De Becker speculated the Saudis sought to expose Bezos’ affair as retaliation, after the Bezos-owned Washington Post published reports criticizing the Saudi government’s apparent involvement in the killing of Post columnist Jamal Khashoggi.
De Becker’s piece describes a great deal of drama surrounding AMI, including missteps made by the company in the past, the wording of emails from AMI that he says are suspicious and some contacts between the Saudis and AMI. He stops short of alleging that AMI got the information from the Saudis, but it’s strongly implied.
De Becker also cited news articles detailing the surveillance capabilities of the Saudis, including the extensive surveillance they reportedly conducted on Khashoggi before he was killed.
All of this is circumstantial to his central claim: “Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information.”
He also said the information confirming this allegation had been turned over to federal authorities, which is why he said he is no longer addressing the matter.
CNBC spoke with three cybersecurity experts who have experience working on issues involving Saudi Arabia, who asked to remain anonymous because they did not have their employers’ permission to speak to media. While the claims are in the realm of possibility, they said, they’re also stunning allegations that need more concrete information to back them up.
Here’s what we don’t know.
- Which tools? To understand how the Saudis had access to Bezos’ cell phone, security practitioners would need to understand what tools the hackers used. Was it a known form of malware, or something new and custom-created? Did they bribe someone for access or files? Which leads to the second, related question …
- Was the access remote? It’s possible to attack an individual’s personal mobile device remotely, but these attacks are advanced and relatively rare in the real world. Russians have employed these tactics against NATO soldiers for instance, and the United Arab Emirates has also been toying with this type of remote monitoring, according to a Reuters report earlier this year. To have a foreign government using one of these tactics to monitor a U.S. business mogul’s phone would be stunning.
- Or was the access physical? If someone from Saudi Arabia had Bezos’ phone in hand, or someone in Bezos’ orbit planted the malware, that is less of a national security question. But it’s definitely a question that Amazon’s board would want to have answered, as it points to a need for better cybersecurity protections for the CEO’s technology.
- Who within the Saudi government actually executed the espionage plan? It’s difficult to pinpoint exactly who is responsible for launching such an attack, but U.S. government investigators are getting much better at it. Recent indictments of Russian, Chinese, Iranian and North Korean hackers show that investigators can now finger exactly who is involved in a specific incident. If this attack was indeed sponsored by the Saudis, an investigation should be able to give more detail or even outline individuals responsible.
Claims of hacking can often fall neatly into a wider narrative involving political intrigue, and the Bezos/AMI saga is chock full of it.
But separating these narrative details from the actual nuts-and-bolts of what Bezos’ team is alleging about the Saudis is going to take a lot more digging.