In Bezos phone hack, UN wants answers on Saudi prince's alleged role

Data sent from Jeff Bezos' phone spiked 29,000% after allegedly receiving a video on WhatsApp from the Saudi crown prince, a UN analysis says.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Ben Fox Rubin Former senior reporter
Ben Fox Rubin was a senior reporter for CNET News in Manhattan, reporting on Amazon, e-commerce and mobile payments. He previously worked as a reporter for The Wall Street Journal and got his start at newspapers in New York, Connecticut and Massachusetts.

Jeff Bezos (third from right) takes part in a memorial service for Jamal Khashoggi in October 2019, near the Saudi consulate in Istanbul.

Osman Orsal/Getty Images

The United Nations is calling for an investigation after receiving information suggesting that Saudi Arabia's crown prince was potentially involved in hacking the phone of Jeff Bezos, CEO of Amazon and owner of The Washington Post. 

The statement alleges that the hack was an attempt by Saudi Crown Prince Mohammed bin Salman to "influence, if not silence, The Washington Post's reporting on Saudi Arabia." 


The UN said Saudi authorities had shown a pattern of targeted cyberattacks on its political opponents, including Washington Post columnist Jamal Khashoggi, who was assassinated by Saudi government officials in October 2018 in Istanbul, Turkey.

"The alleged hacking of Mr. Bezos's phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents," the UN said Wednesday in a statement. 

Bezos' phone was hacked in May 2018 after receiving a WhatsApp message from the Saudi crown prince's personal account, according to a forensics investigation by business advisory firm FTI Consulting. 

The Saudi embassy has denied any involvement with Bezos' phone hack, calling for an investigation into the allegations. 

On Wednesday morning, Bezos posted on Twitter a message with the hashtag "#Jamal" and a picture of Bezos at a Khashoggi memorial built in Istanbul a year after his murder. Amazon's press office didn't respond to a request for comment.

Sen. Ron Wyden, a Democrat from Oregon, sent Bezos a letter on Wednesday requesting answers on the hack and his cybersecurity team's forensics investigation. The letter requested technical details from the investigation, including the IP addresses of where the spyware had sent Bezos' data and what kind of surveillance software was used. 

"To help Congress better understand what happened -- and to help protect Americans against similar attacks -- I encourage you to provide my office with information regarding your case," Wyden wrote.

The forensics research found no known malware on Bezos' hacked iPhone, according to the UN. It did find a video file sent from the crown prince's account to Bezos on WhatsApp, but didn't find any malicious code on the clip itself.

However, the malware could have been hidden on an encrypted downloader hosted on WhatsApp's media server. The researchers weren't able to analyze the contents of the downloader because of WhatsApp's end-to-end encryption. 

"It is later established, with reasonable certainty, that the video's downloader infects Mr. Bezos' phone with malicious code," the research found.

Through cellular data analysis, the researchers found that within hours after Bezos received the video, there was a spike in activity on his phone, siphoning out data from his device at a rate 29,156% higher than usual.

On the trail of spyware

The researchers determined that the malware planted on Bezos' phone most likely came from the NSO Group, an Israeli surveillance organization that Facebook is suing over alleged hacks targeting WhatsApp, which is owned by Facebook. 

"This reported surveillance of Mr. Bezos, allegedly through software developed and marketed by a private company and transferred to a government without judicial control of its use, is, if true, a concrete example of the harms that result from the unconstrained marketing, sale and use of spyware," the UN said.

On Nov. 14, 2019, Facebook confirmed to the researchers that "sending a specifically crafted MP4 [video] file to a WhatsApp user" was a method to install malicious spyware, according to the report. 

Facebook didn't respond to a request for comment. 

Gavin de Becker, a private investigator hired by Bezos, has publicly alleged since early last year that Saudi Arabia had hacked the Amazon CEO's phone and accessed private information. However, he hadn't previously provided direct evidence of this alleged hack. 

De Becker's claims came at the same time Bezos was fighting an alleged blackmail attempt by the National Enquirer tabloid, which revealed his relationship with former TV reporter Lauren Sanchez while he was still married to MacKenzie Bezos. The couple is now divorced.

On Nov. 8, 2018, Mohammed bin Salman's WhatsApp account sent a single photo to Bezos' account, showing an image of a woman resembling Sanchez. The image was captioned, "Arguing with a woman is like reading the Software License agreement. In the end you have to ignore everything and click 'I agree,'" and was sent in the midst of Bezos' marriage unraveling. 

The National Enquirer's reporting included text messages from Bezos to Sanchez; Bezos' investigation into how those text messages leaked helped reveal the alleged Saudi plot. The National Enquirer denied any involvement of the Saudi government in its reporting, instead pointing to Michael Sanchez, Lauren Sanchez's brother, as the source of the texts.

De Becker had said it wasn't clear how much, if anything, the National Enquirer's owner, AMI, knew about the alleged Saudi hack. But he did mention that David Pecker, AMI's CEO, has ties to the Saudi government and bin Salman.

Originally published Jan. 22, 7:12 AM PT.
Update, 11:13 a.m.: Adds Bezos tweet.
Update, 11:35 a.m.: Adds letter from Sen. Ron Wyden.