By Dustin Volz and Robert McMillan

A report concluding that Saudi Arabia likely hacked into Jeff Bezos' smartphone has spurred questions and confusion among cybersecurity experts, even as it has prompted renewed scrutiny of the kingdom and its crown prince.

Cyberforensics specialists said the report, which is dated November 2019 but didn't surface publicly until this week, relied heavily on circumstantial evidence to make the case that a WhatsApp account associated with Saudi Crown Prince Mohammed bin Salman was probably used to hack into the iPhone of Mr. Bezos, the founder of Amazon.com Inc. and owner of the Washington Post. They say the audit left several major technical questions about the incident unexplained and in need of more examination.

"It is not a conclusive report," said Bill Marczak, a researcher with Citizen Lab, a Toronto-based technology watchdog that has tracked Saudi Arabia's use of surveillance tools. "It raises some interesting questions, some of which I think require further explanation."

The report was produced by business-advisory firm FTI Consulting following an investigation commissioned by Mr. Bezos. Gavin de Becker, a security consultant hired separately by Mr. Bezos, publicly alleged last March that the investigators had determined "with high confidence" that the Saudis had accessed private information on Mr. Bezos' phone.

The FTI report has already caused ripples, with two United Nations officials on Wednesday publicizing its analysis and calling on the U.S. to conduct further investigations, including into Saudi Arabia's alleged use of commercial spyware to target political opponents with intrusive digital surveillance.

FTI, which is based in Washington and has a presence in more than two dozen countries, has repeatedly declined to comment publicly about its study, citing client confidentiality. The report said it had concluded -- with "medium to high confidence" -- that the WhatsApp account associated with Prince Mohammed was used to compromise Mr. Bezos' phone, likely by sending a video file in May 2018 that contained an image of the Saudi Arabian and Swedish flags and an encrypted file.

Investigators said that video file appeared to contain malicious code, citing as evidence that the phone began transmitting large amounts of data hours after it was received.

Saudi Arabia has denied the allegations, calling them absurd. Saudi officials close to the crown prince said they were aware of a plan to hack Mr. Bezos' phone, but not of any attempt to blackmail him, The Wall Street Journal reported on Wednesday.

A spokesman for Mr. Bezos declined to comment.

On Thursday, a White House spokesman said Saudi Arabia was an "important ally" and declined to say whether the Trump administration planned to investigate the matter.

The FTI investigation appeared to forgo important investigatory steps that could have yielded a fuller picture of what occurred on Mr. Bezos' iPhone X, forensics specialists said.

Perhaps the most important piece of evidence absent from the report, experts say, is the malicious software allegedly used to hack into Mr. Bezos' phone. The FTI report suggests this so-called malware may lie in an encrypted file sent to Mr. Bezos' phone, but FTI said it wasn't able to decrypt this file.

That is something it should be able to do, according to both Mr. Marczak and Alex Stamos, director of the Stanford Internet Observatory at Stanford University, who until August 2018 was chief security officer at Facebook Inc., which owns WhatsApp.

According to Mr. Stamos, the report suggests that FTI investigators had access to the data necessary to decrypt the file in question and examine it for malicious software. "They don't seem to understand how to properly decrypt WhatsApp attachments," Mr. Stamos said.

In its report, FTI said it received Mr. Bezos' iPhone X in May 2019 and began efforts to try to collect evidence, keeping the device in a lab secured and staffed 24 hours a day, with no other electronic devices allowed in or out. The report didn't say whether the phone was prohibited from connecting to the network.

The FTI report indicates that the firm didn't perform a "jailbreak" of the phone -- a way of circumventing the security restrictions that hamper the viewing of files on the phone. A jailbreak is an important step in many forensics investigations, particularly those searching for sophisticated hacking software, Mr. Stamos said. "If your goal is to determine if there is nation-state-level malware on a device, you can't do that without a jailbreak," he said.

A person familiar with the investigation acknowledged that a jailbreak of the iPhone would likely be necessary to obtain more definitive results, and that FTI investigators still wanted to do that, as the report's final page states. But there were circumstances that have delayed that effort, this person said, while declining to provide specifics.

The report indicates that the investigation may have been hampered by a common security issue: password problems. Investigators wrote that they lacked the password for the iTunes backup for Mr. Bezos' phone -- the report didn't explain why Mr. Bezos couldn't provide it -- and that in May they bypassed the phone's backup encryption password to create a copy of the phone's files. That is a common investigative technique when the backup password is missing, but it reduces the amount of phone data available to investigators, said Sherri Davidoff, the chief executive of LMG Security, a Missoula, Mont.-based cybersecurity company that conducts forensic investigations.

The FTI review also didn't explain whether Mr. Bezos was duped into clicking on a malicious file, or if malware had been automatically installed on his device -- a rare but powerful hacking technique.

Experts said the massive surge in outgoing data that began hours after Mr. Bezos received the file could signal malicious activity. While the timing of the surge was suspicious, experts said it was circumstantial evidence that alone isn't sufficient to conclude that a hack took place.

FTI isn't among the firms best known for cyberforensics investigations. Founded 38 years ago, it advises companies across the globe on a range of sensitive matters, including corporate litigation and forensic accounting. It has been involved in several other prominent cases, including the Enron and WorldCom bankruptcies and the investigation into the use of steroids in Major League Baseball.

The company has sought to expand its cybersecurity portfolio rapidly in recent years, and in 2017 hired Anthony Ferrante as its global head of cybersecurity. Mr. Ferrante, a veteran of the Federal Bureau of Investigation who was chief of staff of the agency's cyber division, served as director for cyber incident response at the National Security Council during the Obama administration. Mr. Ferrante was the author of the report on Mr. Bezos' phone.

FTI maintains close ties to law enforcement, recruiting heavily from the FBI and U.S. intelligence agencies, and Mr. Ferrante has been involved in other high-profile investigations.

Several former U.S. cybersecurity officials who have worked with Mr. Ferrante described him as a straightforward investigator with real technical skills. "Anthony is a professional," said one former colleague. "He is not the kind of person who puts something out without real confidence."

Mr. Ferrante declined to comment.

Write to Dustin Volz at dustin.volz@wsj.com and Robert McMillan at Robert.Mcmillan@wsj.com

(END) Dow Jones Newswires

January 24, 2020 06:44 ET (11:44 GMT)

Copyright (c) 2020 Dow Jones & Company, Inc.
Amazon.com (NASDAQ:AMZN)
Historical Stock Chart
From Mar 2024 to Apr 2024 Click Here for more Amazon.com Charts.
Amazon.com (NASDAQ:AMZN)
Historical Stock Chart
From Apr 2023 to Apr 2024 Click Here for more Amazon.com Charts.