Doubt is now being cast on a reported Jeff Bezos iPhone hack, which was said to have given attackers full access to the photos and messages stored on his iPhone X.
The report was based on analysis by a cybersecurity firm commissioned by the Amazon founder to find out how private messages and photos were obtained by the National Enquirer …
Analysis by cybersecurity company FTI Consulting found that malware was embedded into a video file sent to Bezos from a WhatsApp account belonging to the Saudi crown prince, reports the New York Times.
On the afternoon of May 1, 2018, Jeff Bezos received a message on WhatsApp from an account belonging to Saudi Arabia’s crown prince, Mohammed bin Salman […]
The video, a file of more than 4.4 megabytes, was more than it appeared, according to a forensic analysis that Mr. Bezos commissioned and paid for to discover who had hacked his iPhone X. Hidden in that file was a separate bit of code that most likely implanted malware that gave attackers access to Mr. Bezos’ entire phone, including his photos and private communications.
However, CyberScoop cites other cybersecurity experts who say the FTI report is incomplete and provides only circumstantial evidence of a malware attack.
The published information has left many observers unsatisfied. Alex Stamos, the former CISO of Facebook, which owns WhatsApp, said the FTI report didn’t go far enough in its analysis.
“This FTI forensics report is not very strong. Lots of odd circumstantial evidence, for sure, but no smoking gun,” Stamos said. “The funny thing is that it looks like FTI potentially has the [device] sitting right there, they just haven’t figured out how to test it.”
In particular, experts noted that FTI hadn’t managed to decrypt the fake video file to see exactly what it contained.
“Sufficient information to decrypt the file should be present in the forensic extraction performed by FTI,” said Citizen Lab research fellow Bill Marczak, who wrote a blog post on other issues FTI failed to address.
Matt Green, an associate professor of computer science at Johns Hopkins, told CyberScoop the .enc file cited in the report indicates the keys to decrypt the downloader would have been found alongside the file itself.
“This is encrypted using keys that should also be stored on the device which raises the question of why they haven’t decrypted it and examined what’s inside,” Green told CyberScoop. “This should be decryptable using local keys if they’re around.”
CNN says that not all cybersecurity experts are as critical of FTI’s claim of a Jeff Bezos iPhone hack, however.
The report’s limited results are a reminder that it can be extremely challenging to reconstruct the activities of a determined, well-resourced hacker, said Kenneth White, a security engineer and former adviser to the Defense Department and Department of Homeland Security.
“I think it has to be evaluated in the context of the entire investigation; it’s just one part of the story,” said White. “Some of the technical critiques around how the forensics were performed and what data were and were not analyzed are fair, but this is in no way a ‘typical’ phone hacking case, if there is such a thing” […]
“There’s an absurd amount of Monday morning quarterbacking going on,” said [another] expert, who spoke on condition of anonymity in order to preserve professional relationships with the report’s critics. “This isn’t a movie — things don’t proceed in a perfect, clean way. It’s messy, and decisions are made the way they’re made.”