The Question Isn’t Whether NSO Hacked Jeff Bezos’ Phone – but Whether It Was Even Hacked at All

‘There is zero information and 100 percent speculation. We don’t know if it was infected at all, it’s simply suspicions ... or Bezos’ paranoia and fear,’ says Israeli security expert

Saudi Arabia's Crown Prince Mohammed bin Salman in Jeddah, Saudi Arabia, on June 24, 2019 and Jeff Bezos, Amazon founder and CEO, in Washington, on September 13, 2018.
,AP

It is very tempting to say unambiguously that Israeli cyberattack firm NSO Group is behind the hacking of the iPhone belonging to Jeff Bezos, the CEO of Amazon and the richest person in the world. The spyware development company vehemently denies that its software was used in breaking into Bezos’ phone – and truth is, for now, that the expert report published on the incident provides no evidence whatsoever to contradict these claims – but it also supplies no evidence that can prove it either.

All the headlines stated – without any doubt or hesitation – that the phone was hacked by tools made by the Israeli company, but they were not based on a single shred of real evidence. Instead they relied on a somewhat complex formulation from the report of United Nations human rights experts:   

Hijacking the Holocaust for Putin, politics and powerHaaretz Weekly Ep. 57

“The most likely explanation for the anomalous data egress was use of mobile spyware such as NSO Group’s Pegasus or, less likely, Hacking Team’s Galileo, that can hook into legitimate applications to bypass detection and obfuscate activity,” states the report. “The amount of data being transmitted out of Bezos’ phone changed dramatically after receiving the WhatsApp video file and never returned to baseline. Following execution of the encrypted downloader sent from MBS’ account, egress on the device immediately jumped by approximately 29,000 percent.” 

What does this all mean?

The bottom line is that a few hours after Bezos received a WhatsApp message from the account belonging to Saudi Crown Prince Mohammed bin Salman, his iPhone suddenly began sending huge amounts of data – thousands of times as much as before, and which never returned to its normal, previous levels.

The researchers believe the most reasonable explanation is that the phone was attacked with advanced penetration tool, which use the tools of the operating system on the victim’s phone to hack it in a way that leaves no trace, or almost no trace.

The report does not prove it was NSO’s tools that conducted the break-in, but does say that during the period of the attack, which occurred on May 1, 2018, NSO’s Pegasus software was the most appropriate tool for such an attack, as opposed to the other software used by Saudi Arabia at the time.

But the UN researchers seem to have forgotten to mention one very important thing: Was the phone really hacked?

The UN report is in practice a summary version of the report produced by a firm called FTI Consulting, which conducted the examination of Bezos’ iPhone. The 17-page report, which was published on the MotherBoard website, describes a long list of technical examinations they conducted, and included a forensic examination using tools made by Israeli firm Cellebrite.  

So what did FTI’s experts find?

“There is zero information and 100 percent conjectures. We don’t know if there was even an infection, we simply suspect it,” an experienced Israeli security expert, who requested to remain anonymous, told Haaretz. “There is zero information that allows us to determine if it is NSO, NSA [U.S. National Security Agency] or the paranoia and fears of Jeff Bezos.”

Israeli NSO Group company on a building where they had offices in Herzliya, Israel, August 25, 2016.
Daniella Cheslow,AP

The report says the in-depth search of the phone found 192 potential indicators of a hack – but after an examination no link was found between any of them and the attack. These indicators were ruled out because they didn’t lead anywhere, and not to the command and control servers of any malware that was allegedly installed on the phone. But the report includes a list of 50 very suspicious artifacts they found, all links to websites – and all these were ruled out as being involved in the hack.

The only real evidence is the video clip Prince Mohammed sent, but this too was problematic because after studying the clip, the researchers found nothing out of the ordinary or suspicious. The problem was here they hit a dead end, because the video was sent via an encrypted WhatsApp channel, and they were unable to determine if it contained any malware too.

In short, the report has zero real evidence, and the smoking gun is completely circumstantial.

Is there anything else the researchers could have done?

The experts admit in their report that they did not “jailbreak” the phone, which means escalating your privileges on it to access the entire operating system – because Apple imposes limitations on what users can access.

In addition, other experts have made a number of recommendations as to how to delve deeper into the suspicions and what else to look for – along with comments from some that maybe the experts hired were not really that expert after all.

The researchers did not contact Citizen Lab, a Toronto University organization leading the research into use of NSO Group's services in cases of human rights abuses. In recent years Citizen Lab developed tools to better identify the various versions and exploits used by Pegasus and map any misuse of its software.

Dr. Bill Marczak, Research Fellow at Citizen Lab, suggested in a post detailing several recommendations for the researchers that they decrypt the Whatsapp downloader. According to him, it is not such an impossible fit as the FTI Consulting researchers were led to believe.