There’s no evidence the Saudis hacked Jeff Bezos’s iPhone

There’s no evidence the Saudis hacked Jeff Bezos’s iPhone.

This is the conclusion of the all the independent experts who have reviewed the public report behind the U.N.’s accusations. That report failed to find evidence proving the theory, but instead simply found unknown things it couldn’t explain, which it pretended was evidence.

This is a common flaw in such forensics reports. When there’s evidence, it’s usually found and reported. When there’s no evidence, investigators keep looking. Todays devices are complex, so if you keep looking, you always find anomalies you can’t explain. There’s only two results from such investigations: proof of bad things or anomalies that suggest bad things. There’s never any proof that no bad things exist (at least, not in my experience).

Bizarre and inexplicable behavior doesn’t mean a hacker attack. Engineers trying to debug problems, and support technicians helping customers, find such behavior all the time. Pretty much every user of technology experiences this. Paranoid users often think there’s a conspiracy against them when electronics behave strangely, but “behaving strangely” is perfectly normal.

When you start with the theory that hackers are involved, then you have an explanation for the all that’s unexplainable. It’s all consistent with the theory, thus proving it. This is called “confirmation bias”. It’s the same thing that props up conspiracy theories like UFOs: space aliens can do anything, thus, anything unexplainable is proof of space aliens. Alternate explanations, like skunkworks testing a new jet, never seem as plausible.

The investigators were hired to confirm bias. Their job wasn’t to do an unbiased investigation of the phone, but instead, to find evidence confirming the suspicion that the Saudis hacked Bezos.

Remember the story started in February of 2019 when the National Inquirer tried to extort Jeff Bezos with sexts between him and his paramour Lauren Sanchez. Bezos immediately accused the Saudis of being involved. Even after it was revealed that the sexts came from Michael Sanchez, the paramour’s brother, Bezos’s team double-downed on their accusations the Saudi’s hacked Bezos’s phone.

The FTI report tells a story beginning with Saudi Crown Prince sending Bezos a message using WhatsApp containing a video. The story goes:

The downloader that delivered the 4.22MB video was encrypted, delaying or preventing further study of the code delivered along with the video. It should be noted that the encrypted WhatsApp file sent from MBS’ account was slightly larger than the video itself.

This story is invalid. Such messages use end-to-end encryption, which means that while nobody in between can decrypt them (not even WhatsApp), anybody with possession of the ends can. That’s how the technology is supposed to work. If Bezos loses/breaks his phone and needs to restore a backup onto a new phone, the backup needs to have the keys used to decrypt the WhatsApp messages.

Thus, the forensics image taken by the investigators had the necessary keys to decrypt the video — the investigators simply didn’t know about them. In a previous blogpost I explain these magical WhatsApp keys and where to find them so that anybody, even you at home, can forensics their own iPhone, retrieve these keys, and decrypt their own videos.

The above story implicates the encrypted file because it’s slightly larger than than the unencrypted file. One possible explanation is that these extra bytes contain an exploit, virus, or malware.

However, there’s a more accurate explanation: all encrypted WhatsApp videos will be larger than the unencrypted versions by between 10 and 25 bytes, for verification and padding. It’s a standard way how encryption works.

This is a great demonstration of confirmation bias in action, how dragons breed on the edge of maps. When you expect the encrypted and unencrypted versions to be the same size, this anomaly is inexplicable and suggestive of hacker activity. When you know how the encryption works, how there’s always an extra 10 to 25 bytes, then the idea is silly.

It’s important to recognize how much the story hinges on this one fact. They have the unencrypted video and it’s completely innocent. We have the technology to exonerate that video, and it’s exonerated. Thus, if a hack occurred, it must be hidden behind the encryption. But when we unmask the encryption and find only the video we already have, then the entire report will break down. There will no longer be a link between any hack found on the phone and the Saudis.

But even if there isn’t a link to the Saudis, there may still be evidence the phone was hacked. The story from the FTI forensics report continues:

We know from a comprehensive examination of forensics artifacts on Bezos’ phone that within hours of the encrypted downloader being received, a massive and unauthorized exfiltration of data from Bezos’ phone began, continuing and escalating for months thereafter. … The amount of data being transmitted out of Bezos’ phone changed dramatically after receiving the WhatsApp video file and never returned to baseline. Following execution of the encrypted downloader sent from MBS’ account, egress on the device immediately jumped by approximately 29,000 percent.

I’ve performed the same sort of forensics on my phones and have found that there no such thing as some sort of normal “baseline” of traffic, as described in this Twitter thread. One reason is that users do unexpected things, like forward an email that has a large attachment, or visiting a website that causes unexpectedly high amounts of traffic. Another reason is that the traffic isn’t stored in nice hourly or daily buckets as the above story implies. Instead, when you use the app for a months, you get just a single record of how much data the app has sent for months. For example, I see one day where the Uber app exfiltrated 56-megabytes of data from my phone, which seems an inexplicable anomaly. However, that’s just the date the record is recorded, reflecting months of activity as Uber has run in the background on my phone.

I can’t explain all the bizarre stuff I see on my phone. I only ever download podcasts, but the records show the app uploaded 150-megabytes. Even when running over months, this is excessive. But lack of explanation doesn’t mean this is evidence of hacker activity trying to hide traffic inside the podcast app. It just means something odd is going on, probably a bug or inefficient design, that a support engineer might want to know about in order to fix.


Further FTI investigation might find more evidence that actually shows a hack or Saudi guilt, but the current report should be considered debunked. It contains no evidence, only things it’s twisted to create the impression of evidence.

Bezos’s phone may have been hacked. The Saudis may be responsible. They certainly have the means, motive, and opportunity to do so. There’s no evidence exonerating the Saudis as a whole.

But there is evidence that will either prove Saudi culpability or exonerate that one video, the video upon which the entire FTI report hinges. And we know that video will likely be exonerated simply because that’s how technology works.

The entire story hinges on that one video. If debunked, the house of cards fall down, at least until new evidence is found.

The mainstream press has done a crapy job. It’s a single-sourced story starting with “experts say”. But it’s not many experts, just the FTI team. And they aren’t unbiased experts, but those hired specifically to prove Besos’s accusation against the Saudis. Rather than healthy skepticism looking for other experts to dispute the story, the press has jumped in taking Bezos’s side in the dispute.

I am an expert, and as I’ve shown in this blogpost (and linked posts with technical details), I can absolutely confirm the FTI report is complete bunk. It contains no evidence of a hack, just anomalies it pretends are evidence.

*** This is a Security Bloggers Network syndicated blog from Errata Security authored by Robert Graham. Read the original post at: