
Report on the Bezos Phone Hack [pdf] - bb88
https://assets.documentcloud.org/documents/6668313/FTI-Report-into-Jeff-Bezos-Phone-Hack.pdf
======
lawnchair_larry
There is pretty much no actual evidence here and at least a few indications
that they are not iOS forensics experts. Bezos did not choose the right
company to handle this work.

Some of their assumptions are really stretching, especially the bit about the
picture of the woman looking vaguely like his girlfriend, as if that’s an
indicator that they know about her. They seem to be working backwards from
their conclusion and trying to stretch the evidence to explain what they
want to be true.

I actually was more convinced that MBS was involved _before_ reading the
report. Now seeing this, plus the story that AMI paid her brother 200k for
leaked texts that WSJ saw and verified, really has me doubting.

~~~
arkadiyt
The report claimed they couldn't decrypt the whatsapp video, so Dino A. Dai
Zovi (head of security for CashApp) published code [1] to do it.

The report also concludes that they need to jailbreak the phone to do more
analysis, but hadn't yet for undisclosed reasons. Bezos was using an iPhone X,
which is trivial to jailbreak with checkra1n [2].

So yeah, FTI didn't know what they were doing.

[1]: [https://twitter.com/dinodaizovi/status/1221324029841244161](https://twitter.com/dinodaizovi/status/1221324029841244161)

[2]: [https://checkra.in/](https://checkra.in/)

~~~
app4soft
> _so Dino A. Dai Zovi (head of security for CashApp) published code to do
> it._

Great! May be useful to decrypt also the whatsapp videos mentioned in _Lev
Parnas_' excerpts.

FTR, just found that there are many other tools available for decrypting
whatsapp from the last two years. [0]

[0] [https://github.com/search?o=desc&q=whatsapp+decrypt&s=update...](https://github.com/search?o=desc&q=whatsapp+decrypt&s=updated&type=Repositories)

------
mikenew
> Due to end-to-end encryption employed by WhatsApp, it is virtually
> impossible to decrypt the contents of the downloader to determine if it
> contained any malicious code in addition to the delivered video.

I can't make any sense of that. The phone is the end in "end-to-end". It
contains the decryption keys. Why would "the downloader" be any different to
decrypt than the video? Also they show a screenshot of the video being sent
through WhatsApp... but they're saying that the video was downloaded via some
malicious executable? I would have thought the video would _contain_ the
malicious code. That makes no sense.

> Advanced weapons grade mobile malware typically installs itself to the root
> filesystem of a device to maintain persistence and avoid detection.

This report sounds like bullshit. It sounds like they looked at the cellular
data use, noticed an increase after this whatsapp message was sent, and did a
bunch of random stuff they barely understood to fill out the report. Their
list of "forensic tools" or whatever includes like... grep. And VirtualBox.
They also _didn't_ jailbreak the phone and look at the filesystem, so I'm not
sure what they even looked at besides just sniffing the wifi traffic.

EDIT: I reread the report. Jeff Bezos' phone was not hacked. They are claiming
that a video attachment in whatsapp contained a malicious executable that
gained full filesystem access to his iPhone based on absolutely nothing other
than the fact that his cellular data upload increased. Most of that increase
happened _almost a year later_. The guy just started using iCloud photo
backups or sent someone videos via imessage or something. There are _way_
simpler explanations for why the media got his text messages. Like, you know,
the person he sent them to showed somebody.

------
Natsu
That's a really long document to say that they weren't able to find much of
anything. They think his bandwidth usage went up for a long time after he got
a WhatsApp message from MbS' number and couldn't actually analyze any malware.
I have to wonder why they'd hack him with a video flying their own flag.

The thing about the women looking similar is really reaching and doesn't make
any sense. We already have other reports that Bezos' GF showed texts to her
brother who sold them from other reports.

