New Delhi | Updated: January 23, 2020 10:47:42 am
The forensic details of Amazon CEO and founder Jeff Bezos’ phone hacking from 2018 have been made public as part of a report by the United Nations. The UN human rights experts have confirmed what was earlier reported and suspected: that Bezos’ iPhone was compromised via a WhatsApp video file sent from the account of the Crown Prince of Saudi Arabia, Prince Mohammad Bin Salman. NSO Group’s Pegasus-3 was most likely used in this case, a charge that the Israeli cyber-security firm has denied.
Bezos’ phone was examined by cyber-security experts at FTI Consulting, who conducted a forensic analysis of the phone. Details of the FTI report have been published by Motherboard.
The Guardian first reported on the issue yesterday, though the Saudi link was suspected back in 2019 by Bezos’ security team. According to the UN human rights experts, the incident is being seen as a serious “contravention of fundamental international human rights standards,” and there are calls for a full-fledged investigation into the issue.
The report also acknowledges that the surveillance was part of the Crown Prince’s efforts to silence The Washington Post’s reporting on Saudi Arabia, which has been critical of Prince Salman in particular. Bezos also owns The Washington Post.
“The alleged hacking of Mr Bezos’s phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents. This reported surveillance of Mr. Bezos, allegedly through software developed and marketed by a private company and transferred to a government without judicial control of its use, is, if true, a concrete example of the harms that result from the unconstrained marketing, sale and use of spyware,” the independent UN experts said in a statement.
The WhatsApp video
According to Motherboard, initial analysis of the phone did not confirm any malware. However, a video that was sent by the Saudi Crown Prince was seen as a suspicious file. This video looked like an Arabic-language promotional film about telecommunications, with the flags of Saudi Arabia and Sweden on top.
Forensic analysis confirms WhatsApp video link
The forensic analysis report gives exact details on how Bezos’ phone was hacked. Initial technical analysis did not confirm the malware, because the video downloader was encrypted and could not be decrypted, but later analysis showed that the video file indeed carried malware.
It was clear, however, that once Bezos received the video on his iPhone, the phone started behaving abnormally, with a 29,156 per cent jump in data egress (data transferred off the device), according to the UN report. Over the months, data egress spiked at rates of nearly “106,031,045 per cent higher than the pre-video data egress base line,” or around 4.6GB of data, notes the report.
The spyware stole gigabytes’ worth of information from Bezos’ phone over the months, including his private messages and photos to his girlfriend Lauren Sanchez. These messages were later published by The National Enquirer, an American tabloid owned by American Media Inc (AMI), in January 2019.
Bezos later put out a blog post in February 2019 detailing how AMI’s CEO David Pecker was trying to blackmail him and claimed to have accessed more of his personal photos, including nudes, which they were threatening to publish. AMI wanted The Washington Post to back down from its coverage of the National Enquirer and its links to the Saudi regime.
According to the experts, the forensic analysis showed that the spyware most likely used was something like NSO Group’s Pegasus-3 malware, which has been purchased and deployed by Saudi officials in other cases as well. Previously, Amnesty International had pointed out how two of its Saudi Arabia workers were targeted with NSO’s Pegasus.
The report’s timeline also makes it clear that Facebook had itself acknowledged in November 2019 that WhatsApp could be used to exploit a user’s phone via a malicious MP4 file, as happened in the case of Bezos.
MBS taunted Bezos with offensive meme about his girlfriend
The UN report also lists a timeline of events, which points out that Bezos attended a dinner with the Crown Prince on April 4, 2018, during the course of which they exchanged phone numbers for their WhatsApp accounts.
The malicious message was sent to Bezos on May 1, 2018. On November 8, 2018, the Crown Prince appeared to taunt Bezos as he texted him a photo with an offensive caption on WhatsApp. The photo resembled Lauren Sanchez, Bezos’ current girlfriend, though the affair was not yet public. The caption read, “Arguing with a woman is like reading the Software License Agreement. In the end you have to ignore everything and click I agree.”
NSO Group’s response
NSO Group has denied the use of Pegasus to hack into Bezos’ phone, a denial they issued earlier as well. In a statement posted on their website, the company said they were “shocked and appalled by the story that has been published with respect to alleged hacking of the phone of Mr. Jeff Bezos.”
Further, the statement adds that “if this story is true, then it deserves a full investigation by all bodies providing such services to assure that their systems have not been used in this abuse.” According to them, such abuse of surveillance systems will “blacken the eye of the cyber intelligence community and put a strain on the ability to use legitimate tools to fight serious crime and terror.”
NSO has always insisted that their software is only to be used to track criminals and terrorists. The statement adds, “These type of stories highlight the need for the surveillance community to follow our lead and implement strict Human Rights Policies and to act in a compliant manner.”
The group also said they are willing to engage with the UN, Bezos and any other body to “fully understand these issues and to set guidelines and capabilities to assure the protection of human rights in the sale and use of surveillance equipment.”
The WhatsApp vulnerability
In November 2019, Facebook had confirmed vulnerability CVE-2019-11931, in which a specially crafted MP4 file sent to a WhatsApp user could be used to trigger a stack-based buffer overflow. Attackers use this kind of stack-based overflow vulnerability to gain access to a computer or, in this case, the smartphone. Facebook acknowledged that it could result in a Denial of Service (DoS) or a Remote Code Execution (RCE) attack.
An RCE attack allows hackers to run malicious code on the device in order to access and make changes on the infected device or computer. With this kind of attack, the attacker is able to gain full control over the device.
Facebook had said that the issue impacted Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100. It had asked users to update their apps in order to make sure they were not impacted by the vulnerability. In a statement, WhatsApp had also said there was no reason to believe users were impacted, but the Bezos incident shows this was clearly not true.
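For anyone managing a fleet of devices, the version list above can be turned into a simple audit. The sketch below is an added example, not code from Facebook, WhatsApp or the UN report; the platform labels and the sample inventory are constructed for illustration, and only the version thresholds come from the article.

```python
# Affected-version thresholds for CVE-2019-11931 as listed in the article.
# Platform labels are hypothetical names chosen for this example.
# Each entry is (threshold, inclusive): inclusive=True means the threshold
# version itself is affected ("before and including").
AFFECTED = {
    "android": ("2.19.274", False),
    "ios": ("2.19.100", False),
    "enterprise": ("2.25.3", False),
    "windows_phone": ("2.18.368", True),
    "business_android": ("2.19.104", False),
    "business_ios": ("2.19.100", False),
}

def parse_version(text):
    """Turn '2.19.100' into (2, 19, 100); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(platform, version):
    """Compare numerically: as plain strings, '2.19.98' sorts after '2.19.100'."""
    limit_text, inclusive = AFFECTED[platform]
    limit, ver = parse_version(limit_text), parse_version(version)
    width = max(len(limit), len(ver))          # pad so 2.19 compares as 2.19.0
    limit += (0,) * (width - len(limit))
    ver += (0,) * (width - len(ver))
    return ver <= limit if inclusive else ver < limit

def audit(inventory):
    """Return device ids that need an update. Unknown platforms or
    unreadable versions are flagged too, since they cannot be cleared."""
    flagged = []
    for device, platform, version in inventory:
        try:
            if is_affected(platform, version):
                flagged.append(device)
        except (KeyError, ValueError):
            flagged.append(device)
    return flagged

# Constructed sample inventory: (device id, platform, installed version).
SAMPLE = [
    ("phone-a", "ios", "2.19.98"),             # older than 2.19.100
    ("phone-b", "ios", "2.19.100"),            # first fixed iOS version
    ("phone-c", "windows_phone", "2.18.368"),  # threshold is inclusive
    ("phone-d", "android", "2.19.274"),        # first fixed Android version
    ("phone-e", "android", "unknown"),         # cannot be verified
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```
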
© IE Online Media Services Pvt Ltd