Some Directions for Further Investigation in the Bezos Hack Case

Bill Marczak
Jan 22, 2020


Numerous media reports have mentioned that Saudi Crown Prince Mohammed bin Salman (MBS) purportedly hacked Amazon CEO Jeff Bezos’ iPhone using a malicious .mp4 video file sent as an attachment via WhatsApp. FTI Consulting, a business advisory firm, conducted a forensic investigation of Jeff Bezos’ iPhone, and prepared a report that was published by Motherboard. In this technical note, we present several directions for further investigation, given our review of the FTI report.

1. Double-Check the Video that MBS Sent to Bezos

According to the FTI report, a copy of the video that MBS sent to Bezos, which is the presumed vector for infection of Bezos’ phone, was found on the device. The report includes a screenshot of the video as it appeared in the WhatsApp conversation between MBS and Bezos.

Based on a Google reverse image search, we suspect that the video in question may have been sourced from a Twitter user. The video is an Arabic-subtitled version (subtitles added by Twitter user @abdullahk5) of a video examining which countries have the highest per capita Internet data usage, and which countries have the lowest cost per gigabyte of Internet data. According to the video, Saudi Arabia has the highest per capita data usage (tied with Sweden), and has one of the lowest costs per gigabyte.

Twitter servers appear to host three copies of this video: one encoded at 320x180, one encoded at 640x360, and one encoded at 1280x720. The hashes and file sizes of the Twitter videos are listed below.

Resolution: 320x180
Filesize (bytes): 1786180
SHA256: 0d8fb1e31c955580d5c4bd41a7ff262e3cd45f54dd88e9adb3633425a952413c

Resolution: 640x360
Filesize (bytes): 4435756
SHA256: 7ea5a6036f2e3a4a33ca18f1ac33c6690cce86df371109af09a00574dda6509d

Resolution: 1280x720
Filesize (bytes): 10400078
SHA256: 193c90d8f915c41c72168c3fd46aee8644202b4d9aaef82873ae0adfcc52fb7b

Given that the video MBS sent to Bezos could be similar or identical to the one posted by this Twitter user, we encourage FTI to check whether the hash of the video matches the hash of any of the three encodings available on Twitter. A match would show that the file was relayed unmodified; a mismatch on its own is less conclusive, since the sender may simply have re-encoded or trimmed the video before sending it.

2. Decrypt the “Encrypted Downloader”

FTI’s report mentions that they found an “encrypted downloader” (a .enc file), the encrypted form in which WhatsApp transmits every file attachment, and says they were unable to decrypt it.

Based on our understanding, it is possible to decrypt the contents of a WhatsApp .enc file given a forensic extraction of the phone of the type FTI says it performed. The first 32 bytes of the ZMEDIAKEY field of the ZWAMEDIAITEM table in WhatsApp’s ChatStorage.sqlite database should hold the key for the corresponding .enc file. The decryption procedure, and code implementing it, are publicly available, and we have verified that they are sufficient to decrypt WhatsApp .enc files from a forensic extraction.

We encourage FTI to decrypt the .enc file, examine its contents, and check whether decryption yields a benign or malicious file.
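As an added, stand-alone example (not FTI’s code, and not the decryption code the note refers to), the Go program below implements the publicly documented WhatsApp media scheme and applies it to the two checks above: it derives the per-file subkeys from the 32-byte media key with HKDF-SHA256 (the info string depends on the media type, so a video attachment needs "WhatsApp Video Keys"), verifies the 10-byte HMAC-SHA256 trailer, AES-256-CBC decrypts, strips the PKCS#7 padding, and then compares the SHA-256 of the result with the three Twitter hashes from section 1. It assumes the 32-byte key has already been pulled from the first 32 bytes of ZMEDIAKEY as described above (for example with sqlite3’s hex() on the ChatStorage.sqlite extraction); that step, and reading the .enc from disk, are left out. EncryptWhatsAppMedia and the sample key and payload in main are constructed so the example runs offline; they are not case data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

var twitterHashes = map[string]string{ // SHA-256 of each Twitter encoding, copied from the note above
	"0d8fb1e31c955580d5c4bd41a7ff262e3cd45f54dd88e9adb3633425a952413c": "320x180",
	"7ea5a6036f2e3a4a33ca18f1ac33c6690cce86df371109af09a00574dda6509d": "640x360",
	"193c90d8f915c41c72168c3fd46aee8644202b4d9aaef82873ae0adfcc52fb7b": "1280x720",
}

// HKDF info string per WhatsApp media type; the attachment in question is a video.
var mediaInfo = map[string]string{"image": "WhatsApp Image Keys", "video": "WhatsApp Video Keys", "audio": "WhatsApp Audio Keys", "document": "WhatsApp Document Keys"}

// hkdfSHA256 is RFC 5869 HKDF-SHA256 with no salt (which the RFC defines as HashLen zero bytes).
func hkdfSHA256(ikm []byte, info string, length int) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size))
	ext.Write(ikm)
	prk, okm, t := ext.Sum(nil), []byte{}, []byte{}
	for i := byte(1); len(okm) < length; i++ {
		h := hmac.New(sha256.New, prk)
		h.Write(append(append(t, info...), i)) // T(i) = HMAC(PRK, T(i-1) || info || i)
		t = h.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:length]
}

// mediaKeys is the 112-byte HKDF output split as iv(16) | cipherKey(32) | macKey(32) | refKey(32).
type mediaKeys struct{ iv, cipherKey, macKey, refKey []byte }

func expandMediaKey(mediaKey []byte, kind string) (mediaKeys, error) {
	info, ok := mediaInfo[kind]
	if len(mediaKey) != 32 || !ok {
		return mediaKeys{}, fmt.Errorf("need a 32-byte media key and a known media kind, got %d bytes and %q", len(mediaKey), kind)
	}
	x := hkdfSHA256(mediaKey, info, 112)
	return mediaKeys{iv: x[:16], cipherKey: x[16:48], macKey: x[48:80], refKey: x[80:112]}, nil
}

// macTrailer is the 10-byte tag ending every .enc file: HMAC-SHA256(macKey, iv || ciphertext)[:10].
func macTrailer(k mediaKeys, ct []byte) []byte {
	m := hmac.New(sha256.New, k.macKey)
	m.Write(k.iv)
	m.Write(ct)
	return m.Sum(nil)[:10]
}

// DecryptWhatsAppMedia verifies the trailer before decrypting (a wrong key, wrong media
// type or modified file is rejected here), then AES-256-CBC decrypts and strips PKCS#7 padding.
func DecryptWhatsAppMedia(enc, mediaKey []byte, kind string) ([]byte, error) {
	k, err := expandMediaKey(mediaKey, kind)
	if err != nil || len(enc) < 10+aes.BlockSize || (len(enc)-10)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key/kind (%v) or unexpected .enc length %d", err, len(enc))
	}
	ct, tag := enc[:len(enc)-10], enc[len(enc)-10:]
	if !hmac.Equal(macTrailer(k, ct), tag) {
		return nil, fmt.Errorf("MAC mismatch: wrong key, wrong media type or modified file")
	}
	block, _ := aes.NewCipher(k.cipherKey) // 32-byte key, validated above
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, k.iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS#7 padding")
	}
	return pt[:len(pt)-pad], nil
}

// EncryptWhatsAppMedia is the inverse; it is here only so a constructed .enc sample can be built offline.
func EncryptWhatsAppMedia(plain, mediaKey []byte, kind string) ([]byte, error) {
	k, err := expandMediaKey(mediaKey, kind)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(k.cipherKey)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, k.iv).CryptBlocks(ct, padded)
	return append(ct, macTrailer(k, ct)...), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed sample key and fake MP4-like payload, not case data
	plain := append([]byte("\x00\x00\x00\x1cftypmp42"), bytes.Repeat([]byte{0xAB}, 1000)...)
	enc, _ := EncryptWhatsAppMedia(plain, key, "video")
	got, err := DecryptWhatsAppMedia(enc, key, "video")
	res, ok := twitterHashes[fmt.Sprintf("%x", sha256.Sum256(got))] // section 1 check: byte-identical to a Twitter encoding?
	fmt.Printf("err=%v decrypted=%d bytes sha256=%x twitter match=%v %q\n", err, len(got), sha256.Sum256(got), ok, res)
}
```

Because the trailer is checked before anything is decrypted, a wrong key, the wrong media type, or a modified file all fail at the MAC step, which is the first thing to look at if decryption of a real .enc "does not work". A hash match would show the decrypted file is byte-identical to one of the Twitter encodings; a mismatch calls for inspecting the decrypted contents rather than drawing a conclusion either way.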

3. Double-Check the Spikes in Egress Traffic

The FTI report mentions that their forensic analysis revealed “notable spikes in egress traffic” from Bezos’ phone “within hours” after MBS sent the video file to Bezos, which continued for more than a year.

Based on the description in FTI’s report, we suspect that this information may have been gleaned from iOS’s DataUsage.sqlite file, which is available in a forensic extraction of the phone. This database contains a table called ZLIVEUSAGE, which holds several kinds of date information alongside per-app counts of bytes uploaded and downloaded. It is unclear to the authors how FTI interpreted this data. Clarification about how the date fields in particular were interpreted would help evaluate FTI’s analysis and contrast it with other possible explanations.

We recommend that FTI clarify their analysis of the entire contents of the DataUsage.sqlite file, and of any other files examined in their determination of egress traffic spikes.
