Saudi Arabia Dismisses Report; United Nations Demands Full Investigation
Mathew J. Schwartz (euroinfosec) • January 22, 2020
The mobile phone of Amazon CEO Jeff Bezos was hacked using a malicious file sent directly from the official WhatsApp account of Saudi Arabia's Crown Prince Mohammed Bin Salman, investigators have reportedly found.
Hackers stole sensitive information from Bezos' phone "within hours" of the hack, according to a digital forensic analysis of Bezos' phone conducted by FTI Consulting, a Washington-based business advisory group.
The digital forensic analysis concluded with "medium to high confidence" that the attack was carried out on May 1, 2018, using a malicious video file sent from the Saudi prince's WhatsApp account. Once opened, the malicious file infected Bezos' phone and stole information from the compromised device, FTI Consulting reported.
In a tweet, Saudi Arabia’s U.S. embassy issued a statement denying any Saudi involvement in the hack of Bezos' phone and called for a full investigation.
Recent media reports that suggest the Kingdom is behind a hacking of Mr. Jeff Bezos' phone are absurd. We call for an investigation on these claims so that we can have all the facts out.
— Saudi Embassy (@SaudiEmbassyUSA) January 22, 2020
UN Experts Call for Urgent Investigation
Based on FTI Consulting's findings, the United Nations on Wednesday called for an immediate investigation into the matter, including Saudi Arabia's involvement. U.N. experts also warned that the attack on Bezos, who owns the Washington Post, was an attempted assault on press freedoms.
"The information we have received suggests the possible involvement of the [Saudi] crown prince in surveillance of Bezos, in an effort to influence, if not silence, the Washington Post's reporting on Saudi Arabia," Agnes Callamard, U.N. special rapporteur on summary executions and extrajudicial killings, and David Kaye, U.N. special rapporteur on freedom of expression, say in a statement.
"The alleged hacking of Bezos' phone, and those of others, demands immediate investigation by U.S. and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the crown prince in efforts to target perceived opponents."
Spyware Cited as Likely Attack Tool
Callamard and Kaye also cited some of FTI Consulting's findings.
"According to the analysis, the crown prince and Mr. Bezos exchanged phone/WhatsApp numbers the month before the alleged hack," they say. "The forensic analysis found that within hours of receipt of the MP4 video file from the crown prince's account, massive and (for Bezos' phone) unprecedented exfiltration of data from the phone began, increasing data egress suddenly by 29,156 percent to 126 MB. Data spiking then continued undetected over some months and at rates as much as 106,032,045 percent (4.6 GB) higher than the pre-video data egress baseline for Mr. Bezos' phone of 430KB."
The U.N. experts note that while the attack vector remains unknown, investigators concluded that spyware is a likely culprit. "The forensic analysis assessed that the intrusion likely was undertaken through the use of a prominent spyware product identified in other Saudi surveillance cases, such as the NSO Group's Pegasus-3 malware, a product widely reported to have been purchased and deployed by Saudi officials," they say.
Amazon didn't immediately respond to Information Security Media Group's request for comment on the FTI Consulting report.
Bezos' lawyer tells the Guardian: “I have no comment on this except to say that Mr. Bezos is cooperating with investigations.”
Citing the FTI Consulting findings, other experts have also emphasized that the hack attack wasn't just an assault on Bezos. "The big story is not this hack," says Thomas Rid, a professor of strategic studies at Johns Hopkins University's School of Advanced International Studies, via Twitter.
"The big story is, it appears, that we're looking at a Saudi blackmail attempt to influence the Washington Post's reporting," he says. "Also, the truly king-sized naïveté, to think they would get away with this."
Attack Followed Leak of Private Bezos Details
The hacking report arrives one year after The National Enquirer tabloid newspaper published personal details about Bezos' private life, which included explicit text messages.
Gavin de Becker, a security expert hired by Amazon to investigate the message leak, told the Daily Beast that the Saudi government may have had access to Bezos' phone before the Enquirer published the report.
Meanwhile, the Saudi government continues to face intense scrutiny over the killing of Jamal Khashoggi, a journalist who worked at the Washington Post. In his writing for the Post, Khashoggi criticized Saudi Arabia's crown prince.
Suspicion Falls on NSO Group
Khashoggi was murdered in Saudi Arabia's consulate in Turkey in October 2018 by a Saudi government hit team, western intelligence agencies have stated. His body was never found. After his killing, several security experts and privacy watchdogs found that the Saudi government had been eavesdropping on Khashoggi - among other dissidents - via Pegasus mobile phone spyware built by Israel-based NSO Group (see: Attackers Exploit WhatsApp Flaw to Auto-Install Spyware).
Privacy watchdogs and human rights groups have accused NSO Group of selling technology that enables repressive regimes to spy on citizens, human rights activists, journalists and political dissidents (see: Cyber-Intelligence Firm NSO Group Tries to Boost Reputation).
Last November, senior government officials in at least 20 countries were reportedly targeted using Pegasus software that used WhatsApp to take over users' phones (see: Government Officials in 20 Nations Targeted Via WhatsApp: Report).
Likely Exploit Tactic: Buffer Overflow
If Bezos was hacked via WhatsApp, it's likely that a buffer overflow exploit - or a similar one - was used, says Alan Woodward, a professor of computer science at the University of Surrey. As an example, he points to CVE-2019-11931, in which a stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user, according to Facebook, which disclosed the flaw last November and patched it. The vulnerability affected versions of WhatsApp running on Android, iOS and Windows Phone.
"The question is not how was it done - likely a buffer overrun exploit, now closed - but who dunnit and why?" Woodward says via Twitter.
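As an added illustration of the bug class Woodward describes, not WhatsApp's code and not the actual CVE-2019-11931 defect: a minimal MP4 box-header parser in C with the size checks whose absence lets a crafted size field overrun a fixed stack buffer. The 4-byte big-endian size plus 4-byte type layout is the standard MP4 (ISO BMFF) box header; the 64-byte buffer and the two sample boxes are constructed for this example, and the 64-bit extended-size form (size field of 1) is deliberately not handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define MAX_BOX_PAYLOAD 64  /* constructed fixed-size stack buffer */
/* MP4 box headers are big-endian: 4-byte total size, then 4-byte type. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one box, copying its payload into out (capacity cap). Returns the payload
 * length or -1 if malformed. An overflow-prone parser skips these checks and copies
 * however many bytes the attacker-controlled size field declares. */
int parse_box(const uint8_t *buf, size_t len, char type[5],
              uint8_t *out, size_t cap) {
    if (len < 8) return -1;                  /* truncated header */
    uint32_t size = be32(buf);
    if (size < 8 || size > len) return -1;   /* must cover the header and fit the input */
    size_t payload = size - 8;
    if (payload > cap) return -1;            /* must fit the destination buffer */
    memcpy(type, buf + 4, 4); type[4] = '\0';
    memcpy(out, buf + 8, payload);
    return (int)payload;
}

/* Walk consecutive boxes through a stack buffer. Returns the count, or -1 at the
 * first malformed box, so a crafted size can never drive memcpy past the array. */
int count_boxes(const uint8_t *buf, size_t len) {
    int n = 0;
    for (size_t off = 0; off < len; n++) {
        uint8_t payload[MAX_BOX_PAYLOAD];
        char type[5];
        int got = parse_box(buf + off, len - off, type, payload, sizeof payload);
        if (got < 0) return -1;
        off += 8 + (size_t)got;
    }
    return n;
}

/* Constructed sample: one well-formed 16-byte "ftyp" box. Returns 1. */
int demo_benign(void) {
    const uint8_t box[16] = {0,0,0,16, 'f','t','y','p', 'i','s','o','m', 0,0,2,0};
    return count_boxes(box, sizeof box);
}

/* Constructed sample: 200-byte "mdat" box whose 192-byte payload exceeds the 64-byte buffer. Returns -1. */
int demo_crafted(void) {
    uint8_t box[200] = {0,0,0,200, 'm','d','a','t'};
    return count_boxes(box, sizeof box);
}
```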
Senior Correspondent Akshaya Asokan contributed to this story.