Hacker News new | past | comments | ask | show | jobs | submit login
Report on the Bezos Phone Hack [pdf] (documentcloud.org)
213 points by bb88 27 days ago | hide | past | web | favorite | 65 comments



There is pretty much no actual evidence here and at least a few indications that they are not iOS forensics experts. Bezos did not choose the right company to handle this work.

Some of their assumptions are really stretching, especially the bit about the picture of the woman looking vaguely like his girlfriend, as if that’s an indicator that they know about her. They seem to be working backwards from their conclusion and trying to stretch the evidence to the explain what they want to be true.

I actually was more convinced that MBS was involved before reading the report. Now seeing this, plus the story that AMI paid her brother 200k for leaked texts that WSJ saw and verified, really has me doubting.


The report claimed they couldn't decrypt the whatsapp video, so Dino A. Dai Zovi (head of security for CashApp) published code [1] to do it.

The report also concludes that they need to jailbreak the phone to do more analysis, but hadn't yet for undisclosed reasons. Bezos was using an iPhone X, which is trivial to jailbreak with checkra1n [2].

So yeah, FTI didn't know what they were doing.

[1]: https://twitter.com/dinodaizovi/status/1221324029841244161

[2]: https://checkra.in/


> so Dino A. Dai Zovi (head of security for CashApp) published code to do it.

Great! May be useful to decrypt also the whatsapp videos, mentioned in Lev Parnas' excerpts.

FTR, Just found that there are many other tools available for decrypt whatsapp in last two years.[0]

[0] https://github.com/search?o=desc&q=whatsapp+decrypt&s=update...


It looks like the experts that AP are paying attention to came to the same conclusion too: https://apnews.com/e3cf702ac669dc9b3d1497a1157bd0b0

Also, I think on some level surely Bezos must know this report is fishy? One of the pieces of evidence is that he got a message from MbS out of the blue claiming that what he'd heard about the Saudis wasn't true, which supposedly showed evidence of non-public knowledge. Except that Bezos had been dropping hints publicly that he thought the Saudis were behind this leak of his text messages in the days before.


Is this the same AP that reported "thousands" of Iraqis demonstrated the other day? (There were actually a million people, according to Iraq's own government.)


AP reported "tens of thousand" and the government may have its own reasons for inflating a number, so I wouldn't take that as necessarily the last word in accurate counting.


No AP reporting, including the pictures used, were the distortion of facts. There are pictures of this event and you can find it on the net. It was massive.

Treatment in the US press reminded me of our own massive demonstrations before the Iraq war (which also never made it to the front pages of our “journals of record”.)


If you would post a link to one of these pictures that unequivocally shows a crowd of around a million, that would be helpful.



This report is a joke and makes no sense.

The technical details are extremely poor and give 0 evidence of a hack. Worst, they sometime don’t make any sense at all, like the bit talking about a “Downloader” included in the video file.

I’m baffled that Bezos would give it any credibility whatsoever.


>Bezos did not choose the right company to handle this work.

I think that sums up the whole problem.


It also assumes that he hired them to find out the truth, rather than to create plausible deniability for Sanchez or whichever one of her relatives that had shared Bezos's dick pics.

If he really wanted them to get to the bottom of this, he would have hired a specialist firm. He's not an idiot for sure.


He didn’t hire them for plausible deniability.

He’s not an idiot, but he isn’t a security expert. It’s actually really difficult to evaluate the competency of security experts. He got some government guy with a flashy resume who then contracted it out to some generic business consulting firm. Which is a reasonable thing for a layperson like Bezos to do, but a bad way to get actual technical experts. He would have been far better off emailing some of the security teams at Amazon for recommendations.


One of the main skills a good executive needs is evaluating the competence of people they hire without knowing those people's jobs. Bezos is one of the best people in the world, and I'm sure he can smell bullshit better, and from farther away than any of us here. An inebriated baboon can see that these people don't know what they're talking about. Bezos likely has hundreds, if not thousands of industry-leading security experts working for him at Amazon. A five minute due diligence check by them would result in advice to hire someone else, and likely in a recommendation on who to hire.