Finally, what's with really rich people sending their electronics to 3rd party
security firms and not letting the Feds analyze anything directly? You'd think
that if this was really some matter of national security or whatever, you'd
want an investigation by people with subpoena power. But I guess that doesn't
matter for some reason?

~~~
lawnchair_larry
Private companies keep it closely guarded and destroy any copies of it after
the job is done. You can be reasonably confident that it won’t leave the
analysis laptops.

If you give it to the FBI, you have no guarantees. It’s property of the
government and is archived and stored indefinitely as evidence. The FBI do not
do private investigative services for important rich people, they investigate
crimes.

~~~
comment_guy
Given the motivations of a private company or the FBI, who would you really
choose? I'd go private with anything sensitive, they can't arrest me and they
have a profit motive in protecting my data.

~~~
Natsu
It would be odd for them to arrest Bezos for having his own phone hacked.

------
nodamage
Two questions (which aren't really explained in this report):

1. Did he have to actually play the video, or was simply receiving the
message enough to compromise his phone?

2. It says after his phone was compromised, a large amount of data was
extracted from his phone. Was this only WhatsApp specific data (cached pics
and videos from messages sent within the app) or did the malware actually have
full access to all of the files on his phone?

Because of iOS's sandboxing and permission system I would not have expected
that a vulnerability in WhatsApp itself would be able to grant access to the
entire phone. That seems like it would be much bigger news if it were the
case.

~~~
comex
They don't know. They weren't able to actually find the exploit code, so they
don't know how it worked or what level of access it achieved. Or whether there
even was an exploit at all.

That said, if there was an exploit, I'd be surprised if it _didn't_ escape
the iOS sandbox. As an exploit category, iOS sandbox escapes are medium
difficulty. Not as easy as WebKit exploits, or privilege escalation on some
other operating systems (...such as macOS), but still plentiful. Or from a
buyer's perspective, more expensive, but readily available. MBS doesn't
exactly have issues with expense.

By the way, image/video parsing vulnerabilities are somewhat rare themselves,
at least in stacks that only handle a small number of formats (not something
like ffmpeg or VLC with a bazillion file format parsers that nobody's looked
at in decades).

~~~
nodamage
> As an exploit category, iOS sandbox escapes are medium difficulty.

Are there any published explanations of exploits that achieve this? Just
curious what it would look like.

~~~
comex
Project Zero has some excellent writeups.

Here is one from last year where the author exploited a kernel vulnerability
that’s directly accessible from within the sandbox:

“voucher_swap: Exploiting MIG reference counting in iOS 12”

[https://googleprojectzero.blogspot.com/2019/01/voucherswap-e...](https://googleprojectzero.blogspot.com/2019/01/voucherswap-exploiting-mig-reference.html)

And here is a massive writeup, also from last year, analyzing the privilege
escalation parts of no fewer than five different exploit chains, which were
found bundled together in a real attack, each targeting a different range of
iOS versions. Not five exploits, five _chains_. It’s a great read:

“A very deep dive into iOS Exploit chains found in the wild”

[https://googleprojectzero.blogspot.com/2019/08/a-very-deep-d...](https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html)

------
zaroth
This story has frustrated me from the very first Bezos blog post [1] as a
fairly obvious counterintelligence operation.

Now a year later the story has resurfaced and it’s all the same conspiracy
theories based on nothing.

This report demonstrates as clearly as you could hope that there was no real
analysis and no real evidence of any of the absolutely extraordinary claims
made by Besos and de Becker. [2]

From what I can tell, the only reasonable conclusion is that this whole thing
was a retaliatory attack on MBS and on AMI. Yet a year later, the news
headlines are all parroting that the report proves MBS _personally_
orchestrated this exploit.

We are now at the point of _theater of the absurd_. This story has been a
smoldering load of garbage from the very beginning. [3] I can’t believe it
keeps coming around.

The closest I can find to an honest accounting is this WSJ op-ed [4], which
many here won’t like because it ties the totally flawed reporting on this
story back to similar flaws in the Russiagate reporting. That is, a story the
media wants to be true just a bit too badly.

[1] - [https://medium.com/@jeffreypbezos/no-thank-you-mr-pecker-146...](https://medium.com/@jeffreypbezos/no-thank-you-mr-pecker-146e3922310f)

[2] - [https://www.thedailybeast.com/jeff-bezos-investigation-finds...](https://www.thedailybeast.com/jeff-bezos-investigation-finds-the-saudis-obtained-his-private-information)

[3] - [https://news.ycombinator.com/item?id=19535965](https://news.ycombinator.com/item?id=19535965)

[https://news.ycombinator.com/item?id=19539943](https://news.ycombinator.com/item?id=19539943)

[4] - [https://www.wsj.com/articles/jeff-bezos-tries-to-wag-the-dog...](https://www.wsj.com/articles/jeff-bezos-tries-to-wag-the-dog-11579909357)

~~~
Natsu
The media doesn't shy even from starting wars over this stuff (the gas attacks
that weren't in Syria, WMD in Iraq, etc.). Expect them to make many layers of
conclusions like this to support some goal in, I dunno, replacing MbS with
someone they like better after a while.

------
beshrkayali
Probably "technical" should be removed from the title.

~~~
dang
Ok, removed. It doesn't seem to be how the article refers to itself, though I
can't be sure because the thing is unsearchable.

~~~
gouggoug
I think the parent was being sarcastic, referring to the really poor quality
of the report.

------
gdm85
They lost me at "encrypted downloader". The WhatsApp video attachment format
allows for...a downloader? I strongly doubt that.

Perhaps what they should have written is that they cannot decrypt the video
and thus check for an exploit within it (it's commonly called payload, because
it doesn't have to be a downloader...).

I see from other comments here that I am not the only one doubting the report
wording at the very least.

~~~
eitland
Probably an exploit.

~~~
makomk
Nope, they seem to mean the encrypted file format used by WhatsApp to transmit
and store attachments, which a competent forensics outfit should be able to
decrypt: [https://medium.com/@billmarczak/bezos-hack-mbs-mohammed-bin-...](https://medium.com/@billmarczak/bezos-hack-mbs-mohammed-bin-salman-whatsapp-218e1b4e1242)

------
an-allen
This report is a pure, unadulterated, dumpster fire. No one is explaining how
a video file is a trojan vector. Also this report has way too much background
of the “Hacking Team” that really sounds suspect from me. I just feel if you
are trying to establish that this vector was the source of a trojan - you'd
actually prove that instead of giving a page or two of conjecture on where
this code that you haven’t shown is malware - came from.

Also, obligatory, correlation does not imply causation. This report hinges on
the argument that “video received from MBS and shortly thereafter the total
data egress increased”. Okay what data was egressed? Where was it egressed to?
Just basic things are missing from this report that are relevant.

Absolute garbage.

~~~
mrobins
> Also this report has way too much background of the “Hacking Team” that
> really sounds suspect from me.

Consultants write like high school students with a ten page research paper
requirement. If you don’t have real content pad it with extra background,
bulleted lists and superfluous tables.

The final product needs to be long enough so people think real work was done
but boring enough that they don’t actually read it.

------
TekMol
What does it mean that the malicious video was delivered via "an encrypted
downloader hosted on WhatsApp's media server"?

~~~
comex
It means that they don't know what they're talking about.

A "downloader" refers to part of an exploit payload (or other malware) that
downloads additional code. But an attacker can only use a downloader _after_
triggering an exploit and getting code execution. If they're right about there
being an exploit related to the video, it would presumably be in the video
file itself; otherwise there would be no need to send an irrelevant video. But
in that case, the exploit couldn't have been used to download the video in the
first place. And why would you need to use some special code to download a
video attachment, when that's presumably part of WhatsApp's builtin
functionality? Also, even if there was a downloader involved, it would be, as
the name suggests, the thing that does the downloading – not the thing that
was downloaded.

Whether or not there was an exploit, it seems almost certain that WhatsApp
automatically downloaded the video like any other attachment, and the
encryption was WhatsApp's own end-to-end encryption. Indeed, the report itself
cites WhatsApp's end-to-end encryption in point 22, so it seems like they
should be aware of that. Maybe they just don't know what "downloader" means,
or maybe their ignorance is deeper; I can't really tell.

------
ddalex
So the billionaires of this world, Bezos and MBS, exchange memes with photos
of pretty girls. And Bezos reads The Daily Mail. Just like the rest of us,
except having way more $$$.

~~~
ikeboy
The daily mail was loaded in the forensic test, likely as an ad in some other
page.

------
jonstewart
“Former Chief of Staff of FBI’s Cyber Division” => Outlook Calendar Expert

------
l33tman
Does this refer to the GIF-parsing double-free remote whatsapp exploit
discussed in detail on HN some months ago?

[https://news.ycombinator.com/item?id=21135424](https://news.ycombinator.com/item?id=21135424)

------
thierryzoller
His internal team could have done better.

------
tasssko
This is interesting, privacy and security work both ways. Protecting us and
our data and enabling malicious actors. I have turned off Auto Downloads on
Whatsapp.

~~~
mk89
I never understood why that feature is not disabled by default. I am so tired
of this madness for frictionless UX everywhere. Just because someone has to
have everything readily available without having to click.

Where is the UX when someone sends stupid dumb pictures constantly in groups
you belong to? And those get downloaded automatically. Or where is the UX when
someone hacks your phone thanks to this "feature" enabled?

Even IE disabled this feature!

~~~
inapis
I’m still grateful that this feature is still available behind a toggle and
not whatsapp using its smarts to decide what should be downloaded or not. But
I can understand the desire for frictionless user experience because for vast
majority of the population this is not an issue. If you hold something of
significance it is up to you to practise and execute sensible security
measures.

------
ghostpepper
I don't understand why they refer to the list of 192 URLs that all turned out
to be legitimate as "IOCs"

Why would a device reaching out to bing/wikipedia/medium be considered an
indicator of compromise, or even a suspected IOC?

------
ComodoHacker
Well, no direct evidence, just co-timed egress data spikes, which no one
noticed for 9 months. If there was a hack, it was a pretty successful one.

------
alexandercrohde
tl;dr: nothing is proven yet in either direction. The report acknowledges
"ongoing work" is needed to root the phone.

Maybe they should have waited to publish until they did that.

------
imvetri
Don't read. Read comments and save your time.

------
captnswing
By downloading the pdf, will my iphone get infected? :)

------
nif2ee
If this is true and MBS wants to silence Jeff Bezos just because his owned
paper attacks him, mind you this paper just like every other major western
paper attacks him day and night since the murder of the Saudi "journalist" so
silencing one paper won't make any difference anyway. Why would he send this
infected video which is probably linked to a backdoor only a very few have
knowledge about, from his own Whatsapp account not from some associate or a
friend of Bezos who is in his contacts? This whole story doesn't seem logical
to me.

------
Slartie
This was really boring from a security or forensics perspective. Nothing
really substantial in there. But fortunately there are other angles to view
this document from: if this is authentic, it says that the richest man on the
entire planet...

...uses a two year old phone. I mean, I like my iPhone X too, but hey, if I
had like north of 100 billion dollars, I would certainly spend about 1500 of
those dollars for the newest iPhone generation every year (especially if my
older generation has an unfixable bootloader bug compromising its entire
security architecture).

...exchanges silly meme pictures with ostensibly funny texts with his
billionaire friends.

~~~
gizmodo59
Maybe he did not find any good reason to upgrade? Sometimes it's just not
worth the time rather than the money part. I'm sure a lot of people here feel
the same even though they have the means to buy one every year.

