{"id":17514,"date":"2020-01-22T10:45:46","date_gmt":"2020-01-22T18:45:46","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2020\/01\/22\/news-11249\/"},"modified":"2020-01-22T10:45:46","modified_gmt":"2020-01-22T18:45:46","slug":"news-11249","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2020\/01\/22\/news-11249\/","title":{"rendered":"Everything We Know About the Jeff Bezos Phone Hack"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5e2869dad5c9600008515680\/master\/pass\/Sec-bezos-1169506489.jpg\"\/><\/p>\n<p><strong>Credit to Author: Louise Matsakis, Lily Hay Newman| Date: Wed, 22 Jan 2020 17:19:43 +0000<\/strong><\/p>\n<p class=\"byline bylines__byline byline--author\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\"><span class=\"byline__name byline--with-bg\"><a class=\"byline__name-link\" href=\"\/contributor\/louise-matsakis\">Louise Matsaki<span class=\"link__last-letter-spacing\">s<\/span><\/a><\/span> <span class=\"byline__name byline--with-bg\"><a class=\"byline__name-link\" href=\"\/contributor\/lily-hay-newman\">Lily Hay Newma<span class=\"link__last-letter-spacing\">n<\/span><\/a><\/span> <\/span><\/p>\n<p class=\"content-header__row content-header__dek\">A UN report links the attack on Jeff Bezos&#39;s iPhone X directly to Saudi Arabian crown prince Mohammed bin Salman.<\/p>\n<p>On November 8, 2018, Amazon CEO Jeff Bezos received an unexpected text message over WhatsApp from Saudi Arabian leader Mohammed bin Salman. 
The two had exchanged numbers a few months prior, in April, at a small dinner in Los Angeles, but weren\u2019t in regular contact; Bezos had previously received only a video file from the crown prince in May that <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.washingtonpost.com\/politics\/un-ties-alleged-phone-hacking-to-posts-coverage-of-saudi-arabia\/2020\/01\/22\/a0bc63ba-3d1f-11ea-b90d-5652806c3b3a_story.html&quot;}\" href=\"https:\/\/www.washingtonpost.com\/politics\/un-ties-alleged-phone-hacking-to-posts-coverage-of-saudi-arabia\/2020\/01\/22\/a0bc63ba-3d1f-11ea-b90d-5652806c3b3a_story.html\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">reportedly extolled Saudi Arabia\u2019s economy<\/a>. The November text had an attachment as well: an image of a woman who looked like Lauren Sanchez, with whom <a href=\"https:\/\/www.wired.com\/story\/jeff-bezos-legal-case-national-enquirer\/\">Bezos had been having<\/a> an unreported affair.<\/p>\n<p>That message appears to have been a taunt; American Media Inc., publisher of <em>The National Enquirer<\/em>, would several months later make <a href=\"https:\/\/www.wired.com\/story\/jeff-bezos-legal-case-national-enquirer\/\">details of the affair<\/a> public. But it\u2019s the initial contact in May that has set off another firestorm with MBS at the center. That video file was loaded with malware, investigators now say. The crown prince\u2019s own account had been used to hack Bezos\u2019s phone.<\/p>\n<p>Such brazen targeting of a private citizen\u2014the richest man in the world, no less\u2014is alarming to say the least. 
It underscores the dangers of an unchecked private market for digital surveillance, and raises serious questions about other prominent US figures who have known relationships with the crown prince, like White House advisor Jared Kushner and President Donald Trump himself.<\/p>\n<p>\u201cThis reported surveillance of Mr. Bezos, allegedly through software developed and marketed by a private company and transferred to a government without judicial control of its use, is, if true, a concrete example of the harms that result from the unconstrained marketing, sale, and use of spyware,\u201d United Nations special rapporteurs David Kaye and Agnes Callamard said in a statement. Details provided by the UN suggest that the malware originated from a private vendor, such as Israel\u2019s NSO Group or the Italian <a href=\"https:\/\/www.wired.com\/2015\/07\/hacking-team-shows-world-not-stockpile-exploits\/\">Hacking Team<\/a>. The tie to MBS was <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.theguardian.com\/technology\/2020\/jan\/21\/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince&quot;}\" href=\"https:\/\/www.theguardian.com\/technology\/2020\/jan\/21\/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">first reported Tuesday by <em>The Guardian<\/em><\/a>.<\/p>\n<p>Bezos became a Saudi target not because of Amazon, but <a href=\"https:\/\/www.wired.com\/2013\/08\/bezos-amazon-washington-post\/\">his ownership<\/a> of <em>The Washington Post<\/em>, which had published a series of critical stories about the kingdom. The November text from MBS came one month after Saudi officials murdered <em>Post<\/em> columnist and Saudi dissident Jamal Khashoggi inside the country\u2019s Istanbul consulate. 
