Just a few words (and links) about this hot topic.



The Amazon billionaire Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia, sources have told the Guardian.


But how was Jeff Bezos’ iPhone hacked?

According to a Motherboard post [1]:

The report, obtained by Motherboard, indicates that investigators set up a secure lab to examine the phone and its artifacts and spent two days poring over the device but were unable to find any malware on it. Instead, they only found a suspicious video file sent to Bezos on May 1, 2018 that “appears to be an Arabic language promotional film about telecommunications.”

That file shows an image of the Saudi Arabian flag and Swedish flags and arrived with an encrypted downloader. Because the downloader was encrypted, this delayed or further prevented “study of the code delivered along with the video.”

The report can be found here: https://assets.documentcloud.org/documents/6668313/FTI-Report-into-Jeff-Bezos-Phone-Hack.pdf


Just some highlights

A brief and simple analysis by GeekWire [3]:

But if you don’t want to read a 15+ page forensics report, here are the key points to focus on:

  1. FTI was unable in their investigation to find or identify malware on the system.
  2. FTI was unable to gain full access to the device due to lacking a password for iTunes backups.
  3. Bezos and MBS sent a message via WhatsApp on 4/4/18 to MBS and received a reply on 4/5/18, apparently to exchange phone numbers.
  4. On 5/1/18, Bezos received a message from Mohammad bin Salman (MBS) with a large video file. This “arrived unexpectedly and without explanation”.
  5. After 5/1/2019, “The amount of data being transmitted out of Bezos’ phone changed dramatically after receiving the WhatsApp video file and never returned to baseline….egress on the device [data sent from the device] immediately jumped by 29,000 percent.”


My2C

  • According to a post [2] by Bill Marczak: "the video MBS sent to Bezos could be similar to or identical to one posted by a Twitter user", and also "we encourage FTI to check whether the hash of the video is the same as the hash of any of the encodings of this video available on Twitter."
  • The analysis reported that “due to end-to-end encryption employed by WhatsApp, it is virtually impossible to decrypt the contents of the downloader [.enc file] to determine if it contained any malicious code in addition to the delivered video.”
    However, in a post on GitHub [4], Dino Dai Zovi explains "how to decrypt encrypted media files downloaded from WhatsApp".


References

  1. Here Is the Technical Report Suggesting Saudi Arabia’s Prince Hacked Jeff Bezos’ Phone
  2. Some Directions for Further Investigation in the Bezos Hack Case
  3. Decoding the Jeff Bezos phone hack: What the rest of us can learn from the forensic report
  4. https://github.com/ddz/whatsapp-media-decrypt


Additional readings