Here Is the Technical Report Suggesting Saudi Arabia’s Prince Hacked Jeff Bezos’s Phone

Credit to Author: Kim Zetter| Date: Wed, 22 Jan 2020 16:55:01 +0000

A report investigating the potential hack of Jeff Bezos’ iPhone indicates that forensic investigators found a suspicious file but no evidence of any malware on the phone. It also says that investigators had to reset Bezos’s iTunes backup password because investigators didn’t have it to access the backup of his phone. The latter suggests that Bezos may have forgotten his password.

The report, obtained by Motherboard, indicates that investigators set up a secure lab to examine the phone and its artifacts and spent two days poring over the device but were unable to find any malware on it. Instead, they only found a suspicious video file sent to Bezos on May 1, 2018 that “appears to be an Arabic language promotional film about telecommunications.”

That file shows an image of the Saudi Arabian flag and Swedish flags and arrived with an encrypted downloader. Because the downloader was encrypted this delayed or further prevented “study of the code delivered along with the video.”

Investigators determined the video or downloader were suspicious only because Bezos’ phone subsequently began transmitting large amounts of data. “[W]ithin hours of the encrypted downloader being received, a massive and unauthorized exfiltration of data from Bezos’ phone began, continuing and escalating for months thereafter,” the report states.


A screenshot of the report showing the video the MBS account sent to Bezos. Image: Screenshot

“The amount of data being transmitted out of Bezos’ phone changed dramatically after receiving the WhatsApp video file and never returned to baseline. Following execution of the encrypted downloader sent from MBS’ account, egress on the device immediately jumped by approximately 29,000 percent,” it notes. “Forensic artifacts show that in the six (6) months prior to receiving the WhatsApp video, Bezos’ phone had an average of 430KB of egress per day, fairly typical of an iPhone. Within hours of the WhatsApp video, egress jumped to 126MB. The phone maintained an unusually high average of 101MB of egress data per day for months thereafter, including many massive and highly atypical spikes of egress data.


A screenshot of a section of the FTI Consulting report. Image: Screenshot

The digital forensic results, combined with a larger investigation, interviews, research, and expert intelligence information, led the investigators “to assess Bezos’ phone was compromised via tools procured by Saud al Qahtani,” the report states.

Saud al Qahtani is a friend and close advisor to Saudi Crown Prince Mohammed bin Salman, known as MBS. He was also president and chairman of the Saudi Federation for Cybersecurity, Programming and Drones and was known to procure offensive hacking tools on behalf of the Saudi regime, among them tools made by the Italian company Hacking Team.

Some of the investigation’s findings were first reported by the Guardian, but has received criticism from information security professionals because the news reports have suggested the tool used might have been developed by the Israeli company NSO Group, a maker of offensive mobile hacking tools. The forensic report does not say an NSO Group tool was used, but simply notes that the company’s tools have the ability to conduct the kind of exfiltration that appears to have occurred on Bezos’ phone.

“Advanced mobile spyware, such as NSO Group’s Pegasus or Hacking Team’s Galileo, can hook into legitimate applications and processes on a compromised device as a way to bypass detection and obfuscate activity in order to ultimately intercept and exfiltrate data,” the report states. “The success of techniques such as these is a very likely explanation for the various spikes in traffic originating from Bezos device.”

Subscribe to our cybersecurity podcast, CYBER.

This article originally appeared on VICE US.