It was just a video sent through WhatsApp. And yet it is said to have been enough to infiltrate the iPhone of one of the most powerful tech entrepreneurs in the world – that of Amazon founder Jeff Bezos, as the British newspaper The Guardian first reported. The sender of the video, and thus the potential attacker, is said to have been none other than the Saudi Arabian Crown Prince Mohammed bin Salman.
That sounds worryingly easy. The US magazine Vice has now published the analysis by the IT forensics specialists who examined Bezos' smartphone, the company FTI Consulting. FTI Consulting's report dates from November 2019. It states, with "medium to high certainty", that Bezos' smartphone was compromised via malware sent from the WhatsApp account used by the Saudi Crown Prince. The wording has to be that cautious, because nobody knows for sure yet. And many experts are not satisfied with the depth and quality of the analysis presented, as the reactions of international experts and the assessment of a German security researcher show.
Suddenly more data flowed out
First, the report describes the following sequence of events: On May 1, 2018, Amazon CEO Bezos received a WhatsApp message from Mohammed bin Salman's account on his iPhone X. It contained a video without comment; a screenshot of it shows a Saudi Arabian and a Swedish flag. Further research suggests that the content was a comparison of data usage and the associated costs. As usual with WhatsApp, the video was sent together with a downloader, which, as usual, was encrypted.
The forensic analysts were unable to find malware in the video file, nor were they able to analyze the downloader more closely or to check whether it "contained malicious code in addition to the transmitted video". However, the specialists at FTI Consulting noticed that shortly after the video was received, the amount of data leaving Bezos' iPhone "jumped immediately" and has not returned to its previous level since.
What could that mean? As a "very likely explanation", the report mentions techniques such as those used by "advanced mobile espionage software such as Pegasus from the NSO Group or Galileo from HackingTeam": they hook into legitimate applications and processes on the smartphone in order to disguise their activities. Large data outflows, for example from the Safari browser and the mail client on Bezos' smartphone, shortly after the suspected infection of the device would fit that pattern.
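The indicator the two paragraphs above describe is a sudden jump in outbound data volume that never settles back, with the excess attributed to otherwise legitimate apps. The following Python is an added illustration, not code from the article, from FTI Consulting or from any report: it shows how a defender who has per-day and per-app egress counters for a device (an assumption; how such counters are collected is outside the article) could flag exactly that pattern, by comparing each day against a baseline built from the preceding days and only alerting when the elevation persists, and then ranking which apps departed most from their own baseline. All byte counts are constructed sample data.

```python
"""Sustained-egress-jump detection over constructed per-day counters.

Added example; the figures and the `DailyEgress` shape are invented for
illustration and are not taken from the article or the FTI report.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class DailyEgress:
    day: str        # ISO date
    bytes_out: int  # total bytes the device sent that day


# Constructed sample: a quiet week, then a jump that stays elevated.
SAMPLE = [
    DailyEgress("2018-04-24", 400_000),
    DailyEgress("2018-04-25", 420_000),
    DailyEgress("2018-04-26", 380_000),
    DailyEgress("2018-04-27", 450_000),
    DailyEgress("2018-04-28", 410_000),
    DailyEgress("2018-04-29", 390_000),
    DailyEgress("2018-04-30", 430_000),
    DailyEgress("2018-05-01", 2_600_000),  # day of the hypothetical message
    DailyEgress("2018-05-02", 2_900_000),
    DailyEgress("2018-05-03", 2_750_000),
    DailyEgress("2018-05-04", 3_100_000),
]


def detect_sustained_jump(series, baseline_days=7, factor=3.0, min_run=3):
    """Return (day, baseline, threshold) for the first day whose egress exceeds
    `factor` times the median of the previous `baseline_days` days and stays
    above that threshold for `min_run` consecutive days; None otherwise.

    The baseline is computed only from days before the candidate, so the
    elevated days cannot raise the baseline and hide themselves. The median,
    rather than the mean, keeps a single busy day from distorting it.
    """
    for i in range(baseline_days, len(series)):
        base = median(s.bytes_out for s in series[i - baseline_days:i])
        threshold = factor * base
        run = series[i:i + min_run]
        if len(run) == min_run and all(s.bytes_out > threshold for s in run):
            return series[i].day, base, threshold
    return None


def attribute_jump(per_app_baseline, per_app_today, factor=3.0):
    """Rank apps whose egress today is more than `factor` times their own
    baseline, highest ratio first. Apps with no baseline are skipped.

    This is the per-process view the analysts describe: spyware hiding inside
    legitimate apps shows up as those apps suddenly sending far more than usual.
    """
    ranked = []
    for app, today in per_app_today.items():
        base = per_app_baseline.get(app)
        if not base:
            continue
        ratio = today / base
        if ratio > factor:
            ranked.append((app, ratio))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


# Constructed per-app figures: the bulk of the excess comes from a browser
# and a mail client, while the messaging app itself barely changes.
APP_BASELINE = {"safari": 150_000, "mail": 120_000, "whatsapp": 90_000, "system": 50_000}
APP_TODAY = {"safari": 1_500_000, "mail": 900_000, "whatsapp": 110_000, "system": 60_000}


if __name__ == "__main__":
    hit = detect_sustained_jump(SAMPLE)
    if hit:
        day, base, threshold = hit
        print(f"sustained jump from {day}: baseline {base:,} B/day, threshold {threshold:,.0f} B/day")
        for app, ratio in attribute_jump(APP_BASELINE, APP_TODAY):
            print(f"  {app}: {ratio:.1f}x its usual egress")
    else:
        print("no sustained jump found")
```

Note that this flags the *pattern* only; as the article itself stresses, a jump in egress is consistent with spyware but is not proof of it, and the next step for an analyst is to tie the excess to concrete processes and destinations rather than to infer compromise from volume alone.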
All of this is said to have happened over an astonishingly long period: it was only in February 2019, more than eight months after the alleged infection, that the cybersecurity company was brought in. According to the report, this happened after security circles had warned that Jeff Bezos' smartphone had been the victim of a so-called Advanced Persistent Threat (APT), a rather elaborate kind of attack behind which state actors may stand.
FTI Consulting does not claim to have found any known malware on Bezos' device, nor any tools that circumvent device usage restrictions ("jailbreaking") or that exploit known security vulnerabilities in Apple's iOS operating system. According to the FTI report, however, the fact that no evidence of known malware was found on Bezos' phone does not prove that it never existed: "Malware often contains self-destructive capabilities that can be activated if certain conditions or targets are achieved."
However, the company also appears to have encountered some problems in its analysis. According to the report, the device had encryption enabled for iTunes backups, so a password would have been required for a "complete analysis of the content of the forensic image". Yet it is exactly this password that Jeff Bezos does not seem to have been able to provide; at least, the IT forensic experts were looking for ways to circumvent it. In the end, they reset Bezos' phone to factory settings while, according to their own statements, obtaining "the file system and all other relevant data and artifacts".
In the end, all of this means that the FTI report provides evidence and indications of a connection between the attack on Bezos' smartphone and the involvement of the Gulf state, but no hard proof. The Saudi Arabian embassy in the United States denies any involvement in the incidents.