> Bezos likely has hundreds, if not thousands of industry-leading security experts working for him at Amazon.

Not even close. A few dozen or so, most of which aren’t iOS or forensics experts. Also, nobody had this report until after it was written.

If you think executives can evaluate the competency of experts in niche fields, you are absolutely kidding yourself. This is also why nearly every CISO in the industry has absolutely no idea what they are doing.


Really? In a company with 300K+ employees you estimate that there are only a few dozen people who can vet a security consultancy by checking if it previously did any successful iOS forensic work?


I have worked there, in security, so yes.


The theory about the similarly-looking women was laughable, I kept reading forgiving that one...


It's impossible to provide "actual evidence" isn't it? Sure, maybe detailed log files are more convincing than a single (hypothetical) page saying "X did it". But as far as I can tell from online discussions I've followed over the years, more details just adds possibilities to find real or imagined faults with what you're releasing. Example: Barack Obama's birth certificate.

There just isn't a way to proof anything without resorting to either a trusted third party, or maybe (in the future) some application of cryptography. And the number of people or institutions enjoying widespread acceptance as trustworthy third parties is rapidly approaching zero, partly because this "don't trust anybody" shtick has become so common.

Gavin de Becker is a good example here. He is, or used to be, among those who enjoy some trust, at least among his profession. Extending trust based on such a track record is somewhat valid, considering the mechanism: a lot of his value as a witness in court, or the court of public opinion, rests with the idea that his reputation is always more to him than any single case. That logic isn't bulletproof, of course. But it's valuable to also consider the cost of the fundamentalist position that nothing short of 100% scientific proof should ever be considered: the absence of trust won't motivated people to better make their case, because that's near impossible with our current means. All it will lead to is more of the current free-for-all license to define their own "facts".


No, it’s possible to prove way more than what is in the report. They failed to investigate many obvious things, and they misunderstood what they did look at (the data exfiltration traffic in particular, which is the only thing even approaching circumstantial evidence). Nobody is saying we need 100% solid proof, they’re saying that what is in this report is not only not 100%, but it’s not even 25%. It’s a total nothingburger. There is nothing in this report to suggest that there is even anything wrong with this phone, or that it was ever hacked by anyone, let alone MBS.

> Gavin de Becker is a good example here. He is, or used to be, among those who enjoy some trust, at least among his profession.

Gavin de Becker is a literal nobody when it comes to iOS security or digital forensics. This is like saying that since Warren Buffet is a trustworthy source of investment advice, it makes sense to hire him to write your firewall rules.


> Due to end-to-end encryption employed by WhatsApp, it is virtually impossible to decrypt the contents of the downloader to determine if it contained any malicious code in addition to the delivered video.

I can't make any sense of that. The phone is the end in "end-to-end". It contains the decryption keys. Why would "the downloader" be any different to decrypt than the video? Also they show a screenshot of the video being sent through WhatsApp... but they're saying that the video was downloaded via some malicious executable? I would have thought the video would contain the malicious code. That makes no sense.

> Advanced weapons grade mobile malware typically installs itself to the root filesystem of a device to maintain persistence and avoid detection.

This report sounds like bullshit. It sounds like they looked at the cellular data use, noticed an increase after this whatsapp message was sent, and did a bunch of random stuff they barely understood to fill out the report. Their list of "forensic tools" or whatever includes like... grep. And virutalbox. They also didn't jailbreak the phone and look at the filesystem, so I'm not sure what they even looked at besides just sniffing the wifi traffic.

EDIT: I reread the report. Jeff Bezos' phone was not hacked. They are claiming that a video attachment in whatsapp contained a malicious executable that gained full filesystem access to his iPhone based on absolutely nothing other than the fact that his cellular data upload increased. Most of that increase happened almost a year later. The guy just started using iCloud photo backups or sent someone videos via imessage or something. There are way simpler explanations for why the media got his text messages. Like, you know, the person he sent them to showed somebody.


