Who honestly has a crown prince in their threat model? UN report officially fingers Saudi royal as Bezos hacker

Rapporteurs call for investigation, technical security report leaks

The Crown Prince of Saudi Arabia, Mohammad bin Salman, has been officially fingered as the man responsible for hacking Amazon CEO Jeff Bezos’s iPhone X, causing a massive stir in diplomatic circles.

Following a report yesterday that Bezos’s smartphone had been compromised by a malware-poisoned video sent directly by bin Salman to Bezos through WhatsApp, on Wednesday two UN special rapporteurs named the head of the oil state as the source of digital spyware, and called for an “immediate investigation by US and other relevant authorities” into the “continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents.”

Shortly thereafter, a technical report ordered by Bezos back in 2018, and completed in 2019, into the security breach – a report on which the UN staff had based their assessment – publicly leaked. The dossier is rather lacking in places, though it includes some details on how the hack may have worked, plus messages sent from bin Salman to Bezos that contained sexist jokes and taunts about his private life.

“In contravention of fundamental international human rights standards, a WhatsApp account belonging to the Crown Prince of the Kingdom of Saudi Arabia in 2018 deployed digital spyware enabling surveillance of The Washington Post owner and Amazon CEO, Jeffery Bezos,” the UN said in an unusually blunt statement.

Obviously, no one thinks bin Salman wrote the exploit and spyware code himself. An annex [PDF] accompanying the UN assessment suggests the spyware was supplied to Saudi Arabia by the NSO Group in the form of surveillanceware called Pegasus. It also noted that Hacking Team’s Galileo software may have been responsible. NSO, at least, has denied any involvement.

The forensic team observed a vast amount of data being pulled off the phone soon after Bezos opened a video file sent to him from bin Salman. For what it's worth, in November last year, Facebook patched a remote-code execution hole in WhatsApp that could be exploited by an MP4 video file (CVE-2019-11931).

Hooking up

The spyware can “hook into legitimate applications to bypass detection and obfuscate activity,” the UN report noted, adding: “For example, following the initial spike of exfiltration after receipt of the suspect video file, more than 6GB of egress data was observed using exfiltration vectors.”

That information contrasted with screengrabs from Bezos’s phone in the leaked technical report [PDF]. Bezos gave bin Salman his number over dinner in Los Angeles on April 4, 2018 and the two connected immediately over WhatsApp.

Then on May 1, bin Salman sent Bezos a video that “appears to be an Arabic language promotional film about telecommunications” featuring the Saudi and Swedish flags. There was no discussion that the file would be sent and Bezos played it – assuming, presumably, that the head of a country would be unlikely to try to hack his phone.

The technical report's wording is a bit confused, but it seems an encrypted blob of code in the 4MB video file was able to run spyware on the phone, presumably via a software flaw. The team was unable to decrypt the payload. As such, there was no physical evidence of infection. However, within hours of Bezos playing the video there was an "extreme change in behavior" in his phone – and it started sending gigabytes of information to an unknown location over the course of several months.

As it turned out, some of that information contained text messages and pictures exchanged between Bezos and his new girlfriend: details of that secret relationship eventually emerged in tabloid rag The National Enquirer.

Before those details were published, however, bin Salman sent Bezos an odd WhatsApp message that implied he knew about the Amazon boss's new beau. The message contained a photo of a woman that the forensic team argues looks like his paramour, along with the poor-taste joke: “Arguing with a woman is like reading the software license agreement. In the end you have to ignore everything and click I agree.”

High confidence

It’s far from complete proof but, combined, the leak of personal text messages from Bezos’s phone and the handset's odd behavior after receiving the video file were sufficient for Bezos's investigators – and subsequently the UN rapporteurs – to conclude that they had “medium to high confidence” that bin Salman was personally responsible.

One odd detail: according to the report, Bezos used an alarmingly small amount of data (averaging 430KB a day) in his day-to-day use of his phone – something that made the sudden dumping of gigabytes of data that much more obvious. One possible explanation is that the phone in question was one he only used on occasion or for a limited number of tasks – such as sexting his girlfriend and chatting with heads of state.
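The detection logic implied here, as an added example that comes from neither the forensic report nor the original article: a per-day egress check against a baseline built from the device's own history, showing why the same upload stands out on a barely used phone and disappears on a busy one. All daily figures are constructed (only the 430KB/day average is from the article), and the function names and the thresholds `k` and `floor` are assumptions.

```python
from statistics import median

KB, MB = 1_000, 1_000_000

# Constructed daily egress totals (bytes). QUIET averages the 430KB/day
# the article cites; BUSY is a hypothetical heavily used phone.
QUIET = [410 * KB, 450 * KB, 380 * KB, 470 * KB, 430 * KB, 440 * KB, 430 * KB]
BUSY = [300 * MB, 900 * MB, 150 * MB, 1200 * MB, 600 * MB, 250 * MB, 800 * MB]
# Constructed days to evaluate: one ordinary, one with a large upload.
OBSERVED = [("day-1", 900 * KB), ("day-2", 120 * MB)]


def baseline(history):
    """Median and median absolute deviation (MAD) of daily egress."""
    med = median(history)
    mad = median(abs(b - med) for b in history)
    return med, mad


def flag_egress(history, observed, k=10.0, floor=0.5):
    """Return (day, bytes, ratio_to_median) for days above the limit.

    k is an assumed threshold in units of spread; floor keeps the spread
    at a minimum fraction of the median so that a very flat history
    does not flag small, ordinary variation.
    """
    med, mad = baseline(history)
    spread = max(mad, floor * med)
    limit = med + k * spread
    return [(day, b, b / max(med, 1)) for day, b in observed if b > limit]


def demo():
    """Same observed days, judged against each device's own history."""
    return flag_egress(QUIET, OBSERVED), flag_egress(BUSY, OBSERVED)


if __name__ == "__main__":
    quiet_hits, busy_hits = demo()
    for day, b, ratio in quiet_hits:
        print(f"quiet phone: {day} sent {b / MB:.0f}MB, {ratio:.0f}x median")
    print("busy phone flagged days:", [d for d, _, _ in busy_hits])
```
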

Of course, there is a lot of relevant context: Saudi Arabia has repeatedly hacked the phones of critics and dissidents of its regime. And Facebook recently sued NSO Group over its Pegasus software, which exploits a hole in WhatsApp to infect a phone. The method of infection? A video file.

Why Bezos? Because, as publisher of The Washington Post, he was ultimately in charge of an influential newspaper, particularly in US political circles, that was being highly critical of bin Salman’s regime at a time when everyone else was heralding his reform efforts.

In particular, Washington Post columnist Jamal Khashoggi was subsequently murdered by Saudi Arabian agents at the country’s embassy in Turkey, almost certainly on bin Salman's personal orders, according to the US intelligence agencies.


Both the UN and forensic team provide a timeline of events around Bezos’s phone hack, Washington Post articles, Khashoggi’s death, and the targeting of Saudi dissidents that flags a long series of what could be extraordinary coincidences.

This is what the UN’s Callamard and Kaye said in relation to the report: “The information we have received suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post's reporting on Saudi Arabia.

“The allegations reinforce other reporting pointing to a pattern of targeted surveillance of perceived opponents and those of broader strategic importance to the Saudi authorities, including nationals and non-nationals. These allegations are relevant as well to ongoing evaluation of claims about the Crown Prince's involvement in the 2018 murder of Saudi and Washington Post journalist, Jamal Khashoggi.

“The alleged hacking of Mr Bezos's phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents.”

They also call for greater controls over “the unconstrained marketing, sale and use of spyware” and a “moratorium on the global sale and transfer of private surveillance technology.”

Meanwhile, the Saudi government has called the hacking reports "absurd." ®


Biting the hand that feeds IT © 1998–2021