UN experts demand detailed investigation into alleged Saudi involvement in Jeff Bezos' phone hacking

UN report based on technical probe by specialists at FTI Consulting

UN special rapporteurs have called for an immediate official investigation into the alleged role of Saudi Crown Prince Mohammad bin Salman in hacking Jeff Bezos' phone.

David Kaye, United Nations Special Rapporteur on freedom of expression, and Agnes Callamard, UN Special Rapporteur on summary executions and extra-judicial killings, claim to have received information suggesting that the Saudi Crown Prince was likely involved in the hacking of Amazon CEO Jeff Bezos' phone.

Photos and other information exfiltrated from the device were subsequently used in an effort to influence Bezos-owned newspaper The Washington Post's reporting on Saudi Arabia.

"The alleged hacking of Mr Bezos's phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents," the two rapporteurs said.

"The circumstances and timing of the hacking and surveillance of Bezos also strengthen support for further investigation by US and other relevant authorities of the allegations that the Crown Prince ordered, incited, or, at a minimum, was aware of planning for but failed to stop the mission that fatally targeted Mr Khashoggi in Istanbul," they added.

The UN staff based their report on another technical report, which was ordered by Bezos into the security breach. The report [PDF] was completed by business advisory firm FTI Consulting in November 2019 and was recently leaked publically.

The FTI report, which includes the messages sent from bin Salman's WhatsApp account to Bezos, discusses in detail how the hack was performed.

According to the report, Bezos' phone was hacked in May 2018 via a WhatsApp message that came from the personal account of Saudi Crown Prince. The content shared was a malicious video file, which when opened, caused large amounts of data exfiltration from the phone.

The attackers are believed to have taken advantage of the CVE-2019-3568 buffer overflow vulnerability in WhatsApp, using an exploit crafted by Israeli security firm NSO Group, called Pegasus-3. NSO has denied any involvement in the attack.

Jeff Bezos had exchanged his number with bin Salman at a dinner in Los Angeles, Californai during Crown Prince's trip to the US.

This incident is particularly notable because in February 2019, nine months after the security breach, Bezos accused US-based tabloid National Enquirer of attempting to blackmail by threatening to publish nude pictures and text messages taken from his phone, revealing salacious details of his private life.

In January 2019, National Enquirer had published reports of Bezos' extramarital affair that led to his divorce from his wife, MacKenzie Bezos.

To find out how his personal data was leaked, Bezos put together an investigative team led by Gavin de Becker. In February 2019, de Becker's consulting firm, GDBA, retained Anthony J. Ferrante of FTI Consulting to manage a complex investigation and forensic analysis of Bezos' personal iPhone X.

FTI Consulting found that "within hours of receipt of the video from the Crown Prince's WhatsApp account, there was an anomalous and extreme change in phone behaviour, with cellular data originating from the phone (data egress) increasing by 29,156 per cent."

"Data spiking then continued over the following months at rates as much as 106,031,045 per cent higher than the pre-video data egress base line," it added.

FTI also said that the most likely explanation for "the anomalous data egress was [the] use of mobile spyware such as NSO Group's Pegasus or, less likely, Hacking Team's Galileo, that can hook into legitimate applications to bypass detection and obfuscate activity."

NSO is an Israeli security firm that has been accused of creating spyware used by governments around the world, supposedly to track terrorists and criminal groups. However, these tools are also allegedly used by governments to keep an eye on journalists and dissidents.

Last year, Gavin de Becker stated that the information from Bezos phone was acquired by Saudi government, and then its details were leaked to the National Enquirer.

He also suggested that the hack was likely linked to the murder of Jamal Khashoggi, a Saudi journalist who regularly wrote for the Bezos-owned Washington Post, criticising the autocratic leadership of Saudi Arabia.

In October last year, Facebook sued NSO Group over the spyware tools that, it claims, infected around 1,400 users in 20 countries.