Numerous media reports have mentioned that Saudi Crown Prince Mohammed bin Salman (MBS) purportedly hacked Amazon CEO Jeff Bezos’ iPhone using a malicious .mp4 video file sent as an attachment via WhatsApp. FTI Consulting, a business advisory firm, conducted a forensic investigation of Jeff Bezos’ iPhone, and prepared a report that was published by Motherboard. In this technical note, we present several directions for further investigation, given our review of the FTI report.
1. Double-Check the Video that MBS Sent to Bezos
According to the FTI report, a copy of the video that MBS sent to Bezos, which is the presumed vector for infection of Bezos’ phone, was found on device. The report includes a screenshot of the video as it appeared in the WhatsApp conversation between MBS and Bezos.
Based on a Google reverse image search, we suspect that the video in question may have been sourced from a Twitter user. The video is an Arabic-subtitled version (subtitles added by Twitter user @abdullahk5) of a video examining which countries have the highest per capita Internet data usage, and which countries have the lowest cost per gigabyte of Internet data. According to the video, Saudi Arabia has the highest per capita data usage (tied with Sweden), and has one of the lowest costs per gigabyte.
Twitter servers appear to host three copies of this video: one encoded at 320x180, one encoded at 640x360, and one encoded at 1280x720. The hashes and file sizes of the Twitter videos are listed below.
Filesize (bytes): 1786180
Filesize (bytes): 4435756
Filesize (bytes): 10400078
Given that the video MBS sent to Bezos could be similar to or identical to one posted by a Twitter user, we encourage FTI to check whether the hash of the video is the same as the hash of any of the encodings of this video available on Twitter.
2. Decrypt the “Encrypted Downloader”
FTI’s report mentions that they found an “encrypted downloader” (.enc file) through which the video was transmitted, as is standard for WhatsApp file transfers. FTI says they were unable to decrypt this file.
Based on our understanding, it is possible to decrypt the contents of an .enc file from WhatsApp, given a forensic extraction of the phone, of the type that FTI mentions they performed. The first 32 bytes of the ZMEDIAKEY field of the ZWAMEDIAITEM table in WhatsApp’s ChatStorage.sqlite database should contain a key for each .enc file, and we have verified that these decryption instructions and code are sufficient to decrypt WhatsApp .enc files from a forensic extraction.
We encourage FTI to decrypt the .enc file, examine its contents, and check whether decryption yields a benign or malicious file.
3. Double-Check the Spikes in Egress Traffic
The FTI report mentions that their forensic analysis revealed “notable spikes in egress traffic” from Bezos’ phone “within hours” after MBS sent the video file to Bezos, which continued for more than a year.
Based on the description in FTI’s report, we suspect that this information may have been gleaned from iOS’s DataUsage.sqlite file (available in a forensic extraction of the phone). This database contains a table called ZLIVEUSAGE, which holds several kinds of date fields along with metadata about the amount of data uploaded and downloaded by various apps. It is unclear to the authors how FTI interpreted this data. Clarification about how it was interpreted would help in evaluating their analysis of the date information and in weighing it against other possible explanations.
We recommend that FTI clarify their analysis of the entire contents of the DataUsage.sqlite file, or any other files examined in their determination of egress traffic spikes.