23, Jan, 2020
Never open a WhatsApp message from the crown prince of Saudi Arabia
Bay Area! I’ll be talking with Anna Wiener about Uncanny Valley, her brilliant new memoir of a life in tech, on February 4th at Manny’s in San Francisco. It’s our second-ever Interface Live event, and it would mean the world to me if you came to say hello and talk tech and democracy with us. Get your tickets here!
Some days, when you write a column about the latest interactions between big tech platforms and the government, you try to make a meticulous and layered argument based on a series of nuanced observations about the world. Other days, you just write down a bunch of facts and say — wait, what?!
The past 24 hours have been a wait, what?! sort of day.
It has been just under a year since Amazon CEO Jeff Bezos shocked the world with a Medium post disclosing that he had been the subject of an extortion attempt, hired the best person in the world to investigate it, and promised to get to the bottom of it. The story’s elements included an extramarital affair, family betrayal, stolen nudes, and the crusading reporting of the Washington Post, which Bezos owns. Within days, a hefty amount of circumstantial evidence hinted that the government of Saudi Arabia — and its crown prince, Mohammed bin Salman, were likely involved in the scheme.
Then, on Tuesday afternoon, the Guardian published a bombshell: a forensic examination conducted at Bezos’ request by the FTI Consulting found that his phone had most likely been hacked in 2018 after he received a WhatsApp message from a personal phone number belonging to MBS himself. Stephanie Kirchgaessner reports:
The encrypted message from the number used by Mohammed bin Salman is believed to have included a malicious file that infiltrated the phone of the world’s richest man, according to the results of a digital forensic analysis.
This analysis found it “highly probable” that the intrusion into the phone was triggered by an infected video file sent from the account of the Saudi heir to Bezos, the owner of the Washington Post.
The report was subsequently confirmed by the Financial Times and New York Times, and , and Vice published the full report from FTI. Among other things, the report suggests that MBS was attempting to intimidate Bezos, months before a Post columnist — MBS critic Jamal Khashoggi — was brutally murdered on the crown prince’s orders, according to the CIA.
The United Nations has called for further investigation related to the Khashoggi murder, in which MBS continues to deny his involvement. Here’s Jared Malsin, Dustin Volz and Justin Scheck in the Wall Street Journal.
“The circumstances and timing of the hacking and surveillance of Bezos also strengthen support for further investigation by U.S. and other relevant authorities of the allegations that the Crown Prince ordered, incited, or, at a minimum, was aware of planning for but failed to stop the mission that fatally targeted Mr. Khashoggi in Istanbul,” the officials said in a statement based on their review of the forensic analysis.
“At a time when Saudi Arabia was supposedly investigating the killing of Mr. Khashoggi, and prosecuting those it deemed responsible, it was clandestinely waging a massive online campaign against Mr. Bezos and Amazon targeting him principally as the owner of The Washington Post,” Ms. Callamard and Mr. Kaye said.
Is the case against MBS being behind the hack open and shut? On one hand, there’s no smoking gun. On the other, no one has proposed a credible-sounding alternate culprit. The gist is that after MBS’ WhatsApp account sent Bezos a video file, Bezos’ phone went crazy and started transmitting an enormous amount of data:
That file shows an image of the Saudi Arabian flag and Swedish flags and arrived with an encrypted downloader. Because the downloader was encrypted this delayed or further prevented “study of the code delivered along with the video.”
Investigators determined the video or downloader were suspicious only because Bezos’ phone subsequently began transmitting large amounts of data. “[W]ithin hours of the encrypted downloader being received, a massive and unauthorized exfiltration of data from Bezos’ phone began, continuing and escalating for months thereafter,” the report states.
Still, information security types aren’t satisfied with the FTI report, arguing that someone with access to the phone and the malicious file should be able to find direct evidence that it was the culprit. See Alex Stamos on this point.
What malware was used in the attack? What vulnerabilities were exploited? Could my phone be hacked in the same way? We don’t know, we don’t know, and we don’t know, respectively.
OK, but who made the malware used in the attack? Probably one of those shadowy hacker-for-hire outfits. The FTI report “suggested that the Tel Aviv-based NSO Group and Milan-based Hacking Team had the capabilities for such an attack,” Sheera Frenkel reports in a Times piece about the hack. NSO Group denied it; Hacking Team didn’t respond.
Is this the craziest series of events ever to befall the CEO of a major tech platform? Yes and it’s not even close.