Cybersecurity experts said there were still many unanswered questions from an investigation commissioned by Jeff Bezos that concluded the billionaire's cellphone was hacked, apparently after receiving a video file with malicious spyware from the WhatsApp account of Saudi Crown Prince Mohammed bin Salman.
The experts said the evidence in the privately commissioned report does not show with certainty that Bezos' phone was actually hacked, much less how it was compromised or what kind of malware was used.
The report on the investigation, which was managed by FTI Consulting, was made public Wednesday, according to The Associated Press.
“In some ways, the investigation is very incomplete. … The conclusions they’ve drawn I don’t think are supported by the evidence. They veered off into conjecture,” said Robert Pritchard, the director of UK-based consultancy Cyber Security Expert.
Similarly, the former chief security officer at Facebook, who now directs a cyber policy center at Stanford, wrote that the report is filled with circumstantial evidence, but no smoking gun.
“The funny thing is that it looks like FTI potentially has the murder weapon sitting right there, they just haven't figured out how to test it,” Alex Stamos wrote on Twitter.
One sticking point centered on WhatsApp's end-to-end encryption, which the report said made it “virtually impossible to decrypt contents of the downloader to determine if it contained malicious code” — meaning the investigators could not conclude whether the video file sent from Prince Mohammed bin Salman's WhatsApp account was infected and used to hack Bezos' phone.
Bill Marczak, a senior research fellow at Citizen Lab, disputed that assertion, saying it is possible to decrypt the contents of a WhatsApp file. In a post written for The Medium, Marczak shared a link to decryption instructions and code.
The FTI investigators did not reach out to WhatsApp to seek assistance, a Facebook spokesperson said.
FTI did not respond to emails and text messages seeking comment, AP said.
The company said in a statement that all FTI's work for clients is confidential and that the company does not “comment on, confirm or deny client engagements.”
Matt Suiche, a French entrepreneur who founded cybersecurity firm Comae Technologies, said the video file was presumably on the iPhone because the report showed a screenshot of it. If the file had been deleted, he said the report should have stated this or explained why it was not possible to retrieve it.
“They’re not doing that. It shows poor quality of the investigation,” Suiche said.
The report on the investigation was managed by FTI Consulting and overseen by Anthony Ferrante, a former head of the FBI's Cyber Division.
The report's conclusions drew heavily from the unusually high volume of data that left Bezos' iPhone X within 24 hours of receiving the video file from Prince Mohammed's WhatsApp account on May 1, 2018, a month after the two exchanged phone numbers. The size of the file, the investigators suggested, indicated a malware payload may have been included.
Saudi Arabia has denied as “absurd” the hacking reports.