That's a really long document to say that they weren't able to find much of anything. They think his bandwidth usage went up for a long time after he got a WhatsApp message from MbS' number and couldn't actually analyze any malware. I have to wonder why they'd hack him with a video flying their own flag.

The thing about the women looking similar is really reaching and doesn't make any sense. We already have other reports that Bezos' GF showed texts to her brother who sold them from other reports.

Finally, what's with really rich people sending their electronics to 3rd party security firms and not letting the Feds analyze anything directly? You'd think that if this was really some matter of national security or whatever, you'd want an investigation by people with subpoena power. But I guess that doesn't matter for some reason?


Private companies keep it closely guarded and destroy any copies of it after the job is done. You can be reasonably confident that it won’t leave the analysis laptops.

If you give it to the FBI, you have no guarantees. It’s property of the government and is archived and stored indefinitely as evidence. The FBI do not do private investigative services for important rich people, they investigate crimes.


> The FBI do not do private investigative services for important rich people, they investigate crimes.

I was under the distinct impression that hacking someone's phone was not legal.

EDIT: Also, I don't know about the FBI specifically, but I would expect there to be someone to investigate reports of foreign espionage. And I have a lot of questions about whether anything from this report can be used in court now, should they identify anyone who can be held accountable.

One last thing... isn't that also an implication that they think that keeping the contents of the phone secret is more important than national security? Just what else is on there?


Given the motivations of a private company or the FBI, who would you really choose? I'd go private with anything sensitive, they can't arrest me and they have a profit motive in protecting my data.


It would be odd for them to arrest Bezos for having his own phone hacked.


The only part I appreciated is the description of the preparation of the lab, which sounded quite good and proper.


Two questions (which aren't really explained in this report):

1. Did he have to actually play the video, or was simply receiving the message enough to compromise his phone?

2. It says after his phone was compromised, a large amount of data was extracted from his phone. Was this only WhatsApp specific data (cached pics and videos from messages sent within the app) or did the malware actually have full access to all of the files on his phone?

Because of iOS's sandboxing and permission system I would not have expected that a vulnerability in WhatsApp itself would be able to grant access to the entire phone. That seems like it would be much bigger news if it were the case.


They don't know. They weren't able to actually find the exploit code, so they don't know how it worked or what level of access it achieved. Or whether there even was an exploit at all.

That said, if there was an exploit, I'd be surprised if it didn't escape the iOS sandbox. As an exploit category, iOS sandbox escapes are medium difficulty. Not as easy as WebKit exploits, or privilege escalation on some other operating systems (...such as macOS), but still plentiful. Or from a buyer's perspective, more expensive, but readily available. MBS doesn't exactly have issues with expense.

By the way, image/video parsing vulnerabilities are somewhat rare themselves, at least in stacks that only handle a small number of formats (not something like ffmpeg or VLC with a bazillion file format parsers that nobody's looked at in decades).


> As an exploit category, iOS sandbox escapes are medium difficulty.

Are there any published explanations of exploits that achieve this? Just curious what it would look like.


Project Zero has some excellent writeups.

Here is one from last year where the author exploited a kernel vulnerability that’s directly accessible from within the sandbox:

“voucher_swap: Exploiting MIG reference counting in iOS 12”

https://googleprojectzero.blogspot.com/2019/01/voucherswap-e...

And here is a massive writeup, also from last year, analyzing the privilege escalation parts of no fewer than five different exploit chains, which were found bundled together in a real attack, each targeting a different range of iOS versions. Not five exploits, five chains. It’s a great read:

“A very deep dive into iOS Exploit chains found in the wild”

https://googleprojectzero.blogspot.com/2019/08/a-very-deep-d...


