How Jeff Bezos' iPhone X was hacked

The forensic report's conclusions renew questions about the shadowy world of private hackers for hire

Over the years that he has run Amazon, Mr Bezos has largely kept private. That changed when The National Enquirer published photos and messages last year between him and Lauren Sanchez, a TV anchor.

ON THE afternoon of May 1, 2018, Jeff Bezos received a message on WhatsApp from an account belonging to Saudi Arabia's crown prince, Mohammed bin Salman.

The two men had previously communicated using WhatsApp, but Mr Bezos, Amazon's chief executive, had not expected a message that day - let alone one with a video of Saudi and Swedish flags with Arabic text.

The video, a file of more than 4.4 megabytes, was more than it appeared. Hidden in 14 bytes of that file was a separate bit of code that most likely implanted malware, malicious software, that gave attackers access to Mr Bezos' entire phone, including his photos and private communications.

Those details were part of a forensic analysis that Mr Bezos had commissioned to discover who had hacked his phone, an iPhone X. He has been on a singular quest to find out who penetrated the device after he said The National Enquirer's parent company threatened to release his private photographs and texts in early 2019. Those pictures and messages showed Mr Bezos, who was married at the time, with another woman, Lauren Sanchez. The analysis did not connect the hack to The Enquirer.

The forensic report on Mr Bezos' phone was at the heart of a United Nations statement on Wednesday raising concerns about the digital tactics of Crown Prince Mohammed. The analysis essentially accused the Saudi prince of using malware created by a private cybersecurity company to spy on and to intimidate Mr Bezos, who also owns The Washington Post. The Post, which has published coverage critical of the Saudi government, had employed Jamal Khashoggi, a dissident Saudi writer who was killed in the Saudi consulate in Istanbul in late 2018.

The report's conclusions renew questions about the shadowy world of private hackers for hire. For the right client, or the right sum, such hackers apparently infiltrated the phone of one of the world's wealthiest and most powerful men. The report did not say which private cybersecurity company was used, but suggested that the Tel Aviv-based NSO Group and Milan-based Hacking Team had the capabilities for such an attack.

The hack also exposed how popular messaging platforms like WhatsApp have vulnerabilities that attackers can exploit. In October, WhatsApp sued the NSO Group in federal court, claiming that NSO's spy technology was used on its service to target journalists and human rights activists. WhatsApp, which is owned by Facebook, has patched the flaw that the malware used.

Many technical mysteries remain about the infiltration of Mr Bezos' phone, including what type of malware was used. The forensic report did not detail whether Mr Bezos had opened the file that was sent to him via Crown Prince Mohammed's WhatsApp account. Cybersecurity experts said some malware did not require anyone to click on the file for it to install on a phone.

"This case really highlights the threats that are posed by a lawless and unaccountable private surveillance industry," said David Kaye, the UN special rapporteur who was a co-author of Wednesday's statement. "The companies which are creating these tools are extremely crafty and aggressive, and it's a cat-and-mouse game at this point."

The details of the hack could not be independently verified by The New York Times. Mr Bezos has pushed a theory of Saudi involvement with the threats from The Enquirer, without providing proof, since early 2019. The Enquirer's parent company has said Ms Sanchez's brother, Michael, was the sole source of the texts and intimate photos it acquired.

NSO said it was not involved in any hack of Mr Bezos' phone. Hacking Team did not respond to a request for comment. WhatsApp declined to comment, as did FTI Consulting, the company that Mr Bezos' security team hired to examine his phone and that wrote the forensic analysis. Amazon declined to comment on behalf of Mr Bezos.

The Saudi Embassy in Washington has said that accusations that the kingdom was involved in hacking Mr Bezos' phone were "absurd."

Over the years that he has run Amazon, Mr Bezos has largely kept private. That changed when The National Enquirer published photos and messages last year between him and Ms Sanchez, a TV anchor. Mr Bezos and his wife, MacKenzie Bezos, later got a divorce.

On Feb 7, 2019, Mr Bezos went public with what he said were troubling developments connected to The Enquirer. In a post on Medium, he accused The Enquirer of trying to blackmail him with his own text messages and photos and said he had asked Gavin de Becker, a private investigator, to determine how his phone had been hacked.

Ten days later, Mr de Becker was advised by a "leading intelligence expert" to conduct a forensic analysis of Mr Bezos' iPhone and to look for Saudi fingerprints in the hack, according to notes in the report. The report did not identify the intelligence expert who reached out to Mr de Becker.

Mr de Becker, who declined to comment, hired FTI Consulting on Feb 24, 2019, to examine Mr Bezos' phone. FTI was initially asked to look into several text messages that Mr Bezos had received from the WhatsApp account of the Saudi prince. In mid-May 2019, Mr Bezos handed over his iPhone X and asked FTI to run a full analysis on it, according to the report.

FTI zeroed in on an April 2018 dinner in which Crown Prince Mohammed and Mr Bezos had exchanged phone numbers in Los Angeles. After that, FTI found, the WhatsApp account of the prince initiated contact with Mr Bezos repeatedly and without prompting.

The May 2018 message that contained the innocuous-seeming video file came out of the blue, the report said. In the 24 hours after it was sent, Mr Bezos' iPhone began sending large amounts of data, which increased approximately 29,000 per cent over his normal data usage.

In additional notes to the report, which were obtained by The New York Times, investigators said several phone apps were being used during the time that data was leaving the phone. Those included the Safari web browser and the Apple Mail program, both of which Mr Bezos did not appear to be using heavily himself. Mr Bezos did not have iCloud backup enabled on the phone, the notes added, which would have also explained large amounts of data leaving the phone.

Messages sent by Crown Prince Mohammed's WhatsApp account starting in late 2018 soon began to suggest that the sender had intimate knowledge of Mr Bezos' private life. On Nov 8, 2018, the report said, Mr Bezos received a message from the account that included a photo of a woman resembling Ms Sanchez.

The photo was captioned, "Arguing with a woman is like reading the software license agreement. In the end you have to ignore everything and click I agree." At the time, Mr Bezos and his wife were discussing divorce, which would have been apparent to anyone reading his text messages.

In mid-February 2019, Mr Bezos held a series of phone calls with his security team about the Saudis' alleged online campaign against him, the report said. Two days later, Mr Bezos received a message from Crown Prince Mohammed's WhatsApp account that read, in part, "there is nothing against you or Amazon from me or Saudi Arabia". The report listed spyware known as Pegasus, developed by the NSO Group, and spyware called Galileo, developed by Hacking Team, as the two most likely tools used to carry out the attack. The report added that Saud al-Qahtani, a close adviser of Crown Prince Mohammed, owned a 20 per cent stake in Hacking Team.

The FTI report was not definitive about the hack, but said it had "medium to high confidence" that the message from the prince's WhatsApp account was the culprit. In notes to the report, FTI said it was still attempting a more thorough analysis of the iPhone, including by jailbreaking it, or bypassing Apple's control system on the phone. NYTIMES