered in a video file sent from Mohammed bin Salman's WhatsApp account.
The finding has been backed by U.N. officials, who are pushing for an investigation. Saudi Arabia has denied it.
The forensic report, completed by FTI Consulting in Washington, immediately raised skepticism from security experts versed in the arcana of iPhone code autopsies.
And for those of us who aren't versed in how to extract and decrypt an MP4 file sent over WhatsApp and check it for malware, the language of the report contains red flags that are typical of an overreaching claim: a stitching together of compelling yet circumstantial facts to create an explosive narrative.
The biggest problem is that FTI didn't actually recover any malware. Yet it asserts with "medium to high" confidence that malware was present.
Alex Stamos, former chief security officer of Facebook and now an adjunct professor at Stanford, tweeted: "The funny thing is that it looks like FTI potentially has the murder weapon sitting right there, they just haven't figured out how to test it."
Bezos: Messy Leaks Reveal Affair
Bezos was under pressure in early 2018. Photos and texts were leaked to American Media, the publisher of the National Enquirer, which revealed he had been having an affair.
Bezos has accused the publication of trying to blackmail him; federal investigators are probing that. The Wall Street Journal later revealed in March 2019 that the brother of Lauren Sanchez, Bezos' girlfriend, leaked photos and texts to the Enquirer for $200,000.
All of that mess came amidst the backdrop of the murder of Washington Post columnist Jamal Khashoggi.
Khashoggi was killed in Saudi Arabia's consulate in Istanbul in October 2018 after trying to obtain documents for his upcoming marriage. He had long been a fierce critic of Saudi Arabia's regime, and the Post fervently criticized Saudi Arabia afterwards. Bezos owns the Washington Post.
Would Bezos be a target for Saudi Arabian intelligence? For sure. Would Saudi Arabia go so far as to exploit bin Salman's personal connection, given that he and Bezos were WhatsApp buddies? Maybe. In these strange, wild days, the cliché "anything is possible" certainly applies.
But the proof would be on Bezos' iPhone. FTI didn't find it.
Bin Salman sent Bezos a large video file on May 1, 2018, which FTI describes as "arriving unexpectedly and without explanation," as if people routinely warn their friends that they're about to send a video attachment.
The 4.22MB video was encrypted. After the video was sent, Bezos' phone started sending about 101MB of data per day, whereas before it averaged around 430KB, FTI says. FTI used a tool from Cellebrite to analyze the phone, as well as Fiddler proxy and Wireshark for traffic analysis.
FTI didn't find any signs that the video file itself was malicious. Instead it wrote that the "encrypted downloader" - a file carrying an ".enc" extension, hosted on WhatsApp's media server - could not be decrypted. Unable to examine the payload, the report falls back on the dramatic rise in data leaving the phone after the video was delivered to support its conclusion that it was likely malware.
Decoding the ".enc"
But there are many problems with this. For one, it is possible to decrypt a ".enc" file, writes Bill Marczak, a postdoctoral researcher at the University of California, Berkeley and a research fellow at Citizen Lab, which has long documented state-coordinated malware campaigns against activists and dissidents. The key needed to decrypt a WhatsApp media file is stored on the receiving device alongside the message, so an examiner with a full extraction of the phone should have everything required to recover the original video.
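To make concrete what "decrypting the .enc" involves, here is an added example (not code from the article, from FTI or from WhatsApp) that implements the attachment scheme described in WhatsApp's public encryption whitepaper and mirrored by open-source WhatsApp clients: a per-file 32-byte media key is expanded with HKDF-SHA256 into an IV, an AES-256-CBC key and an HMAC key; the file is CBC-encrypted with PKCS#7 padding; and the ".enc" blob is the ciphertext followed by the first 10 bytes of HMAC-SHA256 over IV || ciphertext. The HKDF info string ("WhatsApp Video Keys"), the 112-byte expansion layout and the 10-byte MAC truncation are taken from those open-source clients and are assumptions to verify against the client version in question. The sample "video" bytes and the media key are constructed here so the program runs offline; an examiner would read the real media key from the app's message database.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hkdfSHA256 is RFC 5869 HKDF (extract with an empty salt, then expand),
// written out with the standard library so no x/crypto dependency is needed.
func hkdfSHA256(ikm, info []byte, length int) []byte {
	salt := make([]byte, sha256.Size) // empty salt == HashLen zero bytes
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, prev []byte
	for i := 1; len(out) < length; i++ {
		h := hmac.New(sha256.New, prk)
		h.Write(prev)
		h.Write(info)
		h.Write([]byte{byte(i)})
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

type mediaKeys struct{ iv, cipherKey, macKey []byte }

// deriveMediaKeys expands the 32-byte media key. The info string and the
// offsets (iv 0:16, AES key 16:48, MAC key 48:80) are assumptions taken from
// open-source WhatsApp client implementations.
func deriveMediaKeys(mediaKey []byte, mediaType string) mediaKeys {
	exp := hkdfSHA256(mediaKey, []byte("WhatsApp "+mediaType+" Keys"), 112)
	return mediaKeys{iv: exp[:16], cipherKey: exp[16:48], macKey: exp[48:80]}
}

func mediaMAC(k mediaKeys, ct []byte) []byte {
	m := hmac.New(sha256.New, k.macKey)
	m.Write(k.iv)
	m.Write(ct)
	return m.Sum(nil)[:10] // truncated tag, as the clients do
}

// encryptMedia builds a ".enc" blob; used here only to construct the sample.
func encryptMedia(plain, mediaKey []byte, mediaType string) []byte {
	k := deriveMediaKeys(mediaKey, mediaType)
	block, _ := aes.NewCipher(k.cipherKey)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, k.iv).CryptBlocks(ct, padded)
	return append(ct, mediaMAC(k, ct)...)
}

// decryptMedia verifies the tag first (wrong key or tampering fails here),
// then decrypts and strips PKCS#7 padding.
func decryptMedia(enc, mediaKey []byte, mediaType string) ([]byte, error) {
	if len(enc) < 10+aes.BlockSize || (len(enc)-10)%aes.BlockSize != 0 {
		return nil, errors.New("malformed .enc: bad length")
	}
	k := deriveMediaKeys(mediaKey, mediaType)
	ct, tag := enc[:len(enc)-10], enc[len(enc)-10:]
	if !hmac.Equal(tag, mediaMAC(k, ct)) {
		return nil, errors.New("MAC mismatch: wrong media key or corrupted file")
	}
	block, err := aes.NewCipher(k.cipherKey)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, k.iv).CryptBlocks(plain, ct)
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(plain) {
		return nil, errors.New("bad padding")
	}
	for _, b := range plain[len(plain)-pad:] {
		if int(b) != pad {
			return nil, errors.New("bad padding")
		}
	}
	return plain[:len(plain)-pad], nil
}

func main() {
	// Constructed sample: a fixed media key and a stand-in for the video bytes.
	mediaKey := bytes.Repeat([]byte{0x42}, 32)
	video := []byte("constructed sample video bytes")
	enc := encryptMedia(video, mediaKey, "Video")
	got, err := decryptMedia(enc, mediaKey, "Video")
	fmt.Printf("decrypted %q, err=%v\n", got, err)
	_, err = decryptMedia(enc, bytes.Repeat([]byte{0x43}, 32), "Video")
	fmt.Println("wrong key:", err)
}
```

The point for an examiner is the order of operations: with the right media key the MAC verifies and the original MP4 comes back byte-for-byte, ready for container parsing and exploit hunting; with the wrong key the MAC fails before any decryption happens, which is the symptom a team working from an incomplete extraction would see.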
Marczak outlined further avenues for research in a blog post on Thursday. He recommended a review of the data spikes, suggesting that closer analysis of iOS's DataUsage.sqlite file, which records traffic per process, could explain the surge in outbound data. Marczak also suggested more investigation of the video file itself, which has been located through reverse image searches on Google.
On Twitter, Stamos breaks down how WhatsApp encodes and delivers videos. If the video was indeed the vector for exploitation, Stamos writes, something would still be left over on Bezos' phone.
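The check Marczak proposes is attribution, not just totals: which process sent the extra bytes. Below is an added example (not from the article or from any of the parties) of that analysis over rows shaped like a join of DataUsage.sqlite's ZLIVEUSAGE and ZPROCESS tables. The column names in the comments are assumptions drawn from public iOS forensic write-ups, timestamps use the Cocoa epoch (seconds since 2001-01-01 UTC), and the rows are constructed to mimic the article's figures (about 430KB/day, then about 101MB/day); nothing here reflects actual data from the Bezos phone.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// usageRow carries the fields an analyst would select from DataUsage.sqlite.
// Column names are assumptions; verify them against the real schema.
type usageRow struct {
	proc      string  // ZPROCESS.ZPROCNAME (or ZBUNDLENAME)
	cocoaTime float64 // ZLIVEUSAGE.ZTIMESTAMP, seconds since 2001-01-01 UTC
	wifiOut   float64 // ZLIVEUSAGE.ZWIFIOUT, bytes
	wwanOut   float64 // ZLIVEUSAGE.ZWWANOUT, bytes
}

type spike struct {
	day      string
	total    float64 // outbound bytes that day, all processes
	topProc  string  // process that sent the most
	topBytes float64
}

var cocoaEpoch = time.Date(2001, 1, 1, 0, 0, 0, 0, time.UTC)

func cocoaDay(t float64) string {
	return cocoaEpoch.Add(time.Duration(t * float64(time.Second))).Format("2006-01-02")
}

// dailyByProc sums outbound bytes per day and per process.
func dailyByProc(rows []usageRow) map[string]map[string]float64 {
	out := map[string]map[string]float64{}
	for _, r := range rows {
		day := cocoaDay(r.cocoaTime)
		if out[day] == nil {
			out[day] = map[string]float64{}
		}
		out[day][r.proc] += r.wifiOut + r.wwanOut
	}
	return out
}

// flagSpikes returns days whose total egress exceeds factor times the median
// daily total, each with the process responsible for the largest share.
func flagSpikes(rows []usageRow, factor float64) []spike {
	perDay := dailyByProc(rows)
	if len(perDay) == 0 {
		return nil
	}
	days := make([]string, 0, len(perDay))
	totals := map[string]float64{}
	for d, procs := range perDay {
		days = append(days, d)
		for _, b := range procs {
			totals[d] += b
		}
	}
	sortedTotals := make([]float64, 0, len(days))
	for _, d := range days {
		sortedTotals = append(sortedTotals, totals[d])
	}
	sort.Float64s(sortedTotals)
	median := sortedTotals[len(sortedTotals)/2]
	var spikes []spike
	for _, d := range days {
		if totals[d] <= factor*median {
			continue
		}
		s := spike{day: d, total: totals[d]}
		for p, b := range perDay[d] {
			if b > s.topBytes {
				s.topProc, s.topBytes = p, b
			}
		}
		spikes = append(spikes, s)
	}
	sort.Slice(spikes, func(i, j int) bool { return spikes[i].day < spikes[j].day })
	return spikes
}

// sampleRows is constructed data: five baseline days near 430KB from two
// processes, then two days where a third process adds ~100MB.
func sampleRows() []usageRow {
	at := func(n, hour int) float64 {
		return float64(time.Date(2018, 4, 26+n, hour, 0, 0, 0, time.UTC).Sub(cocoaEpoch) / time.Second)
	}
	var rows []usageRow
	for n := 0; n < 7; n++ {
		rows = append(rows,
			usageRow{"com.example.a", at(n, 9), 300000, 0},
			usageRow{"com.example.b", at(n, 14), 30000, 100000})
		if n >= 5 {
			rows = append(rows, usageRow{"com.example.c", at(n, 3), 100600000, 0})
		}
	}
	return rows
}

func main() {
	for _, s := range flagSpikes(sampleRows(), 10) {
		fmt.Printf("%s: %.0f bytes out, %.0f of them from %s\n", s.day, s.total, s.topBytes, s.topProc)
	}
}
```

Seeing the egress come from a named process is what turns "the phone sent a lot of data" into a lead: a spike attributed to an iCloud backup daemon, a photo-sync service or the chat app itself each points to a very different explanation than a spike from an unknown binary.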
If the video is the initial point of exploitation, then there MUST be some evidence of that in the video file itself. It's true that this will just be a first stage exploit that pulls down the rest of the malware, but the actual exploit and a bit of ARM shell must be there.— Alex Stamos (@alexstamos) January 22, 2020
Get a Second Opinion
Technical details aside, FTI's report slides into a logical fallacy that doesn't require any knowledge of iPhones to spot. Its conclusion - that the phone must have had malware on it, because why else would it send so much data? - is soft ground to stand on. Especially when you can't find the malware.
The video file could indeed turn out to be malware, at which point such an aggressive allegation would stick better, prompting a need for further investigation.
Citizen Lab, for example, believes that Saudi Arabia has used hacking tools such as NSO Group's Pegasus spyware. So it's all still in the realm of possibility.
The trials of Bezos, from the theft of his personal data to the Post's fervent defense of Khashoggi, make an attractive framework for FTI's narrative. But before making a ground-shaking accusation, it might have been good for the company to engage experts who could do what it says it couldn't do.
As with anything highly technical, get a second opinion.