“We encourage FTI to decrypt the .enc file, examine its contents, and check whether decryption yields a benign or malicious file”
Those not living under a large rock will, by now, have caught up with the news that Amazon founder Jeff Bezos’s phone was “hacked” after an allegedly infected WhatsApp message was sent to him by the Saudi Crown Prince, Mohammad Bin Salman (“MBS”).
A full report by FTI Consulting, which was tasked with analysing the phone, did not identify any malware, but did conclude that hours after a suspicious video file was sent to Bezos by MBS on May 1, 2018, “a massive and unauthorized exfiltration of data from Bezos’ phone began, continuing and escalating for months thereafter.”
The full report, leaked by Vice’s Motherboard, shows that the FTI team used a tool from Cellebrite (Cellebrite UFED 4PC Ultimate and Physical Analyzer) to pull forensic images from the phone. But security experts say it appears strikingly incomplete and even somewhat amateurish. Did they overlook the “murder weapon”?
Here’s what Facebook’s former CISO Alex Stamos had to say.
This FTI forensics report is not very strong. Lots of odd circumstantial evidence, for sure, but no smoking gun.
The funny thing is that it looks like FTI potentially has the murder weapon sitting right there, they just haven't figured out how to test it. https://t.co/eA130NKKmi
— Alex Stamos (@alexstamos) January 22, 2020
As he noted: “How did FTI see enough of the video to characterize it and perform a ‘cursory analysis’ but not an in-depth analysis?
“If they have the locally cached messages, then they should also have the ephemeral encryption key to decrypt the entire video. If the video is the initial point of exploitation, then there MUST be some evidence of that in the video file itself. It’s true that this will just be a first stage exploit that pulls down the rest of the malware, but the actual exploit and a bit of ARM shell must be there… This is a major national security issue now more eyes need to be on the evidence.”
Many suggested that the report, if it was indeed the final report furnished, came nowhere near proving that MBS was to blame. As Rob Graham put it: “It uses phrases like ‘unauthorized exfiltration’ to mean ‘outgoing data we can’t explain’… Anomalies could simply be that in certain times, he’s near WiFi, and they get uploaded that way, and other times, he’s not, so uploads happen over cellular. Small changes that a person is unaware of can have massive impacts on traffic.”
Okay. I read the report. I see nothing here that suggests Bezos’s phone was hacked. It contains much that says "anomalies we don't understand", but lack of explanations points to incomplete forensics, not malicious APT actors. https://t.co/fxesTmeD40
— Rob ☃️ Graham (@ErrataRob) January 22, 2020
Whether the phone was indeed hacked or not, Motherboard’s Joseph Cox pointed to the difficulty of defending against an adversary few people think to include in their threat model: a Crown Prince.
phishing: pretend to be the crown prince
better phishing: be the crown prince
— Joseph Cox (@josephfcox) January 22, 2020
Security veteran The Grugq made the same point another way: all operational security starts and ends with compartmentation. (For Bezos, this might have meant simply sending messages to his lover from a separate phone, not the one he used to exchange messages with business people and political leaders.)
Two eternal truths:
1) compartmentation is the foundation of security
2) trust relationships are the foundation of compromise
— thaddeus e. grugq (@thegrugq) January 23, 2020
Citizen Lab senior researcher Bill Marczak also argued that more could have been done with the forensic data than FTI Consulting’s report suggests.
He wrote: “FTI’s report mentions that they found an ‘encrypted downloader’ (.enc file) through which the video was transmitted, as is standard for WhatsApp file transfers. FTI says they were unable to decrypt this file.”
He added: “It is possible to decrypt the contents of an .enc file from WhatsApp, given a forensic extraction of the phone, of the type that FTI mentions they performed.
“The first 32 bytes of the ZMEDIAKEY field of the ZWAMEDIAITEM table in WhatsApp’s ChatStorage.sqlite database should contain a key for each .enc file, and we have verified that these decryption instructions and code are sufficient to decrypt WhatsApp .enc files from a forensic extraction.”
“We encourage FTI to decrypt the .enc file, examine its contents, and check whether decryption yields a benign or malicious file.”
I wrote up a brief technical note on FTI Consulting's forensic report into the Jeff Bezos Hack, with some thoughts on where the investigation should go next: https://t.co/dDzokoWu3F
— Bill Marczak (@billmarczak) January 22, 2020
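What such a decryption looks like in practice, as an added example that is not code from Marczak, FTI or WhatsApp: the 32-byte mediaKey (per Marczak, the first 32 bytes of ZMEDIAKEY in the ZWAMEDIAITEM table of ChatStorage.sqlite) is expanded with HKDF-SHA256 and a media-type-specific info string into an IV, an AES-256-CBC key and an HMAC key, and the .enc file is the CBC ciphertext followed by the first 10 bytes of an HMAC-SHA256 over IV plus ciphertext. That layout and the info strings are taken from WhatsApp’s publicly documented media-encryption scheme and are an assumption of this example, not something the page states; the mediaKey and the “video” bytes below are constructed so the program runs offline and round-trips, and the MAC check is what tells an analyst they pulled the wrong key, the wrong media type, or a damaged file rather than silently producing garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// mediaInfo maps a WhatsApp media type to the HKDF info string used to expand
// its mediaKey. Strings as in WhatsApp's public media-encryption documentation
// (assumption of this example, not taken from the FTI report).
var mediaInfo = map[string]string{
	"image":    "WhatsApp Image Keys",
	"video":    "WhatsApp Video Keys",
	"audio":    "WhatsApp Audio Keys",
	"document": "WhatsApp Document Keys",
}

// hkdfSHA256 is RFC 5869 HKDF-SHA256 with an empty salt (HashLen zero bytes).
func hkdfSHA256(ikm, info []byte, length int) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size))
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, prev []byte
	for i := byte(1); len(out) < length; i++ {
		exp := hmac.New(sha256.New, prk)
		exp.Write(prev)
		exp.Write(info)
		exp.Write([]byte{i})
		prev = exp.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// mediaKeys is the 112-byte HKDF output split into its four parts.
type mediaKeys struct{ iv, cipherKey, macKey, refKey []byte }

// expandMediaKey derives the per-file keys from the 32-byte mediaKey found in
// the chat database (the page says: first 32 bytes of ZMEDIAKEY).
func expandMediaKey(mediaKey []byte, mediaType string) (mediaKeys, error) {
	info, ok := mediaInfo[mediaType]
	if !ok {
		return mediaKeys{}, fmt.Errorf("unknown media type %q", mediaType)
	}
	if len(mediaKey) != 32 {
		return mediaKeys{}, errors.New("mediaKey must be exactly 32 bytes")
	}
	k := hkdfSHA256(mediaKey, []byte(info), 112)
	return mediaKeys{iv: k[:16], cipherKey: k[16:48], macKey: k[48:80], refKey: k[80:112]}, nil
}

// mediaMAC is HMAC-SHA256(macKey, iv || ciphertext) truncated to 10 bytes.
func mediaMAC(k mediaKeys, enc []byte) []byte {
	m := hmac.New(sha256.New, k.macKey)
	m.Write(k.iv)
	m.Write(enc)
	return m.Sum(nil)[:10]
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// encryptMedia builds a .enc file the way the sender would; it exists here so
// the decryptor can be exercised without a real extraction.
func encryptMedia(plain, mediaKey []byte, mediaType string) ([]byte, error) {
	k, err := expandMediaKey(mediaKey, mediaType)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(k.cipherKey)
	padded := pkcs7Pad(plain)
	enc := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, k.iv).CryptBlocks(enc, padded)
	return append(enc, mediaMAC(k, enc)...), nil
}

// decryptMedia verifies the trailing MAC before decrypting, so a wrong key,
// wrong media type or corrupted file is reported instead of yielding junk.
func decryptMedia(encFile, mediaKey []byte, mediaType string) ([]byte, error) {
	k, err := expandMediaKey(mediaKey, mediaType)
	if err != nil {
		return nil, err
	}
	if len(encFile) < 10+aes.BlockSize {
		return nil, errors.New(".enc file too short")
	}
	enc, tag := encFile[:len(encFile)-10], encFile[len(encFile)-10:]
	if len(enc)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	if !hmac.Equal(mediaMAC(k, enc), tag) {
		return nil, errors.New("MAC mismatch: wrong mediaKey, wrong media type, or damaged file")
	}
	block, _ := aes.NewCipher(k.cipherKey)
	plain := make([]byte, len(enc))
	cipher.NewCBCDecrypter(block, k.iv).CryptBlocks(plain, enc)
	return pkcs7Unpad(plain)
}

func main() {
	mediaKey := bytes.Repeat([]byte{0x42}, 32) // constructed; a real one comes from ZMEDIAKEY
	sample := []byte("ftypisom constructed sample video bytes") // constructed, not a real MP4
	encFile, _ := encryptMedia(sample, mediaKey, "video")
	plain, err := decryptMedia(encFile, mediaKey, "video")
	fmt.Printf("decrypted %d bytes (err=%v): %q\n", len(plain), err, plain)
	_, err = decryptMedia(encFile, mediaKey, "image") // wrong info string
	fmt.Println("wrong media type:", err)
}
```

On a real extraction the first step is the database lookup Marczak describes (`SELECT hex(ZMEDIAKEY) FROM ZWAMEDIAITEM ...` against ChatStorage.sqlite), then the decrypted bytes go to file-type identification and malware analysis; a MAC failure with the right key usually means the wrong media-type info string was chosen.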