This is how they hacked the mobile of Jeff Bezos


On March 21, 2018, Saudi Crown Prince Mohamed bin Salmán invited Jeff Bezos, owner of Amazon and The Washington Post, to a dinner in Los Angeles. The meeting took place on April 4, and Bezos and Salmán exchanged phone numbers. That same night Salmán wrote to Bezos. It is not unusual for two of the most powerful people in the world to text each other. But the Saudi prince allegedly had an additional interest in Bezos: The Washington Post published articles by the most famous Saudi dissident, Jamal Khashoggi.

Weeks later, on May 1, Bezos received an MP4 video file on WhatsApp from the prince’s number, according to a report commissioned by the businessman himself. That does not mean that the message was necessarily sent from Bin Salmán’s phone, since accounts on this application are linked to a number, which can be impersonated, and not to a specific device. It is not known whether Bezos tapped on the video, which showed a frame with a Saudi and a Swedish flag and an overlay in Arabic. What is known is that, within a few hours, his iPhone X began to behave strangely and send data at a rate thousands of times higher than usual.

At first, the founder of Amazon did not notice anything strange. Messages sent by the user and other files routinely go from a mobile phone to the cloud. But unwanted leaks can be hidden within this traffic and, linked to that video, there was supposedly some kind of malicious code that managed those leaks. Hackers had managed to access his files and applications.

About 430 kilobytes of data left Bezos’s mobile daily, a typical average for mobile users. After he received the file, the data output increased to 126 megabytes (300 times more) and settled at an average of 101 megabytes a day. The espionage continued until February 2019, and there were days when the data output reached 4.6 gigabytes (more than 10,000 times more than normal).

All this information comes from the forensic analysis of Bezos’s phone, published in part this Wednesday by the United Nations, which investigated the murder of Khashoggi, which occurred in October 2018 at the Saudi consulate in Istanbul. “The initial results did not identify the presence of any malicious code, but subsequent analyses revealed that the suspicious video had been sent through a download program encrypted on a WhatsApp server,” says the full report, prepared by a former FBI agent and leaked to the media. Due to WhatsApp encryption, the content of that program could not be established. Therefore, the main suspicion falls on that download software.

The shadow of famous companies

Suspicions about the program that Saudi Arabia allegedly used to hack Jeff Bezos point to famous companies in this field, such as the Israeli NSO or the Italian Hacking Team, makers of this type of software. The report points directly to the figure of Saud al Qahtani, a close associate of Bin Salmán who had dealings with Hacking Team four years ago.

NSO is the creator of Pegasus 3, a famous spy tool capable of accessing mobile phones without being detected. In Mexico, the government of the previous president, Enrique Peña Nieto, was implicated in a case of espionage against activists and journalists with this tool. According to a timeline also released by the UN, Saudi Arabia acquired the NSO software in November 2017, during the days when the Saudi government detained 30 regime figures at the Ritz Hotel in Riyadh.

Bezos could be just one more victim. Several friends and confidants of Khashoggi also suffered infiltrations through WhatsApp or text messages. Facebook, the company that owns WhatsApp, has denounced NSO for using its platform to send this malicious software. As a curious detail, the NSO group uses Amazon Web Services servers, owned by Bezos, to interact with the WhatsApp programmer tool, from where it allegedly coordinates the malicious deliveries.

Four weeks after Khashoggi’s murder, on November 8, 2018, Bezos received a photo with a message from the Saudi prince’s account, according to the UN report. It was an image of a woman who looked like his then lover, unknown to the public, Lauren Sanchez. The text of the message read: “Arguing with a woman is like reading a software license agreement. In the end you have to ignore everything and click ‘agree.’”

At that time Bezos was negotiating a divorce agreement with his now ex-wife. The news of the divorce became known only months later, in January 2019, first reported by the National Enquirer. Bezos accused the Enquirer of extortion for threatening to publish photos and sexual messages.

That photo was a possible veiled threat to Jeff Bezos to pressure him and his newspaper to stop investigating Khashoggi’s death. A year after the murder, in what now seems an obvious gesture of defiance, Bezos attended a ceremony in Istanbul in memory of the journalist killed in front of the Saudi consulate.

These types of attacks are personalized. No one without valuable information should, in principle, fear that their mobile will be attacked with these sophisticated tools. When it does happen, however, encrypted messaging apps are of little use. The malicious code is inside the phone and sees the same as the user, even if a message self-destructs after 30 seconds. Ordinary mobiles can do little to prevent this type of intrusion. What is surprising is that it has affected the richest man in the world, who has also made his fortune in the technology sector.
