A journalist for the New York Times, Ben Hubbard, recently discovered that his phone had been hacked not once, but twice by malicious parties during his work around the Middle East.
Both times, his iPhone was infiltrated using NSO Group’s Pegasus spyware. The Pegasus Project has long been working to dismantle the spyware and identify its victims (some of whom have ended up murdered). In fact, a total of four attempts were discovered in the code on Hubbard’s phone: the first two came in the form of dangerous links, one sent via a WhatsApp message and one via a text message.
NSO Group, the creator and owner of the Pegasus software used in these attacks, is a large surveillance firm based in Israel, which typically licenses the spyware to government agencies for the purpose of tracking criminals and terrorists.
However, such a tool is easily misused, and it has already been grossly abused by multiple governments in many countries, where it has been illegally used to keep tabs on dozens of innocent civilians.
As a New York Times correspondent who covers the Middle East, I often speak to people who take great risks to share information that their authoritarian rulers want to keep secret. I take many precautions to protect these sources because if they were caught they could end up in jail, or dead […]
As it turned out, I didn’t even have to click on a link for my phone to be infected.
To try to determine what had happened, I worked with Citizen Lab, a research institute at the Munk School of Global Affairs at the University of Toronto that studies spyware.
The first two attempts were via a text message and WhatsApp message. These would only have worked if Hubbard clicked on the links, and he was too savvy to fall for that. But there is no way to prevent a zero-click exploit.
Bill Marczak, a senior fellow at Citizen Lab […] found that I had been hacked twice, in 2020 and 2021, with so-called “zero-click” exploits, which allowed the hacker to get inside my phone without my clicking on any links. It’s like being robbed by a ghost […]
Based on code found in my phone that resembled what he had seen in other cases, Mr. Marczak said he had “high confidence” that Pegasus had been used all four times.
There was also strong evidence suggesting Saudi Arabia was behind each of the attacks. NSO has twice suspended the country’s use of Pegasus over abuses.
Hubbard further explains that he has since taken some specific precautions to protect himself. For one, he’s started using Signal, an encrypted messaging app. That way, even “if a hacker makes it in, there won’t be much to find,” he says.
One good thing to know, Hubbard explains, is that NSO, among other spyware companies, does not allow its licensed users to target phone numbers in the United States, to avoid political trouble. However, foreign contacts stored in the phone are far from safe, which is why Hubbard has taken to storing all his sensitive contacts and information offline, outside of his phone.
There are no guarantees, but there are preventative measures
The important lesson Hubbard emphasized is that anybody could be hacked using a zero-click exploit, and they most likely wouldn’t even know about it. Apple has patched the vulnerabilities that earlier attacks revealed, but has clearly been missing others that continue to be exploited. And even once those are patched, we can never be 100% sure we’ve covered them all.
Being offline is the only surefire guarantee of cybersecurity, and while that’s not an option for most of us, we can learn from the precautions Hubbard detailed and try to stay as safe as we can.
This isn’t the first time by a long shot…
NSO firmly denied involvement, but the grisly part of that investigation was that this Pegasus-enabled infiltration possibly led to the death and dismemberment of Jamal Khashoggi, a Saudi journalist. His wife had been hacked and watched through her phone for the months leading up to Jamal’s death.