Cybersecurity experts said Thursday there were still many unanswered questions from an investigation commissioned by Jeff Bezos that concluded the billionaire’s cellphone was hacked, apparently after receiving a video file with malicious spyware from the WhatsApp account of Saudi Arabia’s crown prince.
The experts said the evidence in the privately commissioned report does not show with certainty that Bezos’ phone was actually hacked, much less how it was compromised or what kind of malware was used.
The report on the investigation, which was managed by FTI Consulting and overseen by Anthony Ferrante, a former head of the FBI’s Cyber Division, was made public Wednesday.
In it, investigators said a digital forensic review concluded with “medium to high confidence” that Bezos’ phone was compromised via malware sent from a WhatsApp account used by Saudi Prince Mohammed bin Salman.
Two U.N. experts issued their own take on the report’s findings, calling on the U.S. to investigate further. They said it appeared the Amazon founder may have been targeted because of his ownership of The Washington Post, which was publishing reports critical of the crown prince by columnist Jamal Khashoggi.
Khashoggi was killed by Saudi agents inside the kingdom’s consulate in Turkey in October 2018, five months after Bezos’ phone was apparently hacked.
The report’s conclusions drew heavily from the unusually high volume of data that left Bezos’ iPhone X within 24 hours of receiving the video file from Prince Mohammed’s WhatsApp account on May 1, 2018, a month after the two exchanged phone numbers. The size of the file, the investigators suggested, indicated a malware payload may have been included.
The investigators said Bezos’ phone began transmitting large volumes of data — an increase of some 29,000% — after receiving the video file.
The report further pointed to messages later sent from the prince’s WhatsApp account to Bezos that showed “apparent awareness” of private information. One included a meme with a photo of a woman the report said resembled the woman Bezos was having an extramarital relationship with before going public with his divorce.
Another, sent two days after Bezos was briefed in phone calls last February about a Saudi online campaign against him, advised the technology mogul that what he was hearing was not true. “There is nothing against you or amazon from me or Saudi Arabia,” the message said.
The report additionally pointed to Saudi Arabia’s documented use of spyware against critics and other adversaries as further potential proof.
Saudi Foreign Minister Prince Faisal bin Farhan Al Saud called the allegations “purely conjecture” and said if there was real evidence, the kingdom looked forward to seeing it.
Cybersecurity experts said that while it was likely a hack occurred, the investigation did not prove that definitively.
“In some ways, the investigation is very incomplete. … The conclusions they’ve drawn I don’t think are supported by the evidence. They veered off into conjecture,” said Robert Pritchard, the director of U.K.-based consultancy Cyber Security Expert.
Similarly, the former chief security officer at Facebook, who now directs a cyber policy center at Stanford, wrote that the report is filled with circumstantial evidence, but no smoking gun.
“The funny thing is that it looks like FTI potentially has the murder weapon sitting right there, they just haven’t figured out how to test it,” Alex Stamos wrote on Twitter.
One sticking point centered on WhatsApp’s end-to-end encryption, which the report said made it “virtually impossible to decrypt contents of the downloader to determine if it contained malicious code” — meaning the investigators could not conclude whether the video file sent from Prince Mohammed’s WhatsApp account was infected and used to hack Bezos’ phone.
Bill Marczak, a senior research fellow at Citizen Lab, disputed that assertion, saying it is possible to decrypt the contents of a WhatsApp file. In a post written for Medium that presents ways to further the investigation, Marczak shared a link to decryption instructions and code.
The FTI investigators did not reach out to WhatsApp to seek assistance, a Facebook spokesperson said.
FTI’s Ferrante did not respond to emails and text messages seeking comment. The company said in a statement that all FTI’s work for clients is confidential and that the company does not “comment on, confirm or deny client engagements.”
Matt Suiche, a French entrepreneur based in Dubai who founded cybersecurity firm Comae Technologies, said the video file was presumably on the iPhone because the report showed a screenshot of it. If the file had been deleted, he said the report should have stated this or explained why it was not possible to retrieve it.
“They’re not doing that. It shows poor quality of the investigation,” Suiche said.
Still, security professionals and the report itself said the fact that investigators failed to identify any embedded malicious code does not mean there wasn’t a hack because sophisticated spyware can erase itself, leaving no trace.
Steve Morgan, founder and editor-in-chief at Cybersecurity Ventures, a cybersecurity research firm in New York, said the report makes reasonable assumptions and speculations, but does not claim 100% certainty or proof.
“Given their detailed analysis and all of the evidence they reviewed, their conclusions are reasonable,” Morgan said. “The tools they used, including forensic software and hardware from Cellebrite, are widely acknowledged to be amongst the best available,” he said.
Theresa Payton, founder and CEO of Fortalice Solutions, said the report is credible in her opinion, but leaves some questions unanswered, including whether the crown prince’s WhatsApp account may have been hacked by a third party, meaning he was not the true attacker.
“Unless Mohammed bin Salman has a thorough forensic review of dates, times, phone logs, geocoded locations, and logins, it’ll be hard to know for sure who was behind that WhatsApp message,” she said.