WhatsApp uses system address book for a few things, has photo sharing, and has video calling so it's reasonably likely it had been granted access to contacts, photos, camera, and microphone.


Yeah I suppose we should not be surprised by that, I'm just curious whether the exploit 1) only gave access to data that WhatsApp would normally have permission to access, or 2) gave access to the entire phone regardless of permissions.


These apps ask for camera roll and camera access permissions and usually get them, which would render sandboxing (for photos and videos) irrelevant.


Pro-tip only give access to camera for social apps. If you want to share fast use camera from within app. If you want to share something from your photo library copy/paste between apps.

It more tedious, but exploit on social don't automagically leak personal data from your OS library.


Photo access is also location history access from reading the gps tags and time stamps from my photo history, so I grant photo access to approximately zero apps. I will paste photos in if I need to.


This story has frustrated me from the very first Bezos blog post [1] as a fairly obvious counterintelligence operation.

Now a year later the story has resurfaced and it’s all the same conspiracy theories based on nothing.

This report demonstrates as clearly as you could hope that there was no real analysis and no real evidence of any of the absolutely extraordinary claims made by Besos and de Becker. [2]

From what I can tell, the only reasonable conclusion is that this whole thing was a retaliatory attack on MBS and on AMI. Yet a year later, the news headlines are all parroting that the report proves MBS personally orchestrated this exploit.

We are now at the point of theater of the absurd. This story has been a smoldering load of garbage from the very beginning. [3] I can’t believe it keeps coming around.

The closest I can find to an honest accounting is this WSJ op-ed [4], which many here won’t like because it ties the totally flawed reporting on this story back to similar flaws in the Russiagate reporting. That is, a story the media wants to be true just a bit too badly.

[1] - https://medium.com/@jeffreypbezos/no-thank-you-mr-pecker-146...

[2] - https://www.thedailybeast.com/jeff-bezos-investigation-finds...

[3] - https://news.ycombinator.com/item?id=19535965

https://news.ycombinator.com/item?id=19539943

[4] - https://www.wsj.com/articles/jeff-bezos-tries-to-wag-the-dog...


The media doesn't shy even from starting wars over this stuff (the gas attacks that weren't in Syria, WMD in Iraq, etc.). Expect them to make many layers of conclusions like this to support some goal in, I dunno, replacing MbS with someone they like better after a while.


Probably "technical" should be removed from the title.


Ok, removed. It doesn't seem to be how the article refers to itself, though I can't be sure because the thing is unsearchable.


I think the parent was being sarcastic, referring to the really poor quality of the report.


This report is a pure, unadulterated, dumpster fire. No one is explaining how a video file is a trojan vector. Also this report has way too much background of the “Hacking Team” that really sounds suspect from me. I just feel if you are trying to establish that this vector was the source of a trojan - youd actually prove that instead of giving a page or two of conjecture on where this code that you haven’t shown is malware - came from.

Also, obligatory, correlation does not imply causation. This report hinges on the argument that “video received from MBS and shortly thereafter the total data egress increased”. Okay what data was egressed? Where was it egressed to? Just basic things are missing from this report that are relevant.

Absolute garbage.


> Also this report has way too much background of the “Hacking Team” that really sounds suspect from me.

Consultants write like high school students with a ten page research paper requirement. If you don’t have real content pad it with extra background, bulleted lists and superfluous tables.

The final product needs to be long enough so people think real work was done but boring enough that they don’t actually read it.


They lost me at "encrypted downloader". The WhatsApp video attachment format allows for...a downloader? I strongly doubt that.

Perhaps what they should have written is that they cannot decrypt the video and thus check for an exploit within it (it's commonly called payload, because it doesn't have to be a downloader...).

I see from other comments here that I am not the only one doubting the report wording at the very least.


Probably an exploit.


Nope, they seem to mean the encrypted file format used by WhatsApp to transmit and store attachments, which a competent forensics outfit should be able to decrypt: https://medium.com/@billmarczak/bezos-hack-mbs-mohammed-bin-...


