Motherboard has obtained and published a copy of the forensics report that suggests that Jeff Bezos's phone was hacked by Prince Mohammad Bin Salman Al Saud, possibly in a scheme to obtain kompromat that could be used as leverage to prevent the Washington Post from reporting on the death of Jamal Khashoggi, who was murdered and mutilated by agents of the prince.
The report explains how the attribution was made, describes the mechanism by which Bezos's phone was likely compromised, and references the NSO Group's notorious WhatsApp malware, which bears similarities to the tool seemingly used to attack Bezos's phone.
Motherboard consulted Sarah Edwards from the SANS Institute to assess the forensics work and she was lukewarm, calling the report "significantly incomplete" and explaining that, because the experts hadn't jailbroken Bezos's phone, they weren't able to access its full filesystem.
The forensic investigators encountered at least two obstacles in conducting their exam of Bezos's phone. The first related to the encrypted downloader. Ferrante’s team first examined the attachment alone before deciding they needed to do a full forensic imaging and analysis of the phone’s contents and traffic. They used a tool from Cellebrite (Cellebrite UFED 4PC Ultimate and Physical Analyzer) to grab forensic images from the phone and set up a secure makeshift lab to do the forensics over two days.
They did not find any malicious code embedded in the video file, but discovered that the video was delivered via an encrypted downloader hosted on WhatsApp’s media server.
“Due to end-to-end encryption employed by WhatsApp, it is impossible to decrypt the contents of the downloader to determine if it contained any malicious code in addition to the delivered video,” the investigators found.
Here Is the Technical Report Suggesting Saudi Arabia’s Prince Hacked Jeff Bezos’ Phone [David Gilbert/Motherboard]