FTI releases preliminary investigation into Amazon CEO’s phone hack

Media, citing FTI Consulting, reported that the hackers suspected of compromising the phone of Amazon CEO Jeff Bezos had an unclear relationship with Crown Prince bin Salman. Although there was no evidence of any malware on the phone, investigators found suspicious files. Lacking Bezos' iTunes backup password, investigators reset it, suggesting that Bezos himself may have forgotten it.


(Report cover via Motherboard)

The researchers set up a secure laboratory environment to examine the phone and related devices, the report said. Despite spending two days examining the device, they found no malware on it.

Instead, they found only a suspicious video file. It was sent to Bezos on May 1, 2018, and appeared to be an Arabic-language propaganda film.

The file shows images of the flags of Saudi Arabia and Sweden and was delivered with an encrypted downloader. Because the downloader was encrypted, the researchers were unable to examine its code any further in the time available.


(Video screenshot)

The reason for treating the video and its downloader as suspect was that Bezos' phone then began transmitting large amounts of data. The report states:

Within hours of receiving the encrypted downloader, large-scale unauthorized leaks of data from Bezos' phone began. This went on for months and has been escalating since then.

In addition, the results of the digital forensics were consistent with a wider body of investigations, interviews, research and expert intelligence, prompting investigators to assess whether Bezos' phone was compromised by tools purchased by Saud al Qahtani.


(Report screenshot)

The initial findings were published by the Guardian but were criticised by information security professionals, because reports indicated that the tools used may have been developed by the Israeli company NSO Group.

NSO Group is a manufacturer of offensive mobile hacking tools, but the forensic report does not state this, saying only that the company's tools are capable of compromising Bezos' phone.

In addition to the large amount of data extracted from Bezos' mobile phone, investigators point to two unusual messages sent to Bezos from a WhatsApp account linked to the crown prince.

For example, a message on November 8, 2018, contained a photo of a woman who resembled Lauren Sanchez, at a time when their relationship had not yet become public.

Then, on February 16, a second message arrived after Bezos had been briefed, telling him not to believe everything he had heard or been told.

“Because WhatsApp uses end-to-end encryption, it is not possible to decrypt the contents of the downloader to determine whether it contains other malicious code in addition to the video,” the investigators said.

Also, during the initial attempt to collect a forensic image of the iPhone, FTI determined that the device had iTunes backup encryption enabled. A comprehensive analysis of the forensic content therefore depended on the backup encryption password.

On May 20, 2019, the researchers sought to get around this restriction and eventually obtained authorization to reset all of the settings on Bezos's iPhone X so that the backup password could be reset.

However, a mobile forensics expert told Motherboard that the investigation described in the report is not yet complete, covering only about 50 percent of what investigators would want to know. For example, the files examined were those holding saved messages, photos, contacts and so on, rather than core system files.