If the Saudis actually hacked Jeff Bezos' phone, here are the details security experts want to know

  • Cybersecurity experts say they want more information to back up the stunning claims that Saudi Arabia may have been involved in a plot to hack Amazon CEO Jeff Bezos' cell phone.
  • Bezos' security chief wrote an article in The Daily Beast this week asserting that Bezos' phone had been compromised by the Saudis, possibly in collusion with Enquirer publisher American Media Inc.
  • AMI denied the claims.
Amazon founder Jeff Bezos pictured in Washington, D.C., on Sept. 1, 2018.
Joshua Roberts/File Photo

This week, Amazon CEO Jeff Bezos' top security staffer, Gavin de Becker, wrote about an alleged plot by the Saudi Arabian government to hack the billionaire's phone. He also suggested a connection between the hack and National Enquirer publisher American Media Inc., which published details of Bezos' affair with Lauren Sanchez and threatened to publish explicit texts the pair exchanged.

De Becker offered little proof, aside from circumstantial details. He also said the article was the last he'd talk about it.

AMI denied any connection to the Saudis, saying it got information about Bezos from Sanchez's brother. "There was no involvement by any other third party whatsoever," the company said.

If the Saudis were involved, that claim would have significant national security implications -- it would mean that a foreign government somehow got access to the phone of a major American business mogul. Given the seriousness of the charges, security experts are curious to see more concrete proof.

Getting to the real claims

De Becker speculated the Saudis sought to expose Bezos' affair as retaliation, after the Bezos-owned Washington Post published reports criticizing the Saudi government's apparent involvement in the killing of Post columnist Jamal Khashoggi.

De Becker's piece describes a great deal of drama surrounding AMI, including missteps made by the company in the past, the wording of emails from AMI that he says are suspicious and some contacts between the Saudis and AMI. He stops short of alleging that AMI got the information from the Saudis, but it's strongly implied.

De Becker also cited news articles detailing the surveillance capabilities of the Saudis, including the extensive surveillance they reportedly conducted on Khashoggi before he was killed.

All of this is circumstantial to his central claim: "Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos' phone, and gained private information."

He also said the information confirming this allegation had been turned over to federal authorities, which is why he said he is no longer addressing the matter.

CNBC spoke with three cybersecurity experts who have experience working on issues involving Saudi Arabia, who asked to remain anonymous because they did not have their employers' permission to speak to the media. While the claims are in the realm of possibility, they said, they're also stunning allegations that need more concrete information to back them up.

Here's what we don't know.

  • Which tools? To understand how the Saudis had access to Bezos' cell phone, security practitioners would need to understand what tools the hackers used. Was it a known form of malware, or something new and custom-created? Did they bribe someone for access or files? Which leads to the second, related question ...
  • Was the access remote? It's possible to attack an individual's personal mobile device remotely, but these attacks are advanced and relatively rare in the real world. Russians have employed these tactics against NATO soldiers, for instance, and the United Arab Emirates has also been toying with this type of remote monitoring, according to a Reuters report earlier this year. To have a foreign government using one of these tactics to monitor a U.S. business mogul's phone would be stunning.
  • Or was the access physical? If someone from Saudi Arabia had Bezos' phone in hand, or someone in Bezos' orbit planted the malware, that is less of a national security question. But it's definitely a question that Amazon's board would want to have answered, as it points to a need for better cybersecurity protections for the CEO's technology.
  • Who within the Saudi government actually executed the espionage plan? It's difficult to pinpoint exactly who is responsible for launching such an attack, but U.S. government investigators are getting much better at it. Recent indictments of Russian, Chinese, Iranian and North Korean hackers show that investigators can now finger exactly who is involved in a specific incident. If this attack was indeed sponsored by the Saudis, an investigation should be able to give more detail or even outline individuals responsible.

Claims of hacking can often fall neatly into a wider narrative involving political intrigue, and the Bezos/AMI saga is chock full of it.

But separating these narrative details from the actual nuts-and-bolts of what Bezos' team is alleging about the Saudis is going to take a lot more digging.