It was just a video sent through WhatsApp. And yet it is said to have been enough to infiltrate the iPhone of one of the most powerful tech entrepreneurs in the world: that of Amazon founder Jeff Bezos. The British newspaper The Guardian was the first to report it. The sender of the video, and thus the suspected attacker, is said to have been none other than the Saudi Arabian Crown Prince Mohammed bin Salman.
That sounds worryingly easy. The US magazine Vice has now published the analysis by the IT forensics specialist that examined Bezos' smartphone, the company FTI Consulting. FTI Consulting's report dates from November 2019. It states, with what it calls medium to high certainty, that Bezos' smartphone was compromised via malware sent from the WhatsApp account used by the Saudi Crown Prince. The wording has to be that cautious, because nobody knows for sure yet. And many experts are not satisfied with the depth and quality of the analysis presented, as the reactions of international experts and the assessment of a German security researcher show.
Suddenly more data flowed out
First, the report describes the following sequence of events: On May 1, 2018, Amazon CEO Bezos received a WhatsApp message from Mohammed bin Salman's account on his iPhone X. It contained a video, sent without comment, whose preview image shows a Saudi Arabian and a Swedish flag. Other reporting suggests its content was a comparison of data usage and the associated costs. As is usual with WhatsApp, the video was sent together with a downloader, which, as is also usual, was encrypted.
The forensic analysts found no malware in the video file, nor were they able to analyze the downloader more closely or to check whether it "contained malicious code in addition to the transmitted video". However, the specialists at FTI Consulting noticed that shortly after the video was received, the volume of data leaving Bezos' iPhone increased "immediately by leaps and bounds" and has not returned to its previous level since.
What could that mean? As a "very likely explanation", the report mentions techniques such as those used by "more advanced mobile spy software such as Pegasus from the NSO Group or Galileo from HackingTeam": they hook into legitimate applications and processes on the smartphone in order to disguise their activities. Large outflows of data, for example from the Safari browser and the mail client on Bezos' smartphone shortly after the suspected infection of the device, would fit that pattern.
All of this is said to have taken place over an astonishingly long period: it was not until February 2019, more than eight months after the alleged infection, that the cybersecurity company was brought in. According to the report, this happened after people in security circles had warned that Jeff Bezos' smartphone had fallen victim to a so-called Advanced Persistent Threat (APT), a rather elaborate kind of attack behind which state actors may stand.
FTI Consulting says it found no known malware on Bezos' device, nor any evidence of tools that circumvent the device's usage restrictions ("jailbreaking") or that exploit known security holes in Apple's iOS operating system. According to the FTI report, however, the fact that no evidence of known malware was found on Bezos' phone does not prove that it never existed: "Malware often contains self-destructive capabilities that can be activated if certain conditions or targets are achieved."
However, the company also appears to have run into some problems in its analysis. According to the report, encryption was enabled for iTunes backups on the device, so a password would have been required for a "complete analysis of the content of the forensic image". It is precisely this password that Jeff Bezos seems no longer to have been able to recall; at least, that is what the IT forensic analysts' search for ways to circumvent that password suggests. In the end, they reset Bezos' phone to factory settings, while at the same time claiming to have obtained "the file system and all other relevant data and artifacts".
All in all, this means that the FTI report provides evidence and indications of a connection between the attack on Bezos' smartphone and the involvement of the Gulf state, but no hard proof. Accordingly, the Saudi Arabian embassy in the United States denies any involvement in the incidents.