back to article Who honestly has a crown prince in their threat model? UN report officially fingers Saudi royal as Bezos hacker

The Crown Prince of Saudi Arabia, Mohammad bin Salman, has been officially fingered as the man responsible for hacking Amazon CEO Jeff Bezos’s iPhone X, causing a massive stir in diplomatic circles. Following a report yesterday that Bezos’s smartphone had been compromised by a malware-poisoned video sent directly by bin Salman …

  1. David 132 Silver badge

    No wonder Bezos is fuming.

    6GB of exfiltrated data? That'll cost him hundreds of dollars, even if he's on AT&T's cheapest plan.

    Poor guy.

    I'm setting up a GoFundMe, anyone care to chip in?

    1. Stuart 22

      Lose less data with your iPhone

      Thank goodness he was using an iPhone - with almost any Android he would have had to shell out for the extra 256GB off his SD card ...

      1. Michael Wojcik Silver badge

        Re: Lose less data with your iPhone

        That's unfair. Many Android devices don't have an SD-card slot.

  2. JohnFen

    Alarmingly small?

    > One odd detail: according to the report, Bezos used an alarmingly small amount of data (averaging 430KB a day) in his day-to-day use of his phone

    Wait, that's odd? That's roughly how much I use, too. What's alarming about it?

    1. Rustbucket

      Re: Alarmingly small?

      The 430KB of data was purely data egress. If he was using the phone for mainly browsing and a few emails his uploads may not have been terribly high.

      1. JohnFen

        Re: Alarmingly small?

        That just makes the comment more mysterious to me, then. My total data usage, ingress+egress is around a half a meg a day, assuming we're just talking about cell data use.

        1. Das Schaf

          Re: Alarmingly small?

          I have similar data usage, approx half to one meg per day on mobile data. I think we are in the minority though.

    2. Claverhouse Silver badge

      Re: Alarmingly small?

      Are you too Supreme Leader of The Largest Company on Earth and The Richest One Man in the Universe ?

      One uses one's cell-phone more when one is in command of everything.

      1. CrazyOldCatMan Silver badge

        Re: Alarmingly small?

        cell-phone more when one is in command of everything

        It's entirely possible that he has more than one phone.. (yes, yes, I know - stretching the bounds of possibility I know. But even the Orange One has more than one phone and he's only the POTUS and a pauper compared to Bezos. In fact, the only think I thing OO exceeds Bezos in is the number of wives/mistresses he's cheated on..)

        1. Kabukiwookie

          Re: Alarmingly small?

          In the defence of those women, it did look bigger when he was holding it himself.

      2. Haynomonous

        Re: Alarmingly small?

        One uses one's cell-phone less when one is in command of everything- one has people to do that kind of thing for one.

    3. jmch Silver badge

      Re: Alarmingly small?

      He might have more than 1 phone?

    4. Anonymous Coward
      Anonymous Coward

      Re: Alarmingly small?

      I agree. Almost all my phone usage happens when I'm on wifi, so I use very little data most of the time.

      As far as noticing it, most carriers in the US offer "unlimited" plans that throttle after a couple dozen GB. If 6 GB was spit out it wouldn't even change his bill - not that he's looking at his bills or whoever does would ask him about excess usage costing an extra $20 or whatever.

  3. Chris G

    Not much of a surprise when you consider a couple of years back MBS arrested a good portion of his family, dozens of ministers and ex ministers and the the premier of Lebanon, he also purloined the funds belonging to most of the arrestees having accused all of them of being corrupt. All of this mostly to consolidate his position.

    I suppose after this post I should avoid countries with very large beaches.

    1. I ain't Spartacus Gold badge

      Saudi politics still doesn't beat Iran's for oddness. When Mahmoud Ahmadinejad was President (I'm not going to lie - I had to look up the spelling) he had a bit of a falling out with the Supreme Leader. Not too major as both are from the most authoritarian wings of the state, meaning things had to be kept in bounds - so the move made was to charge one of his ministerial allies with Sourcery. Not something you see on a charge sheet every day.

      1. Robert Carnegie Silver badge

        "Sourcery" is a humorous book by Sir Terry Pratchett? Rather a good one, Rincewind is in it.