The UN probe into the attack on Bezos is based at least in part on a <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.vice.com\/en_us\/article\/v74v34\/saudi-arabia-hacked-jeff-bezos-phone-technical-report&quot;}\" href=\"https:\/\/www.vice.com\/en_us\/article\/v74v34\/saudi-arabia-hacked-jeff-bezos-phone-technical-report\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">forensics analysis<\/a> commissioned by Bezos himself and completed by FTI Consulting, a cybersecurity consulting firm. The findings are not definitive, and the firm ranked them at medium to high confidence. Similarly, the UN made clear that while its investigation indicated these results, attribution is not certain.<\/p>\n<p>\u201cAll FTI Consulting client work is confidential. We do not comment on, confirm or deny client engagements or potential engagements,\u201d the firm told WIRED in a statement.<\/p>\n<p>The Saudi Embassy denied the allegations <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/SaudiEmbassyUSA\/status\/1219792870389035008&quot;}\" href=\"https:\/\/twitter.com\/SaudiEmbassyUSA\/status\/1219792870389035008\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">on Twitter<\/a> Tuesday evening: \u201cRecent media reports that suggest the Kingdom is behind a hacking of Mr. Jeff Bezos&#x27; phone are absurd. We call for an investigation on these claims so that we can have all the facts out.\u201d<\/p>\n<p>According to the UN\u2019s findings, the Saudi regime began exfiltrating large amounts of data from Bezos within hours of sending the tainted MP4 video file. FTI Consulting found that six months before the video download, Bezos&#x27;s phone averaged about 430 kilobytes of data coming from the phone per day, a small amount. 
Within hours of receiving the video that number rose and the phone started averaging 101 megabytes for months afterward. The UN reports that this number sometimes even jumped into the gigabyte range, several orders of magnitude over the pre-hack baseline\u2014indicating data exfiltration through malware.<\/p>\n<p>The UN report points to <a href=\"https:\/\/www.wired.com\/2017\/04\/total-takeover-iphone-spyware-lurks-android\/\">Pegasus<\/a> malware, developed by the cyberarms dealer NSO Group, which has adapted it for use on numerous iOS and Android versions over the last four years. Saudi Arabia first bought Pegasus from NSO Group in November 2017, according to the UN. Investigators suggest Galileo, a Hacking Team product, as another possibility. <a href=\"https:\/\/www.wired.com\/2017\/04\/total-takeover-iphone-spyware-lurks-android\/\">Analysis<\/a> of those <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/securitylab.disi.unitn.it\/lib\/exe\/fetch.php?media=teaching:offtech:2015:reports:codeanalysis_hackingteam.pdf&quot;}\" href=\"https:\/\/securitylab.disi.unitn.it\/lib\/exe\/fetch.php?media=teaching:offtech:2015:reports:codeanalysis_hackingteam.pdf\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">tools<\/a> by third-party and academic researchers have shown that both are capable of compromising a device and accessing almost any data on it, from text messages, calls, contacts, and emails to apps, browsing history, and even location data.<\/p>\n<p>NSO Group denied in a statement that its tools were used in the attack. \u201cAs we stated unequivocally in April 2019 to the same false assertion, our technology was not used in this instance,&quot; the firm said. &quot;Our technology cannot be used on US phone numbers. Our products are only used to investigate terror and serious crime. 
Any suggestion that NSO is involved is defamatory.\u201d<\/p>\n<p>The UN alleges that during the same period that the Saudi regime had access to Bezos\u2019s phone, it also targeted Khashoggi\u2019s associates and other pro-human rights dissidents using mobile malware developed by NSO Group. The actions fit with Saudi Arabia\u2019s broader pattern of targeting activists. In November, the Justice Department <a href=\"https:\/\/www.wired.com\/story\/twitter-insiders-saudi-arabia-spy\/\">charged two Twitter employees<\/a> with abusing internal systems to steal information on Saudi Arabia\u2019s behalf.<\/p>\n<p>Saudi Arabia appears to have simultaneously also launched an online disinformation campaign to discredit Bezos. In November 2018, the top-trending hashtag on Twitter in Saudi Arabia was \u201cBoycott Amazon,\u201d the UN notes. The campaign abruptly stopped in April 2019, after an investigator working for Bezos <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.thedailybeast.com\/jeff-bezos-investigation-finds-the-saudis-obtained-his-private-information&quot;}\" href=\"https:\/\/www.thedailybeast.com\/jeff-bezos-investigation-finds-the-saudis-obtained-his-private-information\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">accused the Saudis<\/a> of hacking the executive\u2019s phone. It then picked up again in October, after Bezos attended a memorial event for Khashoggi.<\/p>\n<p>While private exploit brokers like NSO Group often describe themselves as forensic analysis firms, tools like Pegasus have a track record of being used for offensive hacking. In fact, analysts used such tools to analyze Bezos\u2019s phone in the wake of the breach. Doing so proved challenging, given the sophistication of the attack. 
By the time a \u201cphysical analyzer\u201d <a href=\"https:\/\/www.wired.com\/story\/cellebrite-ufed-ios-12-iphone-hack-android\/\">from the Israeli company Cellebrite<\/a> vetted the device, there were no traces of malware. An audit of nearly 300,000 directories, sub-directories, and file names similarly yielded no evidence <a href=\"https:\/\/www.wired.com\/story\/ios-exploit-jailbreak-iphone-ipad\/\">of iOS jailbreaking tools<\/a>.<\/p>\n<p>It was also difficult to analyze the video sent from the crown prince\u2019s account for signs of malware, because both the file itself and the downloader were encrypted. And the UN notes that WhatsApp\u2019s own end-to-end encryption also created challenges. Cellebrite\u2019s software platforms for analyzing device traffic and network logs did pinpoint, though, when Bezos\u2019s phone began hemorrhaging data.<\/p>\n<p>\u201cIt sounds like whatever implant they had self-destructed and wasn&#x27;t there when they went for the forensics,\u201d says Dave Aitel, chief security technology officer at the secure infrastructure firm Cyxtera and a former NSA analyst. \u201cIt seems about right that you would have a self-destruct capability on any real implant. And US investigators probably have other classified information that validates their attribution.\u201d<\/p>\n<p>It\u2019s not clear what other information the hack may have gleaned about Bezos or Amazon\u2019s business. The incident also puts further scrutiny on an already controversial private cyberarms industry. At the end of October, WhatsApp and its owner Facebook <a href=\"https:\/\/www.wired.com\/story\/whatsapp-nso-group-lawsuit\/\">sued NSO Group<\/a> over alleged attacks on more than a thousand of its users\u2014a first effort to curb rampant growth of the private exploit industry. 
The <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/context-cdn.washingtonpost.com\/notes\/prod\/default\/documents\/bf5edf35-5672-49fa-aca1-edefadff683f\/note\/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf#page=1&quot;}\" href=\"https:\/\/context-cdn.washingtonpost.com\/notes\/prod\/default\/documents\/bf5edf35-5672-49fa-aca1-edefadff683f\/note\/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf#page=1\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">complaint noted<\/a> that at least some of NSO Group&#x27;s infrastructure is hosted by Amazon Web Services. Additionally, <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.facebook.com\/security\/advisories\/cve-2019-11931&quot;}\" href=\"https:\/\/www.facebook.com\/security\/advisories\/cve-2019-11931\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">Facebook patched<\/a> a vulnerability in November that &quot;could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user.&quot; It is unclear if this bug was exploited to target Bezos, but it\u2019s a reminder that such bugs can exist in even the most seemingly innocuous features of an app like WhatsApp.<\/p>\n<p>Saudi Arabia\u2019s apparent targeting of one of the world\u2019s most powerful businessmen raises questions about the kingdom\u2019s communications with US officials, including Jared Kushner, President Trump\u2019s son-in-law and adviser on the Middle East. 
Kushner has reportedly <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.nytimes.com\/2018\/12\/08\/world\/middleeast\/saudi-mbs-jared-kushner.html&quot;}\" href=\"https:\/\/www.nytimes.com\/2018\/12\/08\/world\/middleeast\/saudi-mbs-jared-kushner.html\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">exchanged personal messages<\/a> with MBS, and has been known <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.theguardian.com\/us-news\/2019\/mar\/21\/jared-kushner-whatsapp-house-oversight-information&quot;}\" href=\"https:\/\/www.theguardian.com\/us-news\/2019\/mar\/21\/jared-kushner-whatsapp-house-oversight-information\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">to use WhatsApp<\/a> to talk with foreign leaders. Kushner was issued a top-secret security clearance, even after <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.washingtonpost.com\/politics\/jared-kushner-identified-as-senior-white-house-official-whose-security-clearance-was-denied-by-career-officials\/2019\/04\/03\/fefa8dbe-5623-11e9-814f-e2f46684196e_story.html&quot;}\" href=\"https:\/\/www.washingtonpost.com\/politics\/jared-kushner-identified-as-senior-white-house-official-whose-security-clearance-was-denied-by-career-officials\/2019\/04\/03\/fefa8dbe-5623-11e9-814f-e2f46684196e_story.html\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">concerns were raised<\/a> by White House and intelligence officials about the risk of foreign influence.<\/p>\n<p>Meanwhile, President Donald Trump is known for using <a href=\"https:\/\/www.wired.com\/story\/trump-iphone-security-risk\/\">personal, consumer-grade smartphones<\/a>, resisting advice from the White House\u2019s IT and cybersecurity staff to use only a hardened device. 
That such a simple, elegant attack could snag Jeff Bezos underscores just how at-risk Trump has been. Countless actors around the world would want nothing more than unfettered access to his phone; all it would take to get it is making him click on a video or link.<\/p>\n<p>Though the incident will raise awareness about the growing threats of the private cyberarms industry and potential abuse of its products, it seems unlikely that it will come with any immediate reprisals. The UN says it will continue its investigations into both the Khashoggi murder and the rampant use of spyware; it seems there\u2019s no shortage of details still to uncover.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/bezos-phone-hack-mbs-saudi-arabia\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5e2869dad5c9600008515680\/master\/pass\/Sec-bezos-1169506489.jpg\"\/><\/p>\n<p><strong>Credit to Author: Louise Matsakis, Lily Hay Newman| Date: Wed, 22 Jan 2020 17:19:43 +0000<\/strong><\/p>\n<p>A UN report links the attack on Jeff Bezos&#8217;s iPhone X directly to Saudi Arabian crown prince Mohammed bin 
Salman.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-17514","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17514","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17514"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17514\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}