Who honestly has a crown prince in their threat model? UN report officially fingers Saudi royal as Bezos hacker

The Crown Prince of Saudi Arabia, Mohammad bin Salman, has been officially fingered as the man responsible for hacking Amazon CEO Jeff Bezos’s iPhone X, causing a massive stir in diplomatic circles. Following a report yesterday that Bezos’s smartphone had been compromised by a malware-poisoned video sent directly by bin Salman …


    1. Fruit and Nutcase Silver badge

      Re: How a video can be delivered through ...

      They did find an encrypted payload within the file - which they could not decrypt in order to ascertain if it was malicious. What is the probability that it was not benign? The encrypted nature of the final delivery mechanism was irrelevant.

      "...but it seems an encrypted blob of code in the 4MB video file was able to run spyware on the phone, presumably via a software flaw. The team was unable to decrypt the payload."

      1. Red Ted
        Holmes

        Re: How a video can be delivered through ...

        It occurs to me that once the phone is infected and someone has root level access, they could update the video file to remove the exploit code (or even plant it having removed the original exploit from elsewhere).

        1. joker197cinque

          Re: How a video can be delivered through ...

          Makes sense, thanks for the help

      2. joker197cinque

        Re: How a video can be delivered through ...

        Oh ok so you are saying that:

        1) Video file was crafted to contain the video itself + a small other (malicious) encrypted file

        2) The video file, upon being received, was able (how?) to split itself into two files (a clean video file and an encrypted payload) and execute the payload.

        3) The video itself, after the split, appeared clean to forensic tools

        Is it correct?

        However, I still don't get what "downloader hosted on WhatsApp’s media server" should mean. Are they just describing the infected payload crafted into the video file? It is a bit misleading to me

        1. Fruit and Nutcase Silver badge

          Re: How a video can be delivered through ...

          CVE-2019-11931

          A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE.

          As @Red Ted comments, once the exploit/Remote Code Executes it can do all manner of things - including removing traces of it. The question is why was that encrypted part left if there was some clean-up performed. Could simply be an oversight - known to happen. As for why that part was encrypted - less chance of detection than if it were unencrypted code that could be fingerprinted/detected.

          Alternatively, could also leave some useful malicious code in encrypted form on the victim's device that can be accessed when required by other exploits/attacks, avoiding the need to download that code (again) and thereby reducing the chance of detection.

          1. joker197cinque

            Re: How a video can be delivered through ...

            Thank you for the explanation and CVE, very helpful buddy.

            Cheers

        2. doublelayer Silver badge

          Re: How a video can be delivered through ...

          "However, I don't still get what "downloader hosted on WhatsApp’s media server" should mean. They are just describing the infected payload crafted into the videofile ? It is a bit misleading to me"

          In itself, it doesn't mean much; they're just stating where the file came from. It does indicate that it was not retrieved from an attacker-controlled location, and therefore that it is not possible to track that location to identify the attacker. Not much more detail comes from this one observation, but it is relevant information to understanding what happened.

          1. joker197cinque

            Re: How a video can be delivered through ...

            Thanks, you clarified a lot. I think that it should have been written differently, but it's just my opinion.

            Cheers

    2. Blazde Silver badge

      Re: How a video can be delivered through "an encrypted downloader ..

      The report states "It should be noted that the encrypted Whatsapp file sent from MBS' account was slightly larger than the video itself". The 'downloader' is just a file containing the original video (and maybe more?). The video now is 4.22MB. We aren't told how much 'slightly larger' the encrypted file is, but they can't decrypt it because presumably the session key has long been discarded or actively purged by the malware. Possibly the original video was larger and contained exploit+malware that has since cleaned itself.
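The two observations the thread turns on are the CVE-2019-11931 description (a parser trusting sizes inside an MP4 file) and the report's note that the encrypted file was "slightly larger than the video". As an added example that is not part of the article or of any comment above, here is a small Python walker over the top-level ISO-BMFF box structure of an MP4 buffer: it applies the bounds checks a safe parser needs (declared box size versus bytes actually present) and reports any bytes that belong to no box, which is the one structural hint a size mismatch like the one in the report could leave. The three sample buffers are constructed inline for the demonstration and are not real files from the case.

```python
import struct

# Box types normally found at the top level of an ordinary MP4. Anything else
# is not necessarily malicious, but it deserves a second look.
KNOWN_TOP_LEVEL = {"ftyp", "moov", "mdat", "free", "skip", "uuid", "meta",
                   "moof", "mfra", "sidx", "wide"}


def make_box(kind: bytes, payload: bytes) -> bytes:
    """Build one box: 4-byte big-endian size (header included), 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload


# Constructed samples (not real files from the case):
SAMPLE_CLEAN = (
    make_box(b"ftyp", b"isom" + b"\x00\x00\x02\x00" + b"isomiso2mp41")
    + make_box(b"mdat", b"\x00" * 64)
)
# The same file with 32 bytes appended that belong to no box.
SAMPLE_TRAILING = SAMPLE_CLEAN + b"\x13\x37" * 16
# A box whose declared size (4096) is far larger than what is actually present.
SAMPLE_OVERSIZED = (
    make_box(b"ftyp", b"isom") + struct.pack(">I", 4096) + b"mdat" + b"\x00" * 16
)


def walk_boxes(data: bytes):
    """Walk the top-level boxes of an ISO-BMFF buffer.

    Returns (boxes, findings): boxes is a list of (type, offset, size) for every
    box whose header and declared size fit inside the buffer; findings is a list
    of human-readable strings for anything that does not. Parsing stops at the
    first structural problem, because nothing after it can be trusted.
    """
    boxes, findings = [], []
    pos, n = 0, len(data)
    while pos < n:
        remaining = n - pos
        if remaining < 8:
            findings.append(f"{remaining} trailing byte(s) at offset {pos}: too short for a box header")
            break
        size, raw_type = struct.unpack(">I4s", data[pos:pos + 8])
        header_len = 8
        # A box type is four printable ASCII characters; anything else is not a box.
        if any(b < 0x20 or b > 0x7E for b in raw_type):
            findings.append(f"{remaining} trailing byte(s) at offset {pos}: type {raw_type!r} is not ASCII")
            break
        kind = raw_type.decode("ascii")
        if size == 1:  # 64-bit "largesize" follows the type field
            if remaining < 16:
                findings.append(f"box {kind} at offset {pos} uses largesize but is truncated")
                break
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header_len = 16
        elif size == 0:  # box extends to the end of the buffer
            size = remaining
        # Bounds checks: a declared size smaller than its own header, or larger
        # than the bytes actually present, must be rejected before any payload
        # is read. Trusting such a size is the class of bug behind memory
        # corruption in media parsers.
        if size < header_len:
            findings.append(f"box {kind} at offset {pos} declares size {size}, smaller than its {header_len}-byte header")
            break
        if size > remaining:
            findings.append(f"box {kind} at offset {pos} declares size {size} but only {remaining} byte(s) remain")
            break
        if kind not in KNOWN_TOP_LEVEL:
            findings.append(f"box {kind} at offset {pos} is not a usual top-level type")
        boxes.append((kind, pos, size))
        pos += size
    return boxes, findings


if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("trailing", SAMPLE_TRAILING),
                       ("oversized", SAMPLE_OVERSIZED)):
        print(name, *walk_boxes(blob), sep="\n  ")
```

The walker only checks the container skeleton. An opaque or encrypted blob tucked inside a box whose size is declared consistently (for instance padding at the end of an `mdat` box) passes these checks untouched, which is why a forensic team can be left with nothing more than "slightly larger than the video" once the payload has been encrypted or the cleaned-up file has been rewritten, as the comments above suggest.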

  1. anonymous boring coward Silver badge

    Sociopaths are like that: Don't understand, nor care, how they will be perceived. Trump is another one. Lying comes natural to them. More natural than speaking truth.

    1. amanfromMars 1 Silver badge

      Dr StrangeLOVE will see you now ....... :-)

      Wow, to be so terrified of the truth that one would fling and cling to lies is an Early Sure Sign of Real Trouble with Mental Health Issues which can Easily Deliver Madness and Mayhem.

      The Flip Side of that on a Parallel Course is Share Genius and Utility.

      Which do you think the Better Best Bet for the Future? Surely the Flip Side must be the Firm Favourite and a Worthy Runaway Winner.

  2. Mike Moyle

    "They also call for greater controls over 'the unconstrained marketing, sale and use of spyware' and a 'moratorium on the global sale and transfer of private surveillance technology.'”

    I see their point but, honestly, I'd rather have some way of seeing, in clear, some vague approximation of what the current state of the art is in surveillance tech, rather than let ALL advances in it be done in government agency black projects without any reasonable chance of oversight.

    ...or am I being naive?

  3. Jbeteta

    What nobody is commenting is that Apple iOS patches and fixes didn't help much.

    1. Michael Wojcik Silver badge

      Perhaps everyone read the article and understands the bug was in a third-party app?

      I think Apple's security is overrated by many (most?) users, but they're in the clear on this one. Unless you think they should do more extensive vetting of everything in the app store,[1] which is a position one could argue, but doesn't seem economically feasible.

      [1] Say, by requiring apps be submitted as source, which Apple would run through static analysis and then build and deploy to the store. That's technically feasible but probably not a viable business model, since it would be resource-intensive for Apple and would meet resistance from app developers.
