Who honestly has a crown prince in their threat model? UN report officially fingers Saudi royal as Bezos hacker

Rapporteurs call for investigation, technical security report leaks


The Crown Prince of Saudi Arabia, Mohammad bin Salman, has been officially fingered as the man responsible for hacking Amazon CEO Jeff Bezos’s iPhone X, causing a massive stir in diplomatic circles.

Following a report yesterday that Bezos’s smartphone had been compromised by a malware-poisoned video sent directly by bin Salman to Bezos through WhatsApp, on Wednesday two UN special rapporteurs named the head of the oil state as the source of digital spyware, and called for an “immediate investigation by US and other relevant authorities” into the “continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents.”

Shortly thereafter, a technical report ordered by Bezos back in 2018, and completed in 2019, into the security breach – a report on which the UN staff had based their assessment – publicly leaked. The dossier is rather lacking in places, though it includes some details on how the hack may have worked, plus messages sent from bin Salman to Bezos that contained sexist jokes and taunts about his private life.

“In contravention of fundamental international human rights standards, a WhatsApp account belonging to the Crown Prince of the Kingdom of Saudi Arabia in 2018 deployed digital spyware enabling surveillance of The Washington Post owner and Amazon CEO, Jeffery Bezos,” the UN said in an unusually blunt statement.

Obviously, no one thinks bin Salman wrote the exploit and spyware code himself. An annex [PDF] accompanying the UN assessment suggests the spyware was supplied to Saudi Arabia by the NSO Group in the form of surveillanceware called Pegasus. It also noted that Hacking Team’s Galileo software may have been responsible. NSO, at least, has denied any involvement.

The forensic team observed a vast amount of data being pulled off the phone soon after Bezos opened a video file sent to him from bin Salman. For what it's worth, in November last year, Facebook patched a remote-code execution hole in WhatsApp that could be exploited by an MP4 video file (CVE-2019-11931).

Hooking up

The spyware can “hook into legitimate applications to bypass detection and obfuscate activity,” the UN report noted, adding: “For example, following the initial spike of exfiltration after receipt of the suspect video file, more than 6GB of egress data was observed using exfiltration vectors.”

That information contrasted with screengrabs from Bezos’s phone in the leaked technical report [PDF]. Bezos gave bin Salman his number over dinner in Los Angeles on April 4, 2018 and the two connected immediately over WhatsApp.

Then on May 1, bin Salman sent Bezos a video that “appears to be an Arabic language promotional film about telecommunications” featuring the Saudi and Swedish flags. There was no discussion that the file would be sent and Bezos played it – assuming, presumably, that the head of a country would be unlikely to try to hack his phone.

The technical report's wording is a bit confused, but it seems an encrypted blob of code in the 4MB video file was able to run spyware on the phone, presumably via a software flaw. The team was unable to decrypt the payload. As such there was no physical evidence of infection. However, within hours of Bezos playing the video there was an "extreme change in behavior" in his phone – and it started sending gigabytes of information to an unknown location over the course of several months.

As it turned out some of that information contained text messages and pictures exchanged between Bezos and his new girlfriend: details of that secret relationship eventually emerged in tabloid rag The National Enquirer.

Before those details were published, however, bin Salman sent Bezos an odd WhatsApp message that implied he knew about the Amazon boss's new beau. The message contained a photo of a woman that the forensic team argues looks like his paramour, along with the poor-taste joke: “Arguing with a woman is like reading the software license agreement. In the end you have to ignore everything and click I agree.”

High confidence

It’s far from complete proof but, combined, the fact that personal text messages had leaked from Bezos’s phone and its odd behavior after receiving the video file was sufficient for Bezos's investigators – and subsequently the UN rapporteurs – to conclude that they had “medium to high confidence” that bin Salman was personally responsible.

One odd detail: according to the report, Bezos used an alarmingly small amount of data (averaging 430KB a day) in his day-to-day use of his phone – something that made the sudden dumping of gigabytes of data that much more obvious. One possible explanation is that the phone in question was one he only used on occasion or for a limited number of tasks – such as sexting his girlfriend and chatting with heads of state.
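
The quiet baseline is what made the exfiltration visible. As an added example (not taken from the forensic report or the UN annex), the check below flags days whose egress far exceeds a rolling baseline; the function name, thresholds and sample byte counts are constructed assumptions, and only the roughly 430KB daily average comes from the text.

```python
from statistics import median

def flag_egress_spikes(daily_bytes, window=14, k=10.0, floor=50_000):
    """Return indices of days whose egress exceeds median + k * MAD.

    The baseline uses only the most recent `window` unflagged days, so
    exfiltration sustained over months never becomes the new "normal".
    `floor` is a minimum spread in bytes, so a very steady device does
    not alert on trivial variation.
    """
    baseline, flagged = [], []
    for day, sent in enumerate(daily_bytes):
        if len(baseline) >= window:
            recent = baseline[-window:]
            med = median(recent)
            mad = median(abs(x - med) for x in recent)
            if sent > med + k * max(mad, floor):
                flagged.append(day)
                continue  # keep anomalous days out of the baseline
        baseline.append(sent)
    return flagged

# Constructed sample: 20 quiet days around 430 KB/day ...
QUIET = [430_000 + 20_000 * ((i * 7) % 5 - 2) for i in range(20)]
# ... followed by constructed post-compromise days, one of them quiet.
AFTER = [120_000_000, 80_000_000, 3_000_000, 250_000_000, 440_000, 95_000_000]

if __name__ == "__main__":
    series = QUIET + AFTER
    for day in flag_egress_spikes(series):
        print(f"day {day}: {series[day] / 1e6:.1f} MB sent, far above baseline")
```

A plain rolling mean over the same series would absorb the first large days into the baseline and then miss the smaller 3MB day; excluding flagged days avoids that.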

Of course there is a lot of relevant context: Saudi Arabia has repeatedly hacked the phones of critics and dissidents of its regime. And Facebook recently sued NSO Group over its Pegasus software which exploits a hole in WhatsApp to infect a phone. The method of infection? A video file.

Why Bezos? Because, as publisher of The Washington Post, he was ultimately in charge of an influential newspaper, particularly in US political circles, that was being highly critical of bin Salman’s regime at a time when everyone else was heralding his reform efforts.

In particular, Washington Post columnist Jamal Khashoggi was subsequently murdered by Saudi Arabian agents at the country’s embassy in Turkey, almost certainly on bin Salman's personal orders, according to the US intelligence agencies.


Both the UN and forensic team provide a timeline of events around Bezos’s phone hack, Washington Post articles, Khashoggi’s death, and the targeting of Saudi dissidents, that flags a long series of what could be extraordinary coincidences.

This is what the UN’s Callamard and Kaye said in relation to the report: “The information we have received suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post's reporting on Saudi Arabia.

“The allegations reinforce other reporting pointing to a pattern of targeted surveillance of perceived opponents and those of broader strategic importance to the Saudi authorities, including nationals and non-nationals. These allegations are relevant as well to ongoing evaluation of claims about the Crown Prince's involvement in the 2018 murder of Saudi and Washington Post journalist, Jamal Khashoggi.

“The alleged hacking of Mr Bezos's phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents.”

They also call for greater controls over “the unconstrained marketing, sale and use of spyware” and a “moratorium on the global sale and transfer of private surveillance technology.”

Meanwhile, the Saudi government has called the hacking reports "absurd." ®
