SAN FRANCISCO — On the afternoon of May 1, 2018, Jeff Bezos received a message on WhatsApp from an account belonging to Saudi Arabia’s crown prince, Mohammed bin Salman.
The two men had previously communicated using WhatsApp, but Bezos, Amazon’s chief executive, had not expected a message that day — let alone one with a video of Saudi and Swedish flags with Arabic text.
The video, a file of more than 4.4 megabytes, was more than it appeared. Hidden in 14 bytes of that file was a separate bit of code that most likely implanted malware, malicious software, that gave attackers access to Bezos’ entire phone, including his photos and private communications.
Those details were part of a forensic analysis that Bezos had commissioned to discover who had hacked his phone, an iPhone X. He has been on a singular quest to find out who penetrated the device after he said The National Enquirer’s parent company threatened to release his private photographs and texts in early 2019. Those pictures and messages showed Bezos, who was married at the time, with another woman, Lauren Sanchez. The analysis did not connect the hack to The Enquirer.
The forensic report on Bezos’ phone was at the heart of a United Nations statement Wednesday raising concerns about the digital tactics of Crown Prince Mohammed. The analysis essentially accused the Saudi prince of using malware created by a private cybersecurity company to spy on and to intimidate Bezos, who also owns The Washington Post. The Post, which has published coverage critical of the Saudi government, had employed Jamal Khashoggi, a dissident Saudi writer who was killed in the Saudi consulate in Istanbul in late 2018.
The report’s conclusions renew questions about the shadowy world of private hackers for hire. For the right client, or the right sum, such hackers apparently infiltrated the phone of one of the world’s wealthiest and most powerful men. The report did not say which private cybersecurity company was used, but suggested that the Tel Aviv-based NSO Group and Milan-based Hacking Team had the capabilities for such an attack.
The hack also exposed how popular messaging platforms like WhatsApp have vulnerabilities that attackers can exploit. In October, WhatsApp sued the NSO Group in federal court, claiming that NSO’s spy technology was used on its service to target journalists and human rights activists. WhatsApp, which is owned by Facebook, has patched the flaw that the malware used.
Many technical mysteries remain about the infiltration of Bezos’ phone, including what type of malware was used. The forensic report did not detail whether Bezos had opened the file that was sent to him via Crown Prince Mohammed’s WhatsApp account. Cybersecurity experts said some malware did not require anyone to click on the file for it to install on a phone.
“This case really highlights the threats that are posed by a lawless and unaccountable private surveillance industry,” said David Kaye, the U.N. special rapporteur who was a co-author of Wednesday’s statement. “The companies who are creating these tools are extremely crafty and aggressive, and it’s a cat-and-mouse game at this point.”
The details of the hack could not be independently verified by The New York Times. Bezos has pushed a theory of Saudi involvement with the threats from The Enquirer, without providing proof, since early 2019. The Enquirer’s parent company has said Sanchez’s brother, Michael, was the sole source of the texts and intimate photos it acquired.
NSO said it was not involved in any hack of Bezos’ phone. Hacking Team did not respond to a request for comment. WhatsApp declined to comment, as did FTI Consulting, the company that Bezos’ security team hired to examine his phone and that wrote the forensic analysis. Amazon declined to comment on behalf of Bezos.
The Saudi Embassy in Washington has said that accusations that the kingdom was involved in hacking Bezos’ phone were “absurd.”
Malware that was created for the explicit purpose of prying into private online communications, also known as spyware, has become a $1 billion industry. While companies like the NSO Group and Hacking Team have been accused of deploying their spyware with governments to examine dissidents and others, smaller companies also sell simpler versions of the software for as little as $10, allowing people to snoop on their spouses or children.
Ron Deibert, the director of Citizen Lab at the University of Toronto, which was not involved in the Bezos investigation, said the Amazon chief’s situation was “a reminder that the proliferation of commercial spyware is a global security problem for all sectors, from government and businesses to civil society.”