        1. I ain't Spartacus Gold badge

          I don’t think the series really hits its stride with Wyrd Sisters. After which it’s consistently excellent right up until the not really finished final book. My favourite early one is probably Pyramids. Others disagree though and suggest people start with Mort.

          I seem to remember one of the charges against King Charles I was "mischiefs", the little scamp. Still not a patch on sourcery though.

        2. Kabukiwookie

          It's amazing how much damage one can do with a sock and a half-brick.

  4. DCFusor

    People who are known to target their perceived opponents fighting?

    Wow, no one to root for, then.

  5. Anonymous Coward


    It should be noted that the Saudi government invested in the Hacking Team via the shell company Tablem after the Hacking Team data breach to keep the company from going bankrupt (and that they had attempted, unsuccessfully, to buy the company outright prior to that - kudos to El Reg - ).

    As Khashoggi showed, the Saudis will stop at nothing to exact revenge on whomever they feel like.

    1. Claverhouse Silver badge

      Re: Tablem

      I imagine they shall not send a delegation carrying their own bone saws to Mr. Bezos' office.


      Mr. Trump would send the mother of all tweets to the Saudis if they hurt a hair of his little pal's head.

  6. Winkypop Silver badge

    Saudi hacking styles

    Be careful which type you choose.

    - The Bezos

    - The Kashoggi

  7. doublelayer Silver badge

    Amusing typo

    "Facebook recently sued NGO Group over its Pegasus software"

    I'm assuming this was the spell checker? It's NSO group. Incidentally, as they aren't exactly hiding that they have this malware, I'm surprised and displeased their company hasn't been raided by law enforcement with a raft of computer abuse charges.

    1. Michael Wojcik Silver badge

      Re: Amusing typo

      Displeased I can see, but surprised? The police states love NSO Group and the like. Even if some prosecutor (in Israel; action anywhere else would be purely symbolic) decided to go after them, they have many powerful customers, if not friends.

  8. Mark 85


    Is El Reg including the comments section going to be a target of the malware? It couldn't just be the Prince's phone was compromised and he or the hackers just passed it along? Nah.. who'd dare hack a prince's phone.

    1. 9Rune5

      Re: Hmm....

      We don't think anyone would be stupid enough to use their own kit to transmit malicious content.

      So the prince was obviously framed.

      But nobody would be stupid enough to try to frame somebody by using somebody's equipment to transmit malicious content, so it is obviously not that either.

      They think we aren't smart enough to realize that it must have been the prince in the first place.

      Seriously though: Bezo is heading back to the mobile phone business. Pointing out a security flaw in the iPhone is his opening salvo. Expect new Saudi-safe Kindle phones in your favorite amazon store within the month. The product logo will be a keffiyeh with a red line running diagonally from bottom left to upper right inside a red circle. Possibly a cruise missile will figure somewhere inside the logo as well, but I'm told (by thelittle voice inside my head) Bezo's team hasn't fully committed to it yet.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hmm....

        I did have a Fire Phone. It wasn't dreadful (but I bought heavily discounted).

        I think it's more likely that a number of internet security providers will have a new investor, and that the Saudi state may experience a DDOS attack of unprecedented scale in the near future.

        1. A random security guy

          Re: Hmm....

          Doubt it. The US government protects the Saudis. Start a DDoS against the Saudis and they will ask the US for help.

      2. GnuTzu
        Thumb Up

        Re: Hmm....

        And, to state it more explicitly: any hacked phone would do to hide the true origin, so there must be a motivation to hack a dignitaries phone. But, why these two? What kind of war is someone trying to start?

    2. lglethal Silver badge

      Re: Hmm....

      I doubt anybody who would be in a position to know the Crown Princes mobile number and who possessed more than 2 brain cells, would dare hack the Crown Princes phone. That's how you end up in a shallow grave in a Wadi somewhere....

      It would be like hacking Putin's phone or Xi's. An invitation to a large shortening of your life expectancy.

      So assuming that it came from the Crown Prince or that he at least approved of the sending, it shows an amazing level of arrogance. He had to understand that eventually it would be found out, but he obviously doesnt care about any possible repercussions.

      1. CrazyOldCatMan Silver badge

        Re: Hmm....

        he obviously doesnt care about any possible repercussions

        Well - he knows full well that Trump isn't exactly Bezos' friend (especially as Bezos isn't a dictator known to have killed off lots of people[1] - that seems to be the sure-fire way to get Trump fawning on you).

        [1] Except, of course, via workplace injuries in Amazon warehouses. But, since that's due to neglect and indifference rather than deliberate action it doesn't count.

      2. Michael Wojcik Silver badge

        Re: Hmm....

        It's also a mistake to assume the powerful know or care much about OPSEC. It's pretty common for people in power to trip themselves up by using personal devices. Even when they try to do it properly, they often achieve decent security in one area but screw it up in another (as with El Chapo, for example), or use a mechanism that fails under a different mode of investigation (as with Petraeus).

  9. Version 1.0 Silver badge

    Who else has seen the movie?

    I doubt that the movie was only sent once, you think Trump watched it too?

    Probably not because he'd have tweeted about it originally, but I bet a few other people have seen it.

  10. lglethal Silver badge

    So lessons learned for the everyman:

    1) Dont become Whatsapp friends with Heads of States (or De facto Heads of States for that matter)

    2) If the Crown Prince of a country sends you a video message - DONT LOOK AT IT!

    3) If you're "invited" to a Saudi Embasssy, just say NO!

  11. amanfromMars 1 Silver badge

    Mandy Rice-Davies Applies ..... MRDASNAFUBAR

    An annex [PDF] accompanying the UN assessment suggests the spyware was supplied to Saudi Arabia by the NSO Group in the form of surveillanceware called Pegasus*. ... NSO, at least, has denied any involvement.

    Well, they would, wouldn't they.

    * Pegasus ...... "invasive software from NSO Group, a secretive Israeli security firm that is being sued by WhatsApp's owner, Facebook, over allegations that it compromised users' accounts." ....... Tales of Sticky Shenanigans and Dastardly Deeds?:-)

    1. Cliff Thorburn

      Re: Mandy Rice-Davies Applies ..... MRDASNAFUBAR

      Constant yearnings for exponential learnings is IT not?

      Nothing would shock or surprise anymore about what seems to be accepted prima facie follies when the masses simply meander into mass mind controlled clickbait, simply more mass media manipulation malware merchandise monitoring for market manipulation advantage undoubtedly.

      1. amanfromMars 1 Silver badge

        Re: Mandy Rice-Davies Applies ..... MRDASNAFUBAR

        Amen to that, CT. IT aint no more complicated than that.

        And all of that renders IT and mass media operations an extraordinarily vulnerable and effectively indefensible attack vector, albeit only for those who realise and would wield it.

        1. Aleph0

          Re: Mandy Rice-Davies Applies ..... MRDASNAFUBAR

          Oh gawd, I seem to have understood two AMFM comments in a row. Time to switch to the higher-dosage dried frog pills...

      2. Mike Moyle

        Re: Mandy Rice-Davies Applies ..... MRDASNAFUBAR

        amanrommars1; is that you?

    2. CrazyOldCatMan Silver badge

      Re: Mandy Rice-Davies Applies ..... MRDASNAFUBAR


      Anyone else remember Pegasus Mail? One of the first PC-based email clients I used (required Trumpet Windsock I seem to remember).

      I think it's still going..

  12. Anonymous Coward
    Anonymous Coward

    US Connection

    I wouldn't be surprised to also find some assistance from the current US Administration, considering its antipathy towards Bezos and its coziness with KSA.

    1. I ain't Spartacus Gold badge

      Re: US Connection

      Well there are some interesting coincidences in that it was the National Enquirer who had the videos and weren't publishing them but trying to get some sort of agreement out of Bezos. And of course it was also the National Enquirer who were allies of Trump buying up the stories of women that had alleged they'd slept with him, then not publishing them. Which may turn out to be a breach of campaign finance law.

      So there are some interesting coincidences at least - if nothing more sinister.

      And neither the Crown Prince or Trump like the Washington Post, for different reasons.

      However I'd not get involved in a conspiracy with Trump - given that he's not exactly either competent or discrete. But on t'other hand, Bin Salman and his cronies aren't exactly what I'd call exemplars of competence either...

      1. Michael Wojcik Silver badge

        Re: US Connection

        Yes, there's no need for a conspiracy here. Everyone acting according to their inclinations explains the involvement of MBS and the National Enquirer just fine. I'm sure Trump would have approved, and they may tipped him off that something along these lines was happening, but there was no reason to let him know the details.

        I don't even think there was much of a plan here. MBS has a collection of hacking toys from NSO Group and Hacking Team, and decided to play with them by seeing if he could steal info from Bezos. He or a toady skimmed over it, found the embarrassing material, and forwarded it to someone (possibly David Pecker at AMI, possibly Dylan Howard at the Enquirer), who decided to try to pressure Bezos. But it turned out Bezos was running short of fucks to give that day.

  13. Jemma

    You had me at..

    UN fingers Saudi royal

    Hopefully with a Bangalore torpedo.

  14. Danny 2

    Ethical Hacking

    Bezos not only cheated on his wife, he cheated her out of a fair divorce settlement - she only got $35b while his net worth is still $115b.

    We are all super-rich in IT, so it's understandable that a poor Arab kid working at his dad's petrol station would try to hack us to expose our moral failings.

    1. A random security guy

      Re: Ethical Hacking

      $35B is not cheating. Plus $115B may be hard to monetize or transfer. Also, it may not have been in her best interest. Let me explain: If you transfer 50% ownership of a company it leads to a transfer of power, board seats issues etc. leaving you a company with a different management.

      It is better to get the $35B and have Bezos grow it as the company's valuation grows.

      And cheating on your wife or husband? Do you know how many people cheat in the US? Women cheat as much as men. It is not a crime, misdemeanor, or even a minor violation.

      1. Danny 2

        Re: Ethical Hacking

        Ironies intended as humour I thought would be obvious even to Americans:

        "Only $35 billion"

        "We are all super-rich in IT"

        MBS as "a poor Arab kid working at his dad's petrol station"

        The rest of it was serious though.

  15. Fruit and Nutcase Silver badge

    Crown Jewels

    So, it was action by a Crown Prince that led to Bezos publishing pictures of his Crown Jewels.

  16. joker197cinque

    How a video can be delivered through "an encrypted downloader hosted on WhatsApp’s media server" ?

    I read all the report and I found it very interesting.

    I don't understand however how it was possible through whatsapp, sending the video via "an encrypted downloader hosted on WhatsApp’s media server".

    I mean, what's the difference to just directly send an mp4 file or via this encrypted downloader ?

    This is what VICE writes (and report too):

    "They did not find any malicious code embedded in the video file, but discovered that the video was delivered via an encrypted downloader hosted on WhatsApp’s media server."

    Thanks for an explanation

    1. Danny 2

      How a video can be delivered through "an encrypted downloader hosted on WhatsApp’s media server" ?

      This is what VICE writes (and report too):

      Hiya. First, this is El Reg and so we can't quote Vice (or the Daily Mail) as a source.

      Ta for your thanks for an explanation. The "encrypted downloader" is a red herring. Any good hacking tool can remove traces of itself from the version it leaves behind. Blame Ken Thompson.

    2. Fruit and Nutcase Silver badge

      Re: How a video can be delivered through ...

      They did find an encrypted payload within the file - which they could not decrypt in order to ascertain if it was malicious. What is the probability that it was not benign? The encrypted nature of the final delivery mechanism was irrelevant.

      "...but it seems an encrypted blob of code in the 4MB video file was able to run spyware on the phone, presumably via a software flaw. The team was unable to decrypt the payload.

      1. Red Ted

        Re: How a video can be delivered through ...

        It occurs to me that once the phone is infected and someone has root level access, they could update the video file to remove the exploit code (or even plant it having removed the original exploit from elsewhere).

        1. joker197cinque

          Re: How a video can be delivered through ...

          Makes sens, thanks for help

      2. joker197cinque

        Re: How a video can be delivered through ...

        Oh ok so you are saying that:

        1) Video file was crafted to contain the video itself + a small other (malicious) encrypted file

        2) Video file, upon receiving, was able (how?) to split itself into 2 files (clean video file and encrypted payload) and execute the payload.

        3) The video itself, upon splitting, resulted clean to forensic tools

        Is it correct ?

        However, I don't still get what "downloader hosted on WhatsApp’s media server" should mean. They are just describing the infected payload crafted into the videofile ? It is a bit misleading to me

        1. Fruit and Nutcase Silver badge

          Re: How a video can be delivered through ...


          A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE.

          As @Red Ted comments,once the exploit/Remote Code Executes it can do all manner of things - including removing traces of it. The question is why was that encrypted part left if there was some clear up performed. Could simply be an oversight - known to happen. As for why that part was encrypted - less chance of detection than if it were unencrypted code that could be fingerprinted/detected.

          Alternatively, could also leave some useful malicious code in encrypted form on the victim's device that can be accessed when required by other exploits/attacks, avoiding the need to download that code (again) and thereby reducing the chance of detection.

          1. joker197cinque

            Re: How a video can be delivered through ...

            Thank you for explanation and CVE, very helpful buddy.


        2. doublelayer Silver badge

          Re: How a video can be delivered through ...

          "However, I don't still get what "downloader hosted on WhatsApp’s media server" should mean. They are just describing the infected payload crafted into the videofile ? It is a bit misleading to me"

          In itself, it doesn't mean much; they're just stating where the file came from. It does indicate that it was not retrieved from an attacker-controlled location, and therefore that it is not possible to track that location to identify the attacker. Not much more detail comes from this one observation, but it is relevant information to understanding what happened.

          1. joker197cinque

            Re: How a video can be delivered through ...

            Thanks, you clarified a lot. I think that it should have been written differently, but it's just my opinion.


    3. Blazde Silver badge

      Re: How a video can be delivered through "an encrypted downloader ..

      The report states "It should be noted that the encrypted Whatsapp file sent from MBS' account was slightly larger than the video itself". The 'downloader' is just a file containing the original video (and maybe more?). The video now is 4.22MB. We aren't told how much 'slightly larger' the encrypted file is, but they can't decrypt it because presumably the session key has long been discarded or actively purged by the malware. Possibly the original video was larger and contained exploit+malware that has since cleaned itself.

  17. anonymous boring coward Silver badge

    Sociopaths are like that: Don't understand, nor care, how they will be perceived. Trump is another one. Lying comes natural to them. More natural than speaking truth.

    1. amanfromMars 1 Silver badge

      Dr StrangeLOVE will see you now ....... :-)

      Wow, to be so terrified of the truth that one would fling and cling to lies is a an Early Sure Sign of Real Trouble with Mental Health Issues which can Easily Deliver Madness and Mayhem.

      The Flip Side of that on a Parallel Course is Share Genius and Utility.

      Which do you think the Better Best Bet for the Future? Surely the Flip Side must be the Firm Favourite and a Worthy Runaway Winner.

  18. Mike Moyle

    "They also call for greater controls over 'the unconstrained marketing, sale and use of spyware' and a 'moratorium on the global sale and transfer of private surveillance technology.'”

    I see their point but, honestly, I'd rather have some way of seeing, in clear, some vague approximation of what the current state of the art is in surveillance tech, rather than let ALL advances in it be done in government agency black projects without any reasonable chance of oversight.

    ...or am I being naive?

  19. Jbeteta

    What nobody is commenting is that Apple iOS patches and fixes didn't help much.

    1. Michael Wojcik Silver badge

      Perhaps everyone read the article and understands the bug was in a third-party app?

      I think Apple's security is overrated by many (most?) users, but they're in the clear on this one. Unless you think they should do more extensive vetting of everything in the app store,1 which is a position one could argue, but doesn't seem economically feasible.

      1Say, by requiring apps be submitted as source, which Apple would run through static analysis and then build and deploy to the store. That's technically feasible but probably not a viable business model, since it would be resource-intensive for Apple and would meet resistance from app developers.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like