What does it mean that the malicious video was delivered via "an encrypted downloader hosted on WhatsApp's media server"?


It means that they don't know what they're talking about.

A "downloader" refers to part of an exploit payload (or other malware) that downloads additional code. But an attacker can only use a downloader after triggering an exploit and getting code execution. If they're right about there being an exploit related to the video, it would presumably be in the video file itself; otherwise there would be no need to send an irrelevant video. But in that case, the exploit couldn't have been used to download the video in the first place. And why would you need to use some special code to download a video attachment, when that's presumably part of WhatsApp's builtin functionality? Also, even if there was a downloader involved, it would be, as the name suggests, the thing that does the downloading – not the thing that was downloaded.

Whether or not there was an exploit, it seems almost certain that WhatsApp automatically downloaded the video like any other attachment, and the encryption was WhatsApp's own end-to-end encryption. Indeed, the report itself cites WhatsApp's end-to-end encryption in point 22, so it seems like they should be aware of that. Maybe they just don't know what "downloader" means, or maybe their ignorance is deeper; I can't really tell.


So the billionaires of this world, Bezos and MBS, exchange memes with photos of pretty girls. And Bezos reads The Daily Mail. Just like the rest of us, except having way more $$$.


The daily mail was loaded in the forensic test, likely as an ad in some other page.


“Former Chief of Staff of FBI’s Cyber Division” => Outlook Calendar Expert


Does this refer to the GIF-parsing double-free remote whatsapp exploit discussed in detail on HN some months ago?

https://news.ycombinator.com/item?id=21135424


His internal team could have done better.


This is interesting, privacy and security work both ways. Protecting us and our data and enabling malicious actors. I have turned off Auto Downloads on Whatsapp.


I never understood why that feature is not disabled by default. I am so tired of this madness for frictionless UX everywhere. Just because someone has to have everything readily available without having to click.

Where is the UX when someone sends stupid dumb pictures constantly in groups you belong to? And those get downloaded automatically. Or where is the UX when someone hacks your phone thanks to this "feature" enabled?

Even IE disabled this feature!


I’m still grateful that this feature is still available behind a toggle and not whatsapp using its smarts to decide what should be downloaded or not. But I can understand the desire for frictionless user experience because for vast majority of the population this is not an issue. If you hold something of significance it is upto you to practise and execute sensible security measures.


Yes, I agree. It should be turned off by default.


I don't understand why they refer to the list of 192 URLs that all turned out to be legitimate as "IOCs"

Why would a device reaching out to bing/wikipedia/medium be considered an indicator of compromise, or even a suspected IOC?


Well, no direct evidence, just co-timed egress data spikes, which no one noticed for 9 months. If there was a hack, it was a pretty successful one.


tl; dr: nothing is proven yet in either direction. The report acknowledges "ongoing work" is needed to root the phone.

Maybe they should have waited to publish until they did that.


Don't read. Read comments and save your time.


by downloading the pdf, will my iphone get infected? :)


This was really boring from a security or forensics perspective. Nothing really substantial in there. But fortunately there are other angles to view this document from: if this is authentic, it says that the richest man on the entire planet...

...uses a two year old phone. I mean, I like my iPhone X too, but hey, if I had like north of 100 billion dollars, I would certainly spend about 1500 of those dollars for the newest iPhone generation every year (especially if my older generation has an unfixable bootloader bug compromising its entire security architecture).

...exchanges silly meme pictures with ostensibly funny texts with his billionaire friends.


May be he did not find any good reason to upgrade? Sometimes its just not worth the time rather than the money part. I'm sure a lot of people here feel the same even though they have the means to buy one every year.


Well, at least it is not a Nokia 3310.

This is part of his personality, here billionaire Jeff Bezos explaining why he is driving old Honda Accord: https://youtu.be/iJQdj9EhQoQ

– “It’s perfectly good car”.




Applications are open for YC Summer 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: