Forensic Investigators Find That Jeff Bezos’ iPhone Was Likely Compromised Directly by the Crown Prince of Saudi Arabia

Mehul Srivastava, Financial Times:

Forensic experts hired by Jeff Bezos have concluded with “medium to high confidence” that a WhatsApp account used by Saudi Crown Prince Mohammed bin Salman was directly involved in a 2018 hack of the Amazon founder’s phone.

A report on the hack, which has been seen by the Financial Times, says Mr Bezos’ phone started surreptitiously sharing vast amounts of data immediately after receiving an apparently innocuous, but encrypted video file from the prince’s WhatsApp account in May 2018.

Kim Zetter and Joseph Cox of Vice obtained that report:

That file shows an image of the Saudi Arabian flag and Swedish flags and arrived with an encrypted downloader. Because the downloader was encrypted this delayed or further prevented “study of the code delivered along with the video.”

Investigators determined the video or downloader were suspicious only because Bezos’ phone subsequently began transmitting large amounts of data. “[W]ithin hours of the encrypted downloader being received, a massive and unauthorized exfiltration of data from Bezos’ phone began, continuing and escalating for months thereafter,” the report states.

Investigators say in the report that their efforts were hampered somewhat by WhatsApp’s encryption, but they have suggested that a followup step would be to jailbreak Bezos’ iPhone to examine its file system.

Also of note: Bezos creates an encrypted backup of his iPhone using iTunes; he has iCloud Backups disabled. But investigators were not able to extract the encrypted backup. It’s unclear whether Bezos forgot his password or was unable to supply it for another reason.