On November 8, 2018, Amazon CEO Jeff Bezos received an unexpected text message over WhatsApp from Saudi Arabian leader Mohammed bin Salman. The two had exchanged numbers a few months prior, in April, at a small dinner in Los Angeles, but weren’t in regular contact; Bezos had previously received only a video file from the crown prince in May that reportedly extolled Saudi Arabia’s economy. The November text had an attachment as well: an image of a woman who looked like Lauren Sanchez, with whom Bezos had been having an unreported affair.
That message appears to have been a taunt; American Media Inc., publisher of The National Inquirer, would several months later make details of the affair public. But it’s the initial contact in May that has set off another firestorm with MBS at the center. That video file was loaded with malware, investigators now say. The crown prince’s own account had been used to hack Bezos’ phone.
Such brazen targeting of a private citizen—the richest man in the world, no less—is alarming to say the least. It underscores the dangers of an unchecked private market for digital surveillance, and raises serious questions about other prominent US figures who have known relationships with the crown prince, like White House adviser Jared Kushner and President Donald Trump himself.
“This reported surveillance of Mr. Bezos, allegedly through software developed and marketed by a private company and transferred to a government without judicial control of its use, is, if true, a concrete example of the harms that result from the unconstrained marketing, sale, and use of spyware,” United Nations special rapporteurs David Kaye and Agnes Callamard said in a statement. Details provided by the UN suggest that the malware originated from a private vendor, such as Israel’s NSO Group or the Italian Hacking Team. The tie to MBS was first reported Tuesday by The Guardian.
Bezos became a Saudi target not because of Amazon but for his ownership of The Washington Post, which had published a series of critical stories about the kingdom. The November text from MBS came one month after Saudi officials murdered Post columnist and Saudi dissident Jamal Khashoggi inside the country’s Istanbul consulate. The UN probe into the attack on Bezos is based at least in part on a forensics analysis commissioned by Bezos himself and completed by FTI Consulting, a cybersecurity consulting firm. The findings are not definitive, and the firm ranked them at medium to high confidence. Similarly, the UN made clear that while its investigation indicated these results, attribution is not certain.
“All FTI Consulting client work is confidential. We do not comment on, confirm, or deny client engagements or potential engagements,” the firm told WIRED in a statement.
The Saudi embassy denied the allegations on Twitter Tuesday evening: “Recent media reports that suggest the Kingdom is behind a hacking of Mr. Jeff Bezos’ phone are absurd. We call for an investigation on these claims so that we can have all the facts out.”
According to the UN’s findings, the Saudi regime began exfiltrating large amounts of data from Bezos within hours of sending the tainted MP4 video file. FTI Consulting found that six months before the video download, Bezos’ phone averaged about 430 kilobytes of data coming from the phone per day, a small amount. Within hours of receiving the video, that number rose and the phone started averaging 101 megabytes for months afterward. The UN reports that this number sometimes even jumped into the gigabyte range, several orders of magnitude over the pre-hack baseline—indicating data exfiltration through malware.
The UN report points to Pegasus malware, developed by the cyberarms dealer NSO Group, which has adapted it for use on numerous iOS and Android versions over the past four years. Saudi Arabia first bought Pegasus from NSO Group in November 2017, according to the UN. Investigators suggest Galileo, a Hacking Team product, as another possibility. Analysis of those tools by third-party and academic researchers have shown that both are capable of compromising a device and accessing almost any data on it, from text messages, calls, contacts, and emails to apps, browsing history, and even location data.