Over the years that he has run Amazon, Bezos has largely kept private. That changed when The National Enquirer published photos and messages last year between him and Sanchez, a TV anchor. Bezos and his wife, MacKenzie Bezos, later got a divorce.
On Feb. 7, 2019, Bezos went public with what he said were troubling developments connected to The Enquirer. In a post on Medium, he accused The Enquirer of trying to blackmail him with his own text messages and photos and said he had asked Gavin de Becker, a private investigator, to determine how his phone had been hacked.
Ten days later, de Becker was advised by a “leading intelligence expert” to conduct a forensic analysis of Bezos’ iPhone and to look for Saudi fingerprints in the hack, according to notes in the report. The report did not identify the intelligence expert who reached out to de Becker.
De Becker, who declined to comment, hired FTI Consulting on Feb. 24, 2019, to examine Bezos’ phone. FTI was initially asked to look into several text messages that Bezos had received from the WhatsApp account of the Saudi prince. In mid-May 2019, Bezos handed over his iPhone X and asked FTI to run a full analysis on it, according to the report.
FTI zeroed in on an April 2018 dinner in which Crown Prince Mohammed and Bezos had exchanged phone numbers in Los Angeles. After that, FTI found, the WhatsApp account of the prince initiated contact with Bezos repeatedly and without prompting.
The May 2018 message that contained the innocuous-seeming video file came out of the blue, the report said. In the 24 hours after it was sent, Bezos’ iPhone began sending large amounts of data, which increased approximately 29,000% over his normal data usage.
In additional notes to the report, which were obtained by The New York Times, investigators said several phone apps were being used during the time that data was leaving the phone. Those included the Safari web browser and the Apple Mail program, both of which Bezos did not appear to be using heavily himself. Bezos did not have iCloud backup enabled on the phone, the notes added, which would have also explained large amounts of data leaving the phone.
Messages sent by Crown Prince Mohammed’s WhatsApp account starting in late 2018 soon began to suggest that the sender had intimate knowledge of Bezos’ private life. On Nov. 8, 2018, the report said, Bezos received a message from the account that included a photo of a woman resembling Sanchez.
The photo was captioned, “Arguing with a woman is like reading the software license agreement. In the end you have to ignore everything and click I agree.”
At the time, Bezos and his wife were discussing divorce, which would have been apparent to anyone reading his text messages.
In mid-February 2019, Bezos held a series of phone calls with his security team about the Saudis’ alleged online campaign against him, the report said. Two days later, Bezos received a message from Crown Prince Mohammed’s WhatsApp account that read, in part, “there is nothing against you or Amazon from me or Saudi Arabia.”
The report listed spyware known as Pegasus, developed by the NSO Group, and spyware called Galileo, developed by Hacking Team, as the two most likely tools used to carry out the attack. The report added that Saud al-Qahtani, a close adviser of Crown Prince Mohammed, owned a 20% stake in Hacking Team.
The FTI report was not definitive about the hack, but said it had “medium to high confidence” that the message from the prince’s WhatsApp account was the culprit. In notes to the report, FTI said it was still attempting a more thorough analysis of the iPhone, including by jailbreaking it, or bypassing Apple’s control system on the phone.
Some cybersecurity experts said more information about the hack was needed to verify the report’s conclusions. Bill Marczak, a cyber expert at Citizen Lab, said in a blog post Wednesday that technology existed for decrypting the WhatsApp messages to see more detail about the video file that was sent.
Agnes Callamard, the United Nations special rapporteur who also co-wrote Wednesday’s statement, said the episode was “a wake-up call to the international community as a whole that we are facing a technology that is very difficult to track, extremely powerful and effective, and that is completely unregulated.”
She said Bezos’ experience should sound alarms because even with his wealth and resources, it took months of investigation by specialists to figure out what had happened — a luxury few others have.
“It basically means that we are all extremely vulnerable,” she said.