Some of their assumptions are really stretching, especially the bit about the picture of the woman looking vaguely like his girlfriend, as if that’s an indicator that they know about her. They seem to be working backwards from their conclusion and trying to stretch the evidence to explain what they want to be true.
I actually was more convinced that MBS was involved before reading the report. Now seeing this, plus the story that AMI paid her brother 200k for leaked texts that WSJ saw and verified, really has me doubting.
The report also concludes that they need to jailbreak the phone to do more analysis, but hadn't yet for undisclosed reasons. Bezos was using an iPhone X, which is trivial to jailbreak with checkra1n.
So yeah, FTI didn't know what they were doing.
Great! It may also be useful to decrypt the WhatsApp videos mentioned in Lev Parnas' excerpts.
FTR, I just found that there have been many other tools available for decrypting WhatsApp in the last two years.
Also, I think on some level surely Bezos must know this report is fishy? One of the pieces of evidence is that he got a message from MbS out of the blue claiming that what he'd heard about the Saudis wasn't true, which supposedly showed evidence of non-public knowledge. Except that Bezos had been dropping hints publicly that he thought the Saudis were behind this leak of his text messages in the days before.
Treatment in the US press reminded me of our own massive demonstrations before the Iraq war (which also never made it to the front pages of our “journals of record”.)
How about moving pictures? Would that do?
The technical details are extremely poor and give 0 evidence of a hack. Worse, they sometimes don’t make any sense at all, like the bit talking about a “Downloader” included in the video file.
I’m baffled that Bezos would give it any credibility whatsoever.
I think that sums up the whole problem.
If he really wanted them to get to the bottom of this, he would have hired a specialist firm. He's not an idiot for sure.
He’s not an idiot, but he isn’t a security expert. It’s actually really difficult to evaluate the competency of security experts. He got some government guy with a flashy resume who then contracted it out to some generic business consulting firm. Which is a reasonable thing for a layperson like Bezos to do, but a bad way to get actual technical experts. He would have been far better off emailing some of the security teams at Amazon for recommendations.
Not even close. A few dozen or so, most of which aren’t iOS or forensics experts. Also, nobody had this report until after it was written.
If you think executives can evaluate the competency of experts in niche fields, you are absolutely kidding yourself. This is also why nearly every CISO in the industry has absolutely no idea what they are doing.
There just isn't a way to prove anything without resorting to either a trusted third party, or maybe (in the future) some application of cryptography. And the number of people or institutions enjoying widespread acceptance as trustworthy third parties is rapidly approaching zero, partly because this "don't trust anybody" shtick has become so common.
Gavin de Becker is a good example here. He is, or used to be, among those who enjoy some trust, at least among his profession. Extending trust based on such a track record is somewhat valid, considering the mechanism: a lot of his value as a witness in court, or the court of public opinion, rests with the idea that his reputation is always worth more to him than any single case. That logic isn't bulletproof, of course. But it's valuable to also consider the cost of the fundamentalist position that nothing short of 100% scientific proof should ever be considered: the absence of trust won't motivate people to make their case better, because that's near impossible with our current means. All it will lead to is more of the current free-for-all license to define their own "facts".
> Gavin de Becker is a good example here. He is, or used to be, among those who enjoy some trust, at least among his profession.
Gavin de Becker is a literal nobody when it comes to iOS security or digital forensics. This is like saying that since Warren Buffet is a trustworthy source of investment advice, it makes sense to hire him to write your firewall rules.
I can't make any sense of that. The phone is the end in "end-to-end". It contains the decryption keys. Why would "the downloader" be any different to decrypt than the video? Also they show a screenshot of the video being sent through WhatsApp... but they're saying that the video was downloaded via some malicious executable? I would have thought the video would contain the malicious code. That makes no sense.
> Advanced weapons grade mobile malware typically installs itself to the root filesystem of a device to maintain persistence and avoid detection.
This report sounds like bullshit. It sounds like they looked at the cellular data use, noticed an increase after this WhatsApp message was sent, and did a bunch of random stuff they barely understood to fill out the report. Their list of "forensic tools" or whatever includes like... grep. And VirtualBox. They also didn't jailbreak the phone and look at the filesystem, so I'm not sure what they even looked at besides just sniffing the wifi traffic.
EDIT: I reread the report. Jeff Bezos' phone was not hacked. They are claiming that a video attachment in whatsapp contained a malicious executable that gained full filesystem access to his iPhone based on absolutely nothing other than the fact that his cellular data upload increased. Most of that increase happened almost a year later. The guy just started using iCloud photo backups or sent someone videos via imessage or something. There are way simpler explanations for why the media got his text messages. Like, you know, the person he sent them to showed somebody.
The thing about the woman looking similar is really reaching and doesn't make any sense. We already have other reports that Bezos' GF showed texts to her brother, who sold them.
Finally, what's with really rich people sending their electronics to 3rd party security firms and not letting the Feds analyze anything directly? You'd think that if this was really some matter of national security or whatever, you'd want an investigation by people with subpoena power. But I guess that doesn't matter for some reason?
If you give it to the FBI, you have no guarantees. It’s property of the government and is archived and stored indefinitely as evidence. The FBI do not do private investigative services for important rich people, they investigate crimes.
I was under the distinct impression that hacking someone's phone was not legal.
EDIT: Also, I don't know about the FBI specifically, but I would expect there to be someone to investigate reports of foreign espionage. And I have a lot of questions about whether anything from this report can be used in court now, should they identify anyone who can be held accountable.
One last thing... isn't that also an implication that they think that keeping the contents of the phone secret is more important than national security? Just what else is on there?
1. Did he have to actually play the video, or was simply receiving the message enough to compromise his phone?
2. It says after his phone was compromised, a large amount of data was extracted from his phone. Was this only WhatsApp specific data (cached pics and videos from messages sent within the app) or did the malware actually have full access to all of the files on his phone?
Because of iOS's sandboxing and permission system I would not have expected that a vulnerability in WhatsApp itself would be able to grant access to the entire phone. That seems like it would be much bigger news if it were the case.
That said, if there was an exploit, I'd be surprised if it didn't escape the iOS sandbox. As an exploit category, iOS sandbox escapes are medium difficulty. Not as easy as WebKit exploits, or privilege escalation on some other operating systems (...such as macOS), but still plentiful. Or from a buyer's perspective, more expensive, but readily available. MBS doesn't exactly have issues with expense.
By the way, image/video parsing vulnerabilities are somewhat rare themselves, at least in stacks that only handle a small number of formats (not something like ffmpeg or VLC with a bazillion file format parsers that nobody's looked at in decades).
Are there any published explanations of exploits that achieve this? Just curious what it would look like.
Here is one from last year where the author exploited a kernel vulnerability that’s directly accessible from within the sandbox:
“voucher_swap: Exploiting MIG reference counting in iOS 12”
And here is a massive writeup, also from last year, analyzing the privilege escalation parts of no fewer than five different exploit chains, which were found bundled together in a real attack, each targeting a different range of iOS versions. Not five exploits, five chains. It’s a great read:
“A very deep dive into iOS Exploit chains found in the wild”
It's more tedious, but exploits on social don't automagically leak personal data from your OS library.
Now a year later the story has resurfaced and it’s all the same conspiracy theories based on nothing.
This report demonstrates as clearly as you could hope that there was no real analysis and no real evidence of any of the absolutely extraordinary claims made by Bezos and de Becker.
From what I can tell, the only reasonable conclusion is that this whole thing was a retaliatory attack on MBS and on AMI. Yet a year later, the news headlines are all parroting that the report proves MBS personally orchestrated this exploit.
We are now at the point of theater of the absurd. This story has been a smoldering load of garbage from the very beginning. I can’t believe it keeps coming around.
The closest I can find to an honest accounting is this WSJ op-ed, which many here won’t like because it ties the totally flawed reporting on this story back to similar flaws in the Russiagate reporting. That is, a story the media wants to be true just a bit too badly.
 - https://medium.com/@jeffreypbezos/no-thank-you-mr-pecker-146...
 - https://www.thedailybeast.com/jeff-bezos-investigation-finds...
 - https://www.wsj.com/articles/jeff-bezos-tries-to-wag-the-dog...
Also, obligatory, correlation does not imply causation. This report hinges on the argument that “video received from MBS and shortly thereafter the total data egress increased”. Okay what data was egressed? Where was it egressed to? Just basic things are missing from this report that are relevant.
Consultants write like high school students with a ten page research paper requirement. If you don’t have real content pad it with extra background, bulleted lists and superfluous tables.
The final product needs to be long enough so people think real work was done but boring enough that they don’t actually read it.
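The questions raised above (what data was egressed, and where to) are the checks a forensic analyst would run before treating a rise in total egress as evidence of anything. The following is an added example, not code from the FTI report or from any commenter here: it takes constructed per-flow upload records (day, destination host, bytes; the hosts and the TEST-NET-3 address 203.0.113.77 are placeholders, not observations from the Bezos device), finds days whose total egress is far above the baseline, and then breaks the flagged day down by destination so that volume going to a known, expected service is separated from volume that is actually unexplained. The threshold factor and the list of "known" hosts are assumptions chosen for the example.

```python
"""Added example: break a mobile-egress spike down by destination.

Constructed flow records: (day, destination_host, bytes_uploaded).
None of these values come from any real device or report.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: a quiet baseline for five days, then one day whose
# upload volume is dominated by a hypothetical cloud-backup host, with a
# smaller amount going to an address (RFC 5737 TEST-NET-3) we cannot explain.
FLOWS = [
    (1, "api.example-cdn.net", 20_000),
    (1, "mmg.whatsapp.net", 150_000),
    (2, "mmg.whatsapp.net", 120_000),
    (2, "www.bing.com", 30_000),
    (3, "mmg.whatsapp.net", 180_000),
    (4, "en.wikipedia.org", 25_000),
    (4, "mmg.whatsapp.net", 140_000),
    (5, "mmg.whatsapp.net", 160_000),
    (6, "p62-content.icloud.com", 9_500_000),  # hypothetical backup endpoint
    (6, "mmg.whatsapp.net", 130_000),
    (6, "203.0.113.77", 2_000_000),             # unexplained destination
]

# Assumed "expected" destinations for this device: first-party messaging
# media servers and a cloud backup host. In a real case this list comes
# from the owner's configured accounts, not from guesswork.
KNOWN_HOSTS = {"mmg.whatsapp.net", "p62-content.icloud.com"}


def daily_totals(flows):
    """Total bytes uploaded per day: the only number a 'total egress
    increased' argument looks at."""
    totals = defaultdict(int)
    for day, _host, nbytes in flows:
        totals[day] += nbytes
    return dict(totals)


def spike_days(totals, factor=5.0):
    """Days whose total exceeds `factor` times the median daily total.
    The median is robust to the spike itself being in the sample."""
    baseline = median(totals.values())
    return sorted(day for day, total in totals.items()
                  if total > factor * baseline)


def breakdown(flows, day):
    """Per-destination bytes for one day, largest first, with the
    fraction of that day's total each destination accounts for."""
    per_host = defaultdict(int)
    for d, host, nbytes in flows:
        if d == day:
            per_host[host] += nbytes
    total = sum(per_host.values())
    return [(host, nbytes, nbytes / total)
            for host, nbytes in sorted(per_host.items(),
                                       key=lambda kv: kv[1], reverse=True)]


def attribute(flows, day, known_hosts=KNOWN_HOSTS):
    """Split a day's egress into bytes going to known services and bytes
    going somewhere unexplained. Only the second number supports a claim
    of exfiltration, and even then only after the destination is examined."""
    explained = unexplained = 0
    unexplained_hosts = []
    for host, nbytes, _frac in breakdown(flows, day):
        if host in known_hosts:
            explained += nbytes
        else:
            unexplained += nbytes
            unexplained_hosts.append(host)
    return {"explained": explained,
            "unexplained": unexplained,
            "unexplained_hosts": unexplained_hosts}


if __name__ == "__main__":
    totals = daily_totals(FLOWS)
    for day in spike_days(totals):
        print(f"day {day}: total {totals[day]:,} bytes")
        for host, nbytes, frac in breakdown(FLOWS, day):
            print(f"  {host:<26} {nbytes:>12,} ({frac:.1%})")
        print("  attribution:", attribute(FLOWS, day))
```

On the constructed data the only flagged day is day 6, and the breakdown shows that over 80% of that day's volume went to the assumed backup host; what remains unexplained is the 2 MB to 203.0.113.77, which is the figure an analyst would then have to chase down (whose address, what protocol, what content) before saying anything about compromise. Total egress alone cannot distinguish the two.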
Perhaps what they should have written is that they cannot decrypt the video and thus check for an exploit within it (it's commonly called a payload, because it doesn't have to be a downloader...).
I see from other comments here that I am not the only one doubting the report wording at the very least.
A "downloader" refers to part of an exploit payload (or other malware) that downloads additional code. But an attacker can only use a downloader after triggering an exploit and getting code execution. If they're right about there being an exploit related to the video, it would presumably be in the video file itself; otherwise there would be no need to send an irrelevant video. But in that case, the exploit couldn't have been used to download the video in the first place. And why would you need to use some special code to download a video attachment, when that's presumably part of WhatsApp's builtin functionality? Also, even if there was a downloader involved, it would be, as the name suggests, the thing that does the downloading – not the thing that was downloaded.
Whether or not there was an exploit, it seems almost certain that WhatsApp automatically downloaded the video like any other attachment, and the encryption was WhatsApp's own end-to-end encryption. Indeed, the report itself cites WhatsApp's end-to-end encryption in point 22, so it seems like they should be aware of that. Maybe they just don't know what "downloader" means, or maybe their ignorance is deeper; I can't really tell.
Where is the UX when someone sends stupid dumb pictures constantly in groups you belong to? And those get downloaded automatically. Or where is the UX when someone hacks your phone thanks to this "feature" enabled?
Even IE disabled this feature!
Why would a device reaching out to bing/wikipedia/medium be considered an indicator of compromise, or even a suspected IOC?
Maybe they should have waited to publish until they did that.
...uses a two-year-old phone. I mean, I like my iPhone X too, but hey, if I had like north of 100 billion dollars, I would certainly spend about 1500 of those dollars for the newest iPhone generation every year (especially if my older generation has an unfixable bootloader bug compromising its entire security architecture).
...exchanges silly meme pictures with ostensibly funny texts with his billionaire friends.
This is part of his personality; here billionaire Jeff Bezos is explaining why he is driving an old Honda Accord: https://youtu.be/iJQdj9EhQoQ
– “It’s a perfectly good car”.