Jeff Bezos’ smartphone is back in the news. After days of second-hand reports that the Amazon founder and Washington Post owner’s phone was hacked by none other than Saudi Crown Prince Mohammed bin Salman, a.k.a. MBS, we now have access to the full forensic report on the incident.
Motherboard has posted a copy here. The report was prepared by FTI Consulting, at the request of Bezos’ investigator. If you’re into computer forensics, it’s a good read and provides the kind of nitty-gritty detail that a good forensics report should have. For example, the report notes that once FTI took possession of the phone, its facilities were guarded 24x).
But if you don’t want to read a 15+ page forensics report, here are the key points to focus on:
- FTI was unable in their investigation to find or identify malware on the system
- FTI was unable to gain full access to the device due to lacking a password for iTunes backups.
- Bezos and MBS sent a message via WhatsApp on 4/4/18 to MBS and received a reply on 4/5/18, apparently to exchange phone numbers.
- On 5/1/18, Bezos received a message from Mohammad bin Salman (MBS) with a large video file. This “arrived unexpectedly and without explanation”.
- After 5/1/2019, “The amount of data being transmitted out of Bezos’ phone changed dramatically after receiving the WhatsApp video file and never returned to baseline….egress on the device [data sent from the device] immediately jumped by 29,000 percent.”
Alex Stamos, the former Facebook chief security officer, posted a Twitter thread with his take on the report. He puts it well when he says, “This FTI forensics report is not very strong. Lots of odd circumstantial evidence, for sure, but no smoking gun. The funny thing is that it looks like FTI potentially has the murder weapon sitting right there, they just haven’t figured out how to test it.”
That last point is important and one that FTI clearly realizes. The report indicates that FTI is continuing to explore additional lines of investigation. And in good crowdsourcing fashion, after Stamos posted his analysis, a number of people in the security community offered to help.
Why is this investigation “not very strong”? Because, as of the writing of the report, FTI was unable to gain full access to the device to do a full forensic analysis. This is apparently because of issues with iTunes backup that they detail in their report, likely because of a forgotten password.
In other words, Bezos’ investigators have run into the same problem that we’ve been reading law enforcement is facing with the iPhones related to the naval base shooting in Pensacola, Fla. This has led to Attorney General William Barr and President Trump to renew the call for ways to bypass encryption, a move that is reigniting the “encryption wars” of the 1990s.
The FTI Consulting investigators have, however, outlined a compelling circumstantial case. Clearly SOMETHING happened on 5/1/18 to Bezos’ phone to make it start sending massive amounts of data. And that was the same date Bezos got a video from MBS that was unexpected. FTI Consulting bolsters its circumstantial argument by noting and showing evidence that a customer of the Hacking Team, a company that has been known to make hacking and surveillance tools used by nation-states and others, asked in May 2018 if it was possible to infect a device through a picture or video which is automatically downloaded. The request even specifically asks about WhatsApp, the Facebook-owned app that Bezos and MBS used.
Where does this leave us? With a reasonable, credible circumstantial case. It also leaves us with a technical mystery that hasn’t yet been solved, but may be solved in the future. The amount of interest in this case alone means that this unsatisfactory answer won’t suffice forever. Add in the enthusiasm with which the security community likes a good challenge, and is now looking to jump in, and you can reasonably expect that there will be more to come out of this.
Meanwhile, what does this teach the rest of us?
First, if you are potentially the target of a nation-state-level attack, you should change your phones regularly. One thing that is surprising to me out of this report is that Bezos apparently kept the same phone, with the same configuration, for nearly a year. If there was malware on the phone starting in May 2018, it was still active apparently until February 2019, a full eight months. This episode also reminds us of an important principle in security: if the physical device isn’t secure, then all bets are off. If someone gets physical access to the device, they own it. Indeed, the key to more information in this case likely will come because the investigators have Bezos’ physical device and are able to crack that.
Second, the FTI Consulting report makes another reasonable, circumstantial argument that whoever hacked his phone listened in on a phone briefing in February 2019 about possible hacking of his phone. This is a reminder that a compromised mobile device is a spy’s best friend. It has, by design, audio and video gathering capabilities. It also gives attackers information about your physical location. And it can give them access to every email, social media account and app you have on the device. Seeing as most people live on their phones, this gives complete and total access.
Third, this underscores that even “secure” chat apps like WhatsApp or Signal are not bulletproof and don’t provide complete protection. Those apps provide encryption of conversations, yes. But the key phrase is “end to end encryption”: if one of the ends is compromised with malware, all bets are off.
This story is not over. There is not a conclusive answer yet. I’m not 100% convinced yet. However, there is a reasonable circumstantial case out there. So I’m nearly 100% convinced that I may be 100% convinced in the future. And if additional research is brought to bear and is successful, that circumstantial case could end up being even more solid.
Finally, it’s a reminder that even billionaires, and even ones in tech, can be hacked. Be careful out there.