Cybersecurity experts urge skepticism over claims Saudis hacked Bezos's phone

Jeff Bezos, CEO of Amazon, unveils the Fire Phone at an event in 2014. (Photo: Mike Kane/Bloomberg via Getty Images)
Jeff Bezos, CEO of Amazon, unveils the Fire Phone at an event in 2014. (Photo: Mike Kane/Bloomberg via Getty Images)

WASHINGTON — When Jeff Bezos’s personal security consultant Gavin De Becker published what amounted to a startling indictment of the National Enquirer on Saturday, alleging that the tabloid publication may have worked with Saudi Arabia to expose the Amazon CEO’s affair, there was one thing missing: any evidence for the claim.

“Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information,” De Becker wrote in an op-ed in the Daily Beast, adding that it was “unclear” if the Saudis had actually worked with the Enquirer, which first published details of the affair.

De Becker’s lack of details on the alleged hack may be because he doesn’t want to tip his hand in advance of an FBI investigation or any potential court proceedings. However, the notable lack of technical detail has led multiple cybersecurity experts to call for further details before speculating on the events, Saudi capabilities or the potential consequences of that behavior.

“If the Gulf states are going hog-wild on U.S. persons, that would be big news,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation. “But it’s also a claim that requires evidence.”

Dave Venable, a former intelligence officer at the National Security Agency who advises on information-security issues, agreed. “While it wouldn’t be surprising if Jeff Bezos’ claims of Saudi Arabia’s involvement in the hack turn out to be true, any claim of this magnitude needs to be backed up with strong forensic evidence,” he told Yahoo News.

In the last decade, technology used to spy on people and monitor or steal personal information from inside digital devices has proliferated across the Middle East and North Africa, where governments have different views of civil liberties and privacy — as well as what might constitute a crime. Companies like NSO Group in Israel and Hacking Team in Italy have sold tools and capabilities to governments, particularly in the oil-rich Gulf nations like Saudi Arabia and the United Arab Emirates.

However, De Becker’s op-ed does not indicate that the investigative team had obtained forensic evidence of an intrusion into any of Bezos’s devices, nor does it suggest that evidence, if it exists, has been reviewed by outside peers, as has been done with other notable hacking cases.

It’s possible that the well-resourced team within Amazon did its own forensics, or that De Becker obtained intelligence from another source. However, there are independent organizations with a strong track record on similar issues, like Citizen Lab at the University of Toronto, which relies on multiple forensic experts who track Middle Eastern spyware, particularly on mobile devices.

Citizen Lab experts have published extensively on companies including NSO Group, which markets and sells advanced hacking tools to governments around the world, including Saudi Arabia. If NSO or another regional company was involved, Citizen Lab would likely be familiar with the type of forensic evidence Amazon’s team may have been analyzing.

NSO Group denied that its tools were used to hack Bezos.

Independent security experts and former intelligence officials suggested that Saudi digital capabilities remain nascent; the oil-rich kingdom still heavily relies on outsourcing hacking tools from companies like NSO and, before that, Hacking Team.

“If the purchased tool is sophisticated, it might be designed to leave no evidence,” said Timo Steffens, an author focused on researching targeted cyberattacks and attribution online. However, he continued, “unless there is forensic evidence, anything mentioned in that article is rather weak in front of a court.”

De Becker’s new claims follow what has been a whirlwind story of power, wealth and celebrity. In January, Bezos and his wife announced they were divorcing, just before the National Enquirer published an investigation, which included leaked intimate texts, revealing that the Amazon founder had been having an affair with a former TV host, Lauren Sanchez. In February, Bezos revealed some of the backstory on Medium, including details of how David Pecker, CEO of the Enquirer’s parent company, AMI, was allegedly blackmailing him with racy photographs documenting the affair. Bezos also suggested there might be Saudi involvement in obtaining his private data.

Since then, Michael Sanchez, Lauren’s brother, came forward as the source of the leaked material. The Enquirer, which has acknowledged Sanchez as a source, has denied any cooperation with Saudi Arabia on the Bezos story.

The FBI declined to comment on whether it had opened an investigation or received evidence from De Becker.

Saudi Arabia has begun dipping its toes in the waters of creating its own domestic private capabilities — but largely remains dependent on outside entities. One company inside Saudi Arabia, according to a security expert from the region, is called Haboob.

That company also appears to be an industry novice. According to Joseph Cox, a digital-security journalist at Motherboard, an official from Haboob reached out to him to try and purchase hacking tools — not realizing that Cox is a journalist.

Read more from Yahoo News: