The forensic experts who investigated Jeff Bezos’ allegedly hacked smartphone may not have used all of the available resources. The report has been published now for everyone to read.

The forensic experts who examined Jeff Bezos’ smartphone and came to the conclusion that the device was hacked through an account of the Saudi Arabian crown prince did not seem to take full advantage of their options in their work. At least that’s what a report by the security experts at FTI Consulting suggests, published by US magazine Vice and published in November 2019.

It explains how the technicians proceeded and how they came to the conclusion that Bezos’ smartphone had been compromised “with medium to high security” via a video that had come from an account of the Saudi Crown Prince.

Investigation months after the hack

The report, the authenticity of which a spokesman for FTI neither wanted to confirm nor deny to heise online, shows that the company had only received the order on February 24, 2019, the iPhone X (model A1901) from the Amazon boss investigate forensically. The suspected hack that was then discovered was more than eight months in the past. Using technology from Cellebrite, among other things, they then examined the smartphone, which did not actually arrive at FTI until May 18, 2019. The hack was over a year old. For the entire analysis, the forensic experts took three days in specially secured rooms.

According to the experts, they did not find any traces of malware, but a number of indications that point to the hack and the responsible parties. This explains how Jeff Bezos exchanged cell phone numbers with the Saudi Crown Prince Mohammed bin Salman on April 4, 2018 and contacted WhatsApp. Without explanation, a video file came over this chat on May 1st, “apparently” an advertising film in Arabic. The received file was slightly larger than the video itself. In November 2019, WhatsApp admitted a hole in older versions that could be exploited via prepared MP4 files.

Not as detailed as possible

On Facebook, Alex Stamos, the ex-security chief at Facebook, to whom WhatsApp belongs, has posted thoughts on this analysis. The behavior described is normal, but he asks how FTI saw enough of the video for “fleeting analysis” but couldn’t do any more. If the video was the point of attack, evidence should be found in it. Stamos also points out that FTI apparently did not contact WhatsApp, although it could certainly have helped. “The idea that this report is the most comprehensive thing you can do with access to your smartphone is wrong,” he says.

FTI then explains in detail that after receiving the video, the behavior of the iPhone has visibly changed. An average of 430 kilobytes had flowed from the device before May 1, 2018. Within hours of the alleged hack, this value jumped to 126 megabytes and then leveled off at around 101 megabytes. This “unauthorized data” went out via the mobile radio. In spring 2019, this value had increased significantly. The technicians present this drastic change and two other indications as sufficient evidence for the hack.

Suspicious news from the Crown Prince

According to FTI, Jeff Bezos received a photo of a woman who looks like Lauren Sanchez on November 8, 2018, from the Saudi Crown Prince’s WhatsApp account. The Amazon boss had an affair with this woman that was not publicly known at the time, but which would have been recognizable by looking into the smartphone. The photo was therefore supplemented by the text: “Arguing with a woman is like reading the terms of use. In the end, you have to ignore everything and simply click ‘Agree’.”

Two days after Bezos was informed in detail about a Saudi online campaign against him as owner of the Washington Post on February 14, 2019, another message came in the chat: “Jeff everything you hear or what you were told is not true and it is a question of time that you learn the truth: there is nothing against you or Amazon from me or Saudi Arabia “. FTI cites both as evidence that bin Salman had information from the iPhone.

The information gathered in this way supports the allegation against Saudi Arabia, but it is unclear why FTI did not find out much more. So the technicians apparently had no access to the encrypted iCloud backup, possibly because Bezos had forgotten his password. While such an access should not have brought much new to light anyway, the situation is different with a jailbreak of the device. At the time of the report, FTI was only planning to do so. Security experts have told Vice that it is only in the areas of the iPhone that are accessible in this way that references to the malware can be found. FTI also wanted to investigate the behavior of the iPhone away from WLAN with a cellular connection.