A forensic examination of Amazon CEO Jeff Bezos’s mobile phone has pointed to it having allegedly been infected by personal-message-exfiltrating malware – likely NSO Group’s notorious Pegasus mobile spyware – that came from Saudi Arabia’s Crown Prince Mohammed bin Salman’s personal WhatsApp account.
The United Nations backed up the allegation by releasing details of the evidence on Wednesday.
The UN’s report said that full details from the digital forensic exam of Bezos’s phone were made available to its special rapporteurs. The release of the report followed a story about the hack from The Guardian that was published earlier on Wednesday.
The report was drafted by Agnes Callamard, a UN expert on extrajudicial killings who’s been probing the murder of The Washington Post columnist Jamal Khashoggi, and by David Kaye, who’s been investigating violations of press freedom. Bezos owns The Washington Post.
Khashoggi was killed in October 2018 by agents of the Saudi government after they allegedly used Pegasus to hack his friend’s phone.
According to the UN’s report, the crown prince’s WhatsApp account sent Bezos a taunting message a month after Khashoggi was murdered. From the report:
A single photograph is texted to Mr. Bezos from the Crown Prince’s WhatsApp account, along with a sardonic caption. It is an image of a woman resembling the woman with whom Bezos is having an affair, months before the Bezos affair was known publicly.
The richest man in the world had been having a seemingly friendly WhatsApp conversation with bin Salman when, on 1 May 2018, an unsolicited file was sent from the crown prince’s phone.
Within hours, a trove of data was exfiltrated from Bezos’s phone, although the forensic exam did not reveal what was in the messages.
According to the forensic details released by the UN, the unsolicited message coming from bin Salman’s WhatsApp account was a video. After it was received, Bezos’s phone started pumping out data at an extraordinary rate: the data egress increased by 29,156%. It not only stayed that high for months; it also hit rates as much as 106,031,045% higher than the phone’s normal data egress rates.
It looks like Bezos’s phone could have been infected with Pegasus mobile spyware, experts concluded. From the UN’s statement:
Experts advised that the most likely explanation for the anomalous data egress was use of mobile spyware such as NSO Group’s Pegasus or, less likely, Hacking Team’s Galileo, that can hook into legitimate applications to bypass detection and obfuscate activity. For example, following the initial spike of exfiltration after receipt of the suspect video file, more than 6GB of egress data was observed using exfiltration vectors.
Before it was patched in May 2019, a zero-day vulnerability in WhatsApp meant that with just one call, spies could access your phone and plant spyware – specifically, Pegasus.
The mobile spyware has been unleashed against Mexican political activists; targeted at the human rights-focused NGO Amnesty International in a spearphishing attack; and used against Ahmed Mansoor, a prominent human rights activist and political dissident in the United Arab Emirates who was sentenced to 10 years in jail and a fine of 1,000,000 Emirati Dirham (USD $272K) after being charged with “insulting the UAE and its symbols”.
In May 2019, Amnesty International filed a lawsuit seeking to stop the “web of surveillance” it says is enabled by NSO Group, the Israeli firm that makes Pegasus.
As described in its affidavit, a Pegasus infection can happen in several ways. Most commonly, a target clicks on an exploit link, often sent as a text message. That triggers the download onto a mobile device.
Once installed, Pegasus turns into what Citizen Lab has called a “silent, digital spy.” It can get at everything – including contacts, photos, call history and previous text messages – regardless of encryption or other protections. It also allows its operator the ability to remotely operate a device’s camera and microphone, enabling remote eavesdropping on conversations, as well as passive or active tracking of a target’s location data.
The timing of the attack on Bezos’s phone could point to what may turn out to be the exfiltration of painfully intimate content behind a tabloid’s tell-all. Namely, the data grab preceded the National Enquirer’s publication last January of intimate details of Bezos’s life, including sexts from his extramarital affair.
The tabloid’s story set off what The Guardian’s sources described as a “race” by the Amazon CEO’s security team to figure out how his phone got hacked. American Media Inc (AMI), which publishes the National Enquirer, has denied being tipped off by the Saudi prince, but the Amazon CEO’s own team found with “high confidence” that Saudis were behind the hack.
That denial came in March 2019, following Bezos’ security consultant Gavin de Becker having written an op-ed for the Daily Beast in which he said that his investigation had concluded that the Saudis had accessed the Amazon security chief’s phone.
Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information. As of today, it is unclear to what degree, if any, AMI was aware of the details.
Saudi Arabia has dismissed the allegations against bin Salman as being “absurd.”
Recent media reports that suggest the Kingdom is behind a hacking of Mr. Jeff Bezos' phone are absurd. We call for an investigation on these claims so that we can have all the facts out.— Saudi Embassy (@SaudiEmbassyUSA) January 22, 2020
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast.