UN urges US investigation into Bezos iPhone hacking

Amazon CEO Jeff Bezos [via Seattle City Council]

In a statement, UN Special Rapporteur Agnes Callamard and David Kaye explain the information received from a private investigation into the Bezos hacking "suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos." It is proposed the attempts were made "to influence, if not silence, The Washington Post's reporting on Saudi Arabia."

"The alleged hacking of Mr. Bezos's phone, and those of others, demands immediate investigation by US and other relevant authorities," said the rapporteurs, "including investigation of the continuous, multi-year, direct, and personal involvement of the Crown Prince in efforts to target perceived opponents."

The surveillance using malicious software "is a concrete example of the harms that result from the unconstrained marketing, sale, and use of spyware," the statement reads. "It underscores the pressing need for a moratorium on the global sale and transfer of private surveillance technology."

The UN believes the timing and circumstances of the hacking and surveillance of Bezos "also strengthen support for further investigation by US and other relevant authorities of the allegations that the Crown Prince ordered, incited, or at a minimum, was aware of planning for but failed to stop the mission that fatally targeted Mr. Khashoggi in Istanbul." Khashoggi was a journalist who wrote for the Washington Post, and whose murder during a visit to an embassy was reportedly captured on an Apple Watch.

In the summary of the analysis seen by the UN, Bezos' iPhone was infiltrated on May 1, 2018 via an MP4 video sent from a WhatsApp account personally used by Salman, with the two men exchanging contact details just one month prior to the hack.

Within hours of seeing the video, Bezos' iPhone then sent a large amount of data, raising from his daily average data egress of 430KB to 126MB, a rise of 29,156 percent. The data spiking continued for months, and at rates as high as 106 million percent higher than normal, indicating gigabytes of data was accessed.

In the full version of the report supplied to the UN by security firm FTI Consulting, published by Motherboard, Bezos' iPhone is identified as model number A1901, an iPhone X. Rather than containing malware in the video file, it is believed the attack was performed via an encrypted downloader, one that was possibly embedded in the video, which then downloaded a payload to perform the attack itself.

It is thought Crown Prince advisor and friend Saud al Qahtani procured the tools for the attack. President and chairman of the Saudi Federation for Cybersecurity, Programming, and Drones, Qahtani was apparently known for acquiring hacking tools on a regular basis, with spyware such as NSO Group's Pegasus or Hacking Team's Galileo likely to have been used to acquire the data.

For analyzing the iPhone, FTI used the Cellebrite UFED 4PC Ultimate and Physical Analyzer to acquire forensic images over a two-day period. Cellebrite is known for providing tools to law enforcement agencies for digital forensic analysis of smartphones and other devices.

Before the UN's statement, the Saudi Embassy in the United States dismissed the report on Twitter, calling the suggestion "absurd" while calling for a full investigation.