Those not living under a large rock will, by now, have caught up with the news that Amazon owner Jeff Bezos’s phone was “hacked” after an allegedly infected WhatsApp message was sent to him by the Saudi Crown Prince, Mohammad Bin Salman (“MBS”).

A full report by consultancy FTI, which was tasked with analysing the phone, failed to explicitly find any malware, but did identify that hours after a suspicious video file was sent to Bezos by MBS on May 1, 2018 “a massive and unauthorized exfiltration of data from Bezos’ phone began, continuing and escalating for months thereafter.”

The full report, leaked by Vice’s Motherboard, shows that the FTI team used a tool from Cellebrite (Cellebrite UFED 4PC Ultimate and Physical Analyzer) to pull forensic images from the phone. But security experts say the report appears strikingly incomplete and even somewhat amateurish. Did they overlook the “murder weapon”?

Here’s what Facebook’s former CISO Alex Stamos had to say.

As he noted: “How did FTI see enough of the video to characterize it and perform a ‘cursory analysis’ but not an in-depth analysis?

“If they have the locally cached messages, then they should also have the ephemeral encryption key to decrypt the entire video. If the video is the initial point of exploitation, then there MUST be some evidence of that in the video file itself. It’s true that this will just be a first stage exploit that pulls down the rest of the malware, but the actual exploit and a bit of ARM shell must be there… This is a major national security issue now more eyes need to be on the evidence.”

Many suggested that the report, if it was the final report furnished, did not provide nearly enough convincing evidence that MBS was indeed to blame. As Rob Graham puts it: “It uses phrases like ‘unauthorized exfiltration’ to mean ‘outgoing data we can’t explain’… Anomalies could simply be that in certain times, he’s near WiFi, and they get uploaded that way, and other times, he’s not, so uploads happen over cellular. Small changes that a person is unaware of can have massive impacts on traffic.”

Whether the phone was indeed hacked or not, Motherboard’s Joseph Cox pointed to the challenge of, perhaps, not anticipating that a Crown Prince would be part of your threat model.

Security veteran The Grugq made the point in another way: all operational security starts and ends with compartmentation, he emphasised. (For Bezos, this might have meant simply sending messages to his lover on a separate phone from the one he used to exchange messages with business people and political leaders.)

Citizen Lab’s senior researcher Bill Marczak again emphasised that more could have been done in terms of the forensics than FTI Consulting suggests.

He wrote: “FTI’s report mentions that they found an ‘encrypted downloader’ (.enc file) through which the video was transmitted, as is standard for WhatsApp file transfers. FTI says they were unable to decrypt this file.”

He added: “It is possible to decrypt the contents of an .enc file from WhatsApp, given a forensic extraction of the phone, of the type that FTI mentions they performed.

“The first 32 bytes of the ZMEDIAKEY field of the ZWAMEDIAITEM table in WhatsApp’s ChatStorage.sqlite database should contain a key for each .enc file, and we have verified that these decryption instructions and code are sufficient to decrypt WhatsApp .enc files from a forensic extraction.”

“We encourage FTI to decrypt the .enc file, examine its contents, and check whether decryption yields a benign or malicious file.”
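For readers who want to see what that step involves, here is a sketch added for illustration; it is not Citizen Lab’s or FTI’s code. It reads the key material from the table and field Marczak names, then checks and decrypts an .enc file. The key-derivation details (HKDF-SHA256, the “WhatsApp Video Keys” label, the 10-byte trailing MAC) are assumptions taken from public documentation of WhatsApp’s media encryption, not from the report, and the function names are hypothetical.

```python
import hashlib, hmac, sqlite3

# Assumption (not stated in the article): the publicly documented WhatsApp media
# scheme. HKDF-SHA256 expands the 32-byte media key to 112 bytes laid out as
# IV (16) | AES-256 key (32) | HMAC key (32) | unused (32). The .enc file is
# AES-CBC ciphertext followed by a 10-byte truncated HMAC-SHA256 over IV + ciphertext.
VIDEO_INFO = b"WhatsApp Video Keys"

def media_keys(db_path):
    """Return {rowid: first 32 bytes of ZMEDIAKEY} from a ChatStorage.sqlite copy."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("SELECT rowid, ZMEDIAKEY FROM ZWAMEDIAITEM "
                           "WHERE ZMEDIAKEY IS NOT NULL").fetchall()
    finally:
        con.close()
    return {rid: bytes(blob[:32]) for rid, blob in rows if len(blob) >= 32}

def hkdf_sha256(ikm, length, info=b"", salt=b""):
    """RFC 5869 extract-then-expand; an empty salt means 32 zero bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive(media_key, info=VIDEO_INFO):
    okm = hkdf_sha256(media_key, 112, info)
    return okm[:16], okm[16:48], okm[48:80]  # iv, cipher key, mac key

def mac_ok(enc, media_key, info=VIDEO_INFO):
    """True if the file's trailing 10-byte MAC matches this media key."""
    iv, _, mac_key = derive(media_key, info)
    want = hmac.new(mac_key, iv + enc[:-10], hashlib.sha256).digest()[:10]
    return len(enc) > 10 and hmac.compare_digest(enc[-10:], want)

def decrypt_enc(enc, media_key, info=VIDEO_INFO):
    """Verify the MAC first, then AES-256-CBC decrypt and strip PKCS#7 padding."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    if not mac_ok(enc, media_key, info):
        raise ValueError("MAC mismatch: wrong key, wrong media type or truncated file")
    iv, key, _ = derive(media_key, info)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    plain = dec.update(enc[:-10]) + dec.finalize()
    if not plain or not 1 <= plain[-1] <= 16:
        raise ValueError("bad padding")
    return plain[:-plain[-1]]
```

The MAC check needs only the standard library, so it can confirm that a recovered key matches a given .enc file before any decryption is attempted; `decrypt_enc` additionally requires the third-party `cryptography` package.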
