Home
News
You are here

Journalist's iPhone hacked by Saudi Arabia with Pegasus spyware

Published: Oct 27, 2021, 10:26 AM

4comments

Journalist's iPhone hacked by Saudi Arabia with Pegasus spyware

A journalist for the New York Times, Ben Hubbard, recently discovered that his phone had been hacked not once, but twice by malicious parties during his work around the Middle East.

Both times, his iPhone was infiltrated using NSO Group's Pegasus spyware, which The Pegasus Project has long been working to dismantle and identify its victims (some of which have ended up murdered). In fact, there were a total of four attempts discovered in the code on Hubbard's phone: the first two came in the form of dangerous links sent via a WhatsApp message, and a text message.

When Hubbard failed to take the bait and click on them, two more attacks were initiated—this time zero-click hacks (requiring zero action on the victim's part, such as clicking a link, in order to work). This time, both of them were successful, infiltrating the journalist's phone and privacy, and putting him and his sensitive contacts' very lives at serious risk.

NSO Group, the creator and owner of the Pegasus software used in these attacks, is a large surveillance firm based in Israel, which typically grants the use license of the spyware to government agencies for the purpose of tracking criminals and terrorists.

However, such a tool is very easily prone to misuse, and has already been grossly abused by multiple governments in many countries, where it has been illegally used to keep tabs on dozens of innocent civilians.

According to researchers, all four of the attacks on Hubbard's phone likely originated from Saudi Arabia, a country which has a lengthy track record of abusing Pegasus spyware (and has already had their Pegasus license suspended two times).

Hubbard has since published an article detailing his experience and the conclusions he drew from it, making sure others are aware of the sheer dangers possible with technology deemed relatively safe (such as iPhones).

As it turned out, I didn’t even have to click on a link for my phone to be infected.

As a New York Times correspondent who covers the Middle East, I often speak to people who take great risks to share information that their authoritarian rulers want to keep secret. I take many precautions to protect these sources because if they were caught they could end up in jail, or dead […]

As it turned out, I didn’t even have to click on a link for my phone to be infected.

To try to determine what had happened, I worked with Citizen Lab, a research institute at the Munk School of Global Affairs at the University of Toronto that studies spyware.

The first two attempts were via a text message and WhatsApp message. These would only have worked if Hubbard clicked on the links, and he was too savvy to fall for that. But there is no way to prevent a zero-click exploit.

Bill Marczak, a senior fellow at Citizen Lab […] found that I had been hacked twice, in 2020 and 2021, with so-called “zero-click” exploits, which allowed the hacker to get inside my phone without my clicking on any links. It’s like being robbed by a ghost […]

Based on code found in my phone that resembled what he had seen in other cases, Mr. Marczak said he had “high confidence” that Pegasus had been used all four times.

There was also strong evidence suggesting Saudi Arabia was behind each of the attacks. NSO has twice suspended the country’s use of Pegasus over abuses.

Hubbard further explains that he has since taken some specific precautions to protect himself. For one, he's started using Signal, an encrypted messaging app. That way, even "if a hacker makes it in, there won't be much to find," he says.

One good thing to know, Hubbard explains, is that among other spyware companies, NSO does not allow its licensed users to target phone numbers in the United States, to avoid political trouble. However, foreign contacts stored in the phone are far from safe—which is why Hubbard has taken to storing all his sensitive contacts and information offline, outside of his phone.

Hubbard also explains that rebooting your phone regularly can kick out some active spy programs, although it isn't an effective method at keeping them off. Last but not least, the NYT journalist, says, "I resort to one of the few non-hackable options we still have: I leave my phone behind and meet people face to face."

There are no guarantees, but there are preventative measures

The important lesson Hubbard emphasized was that the reality is, anybody could be hacked using a zero-click exploit, and they most likely wouldn't even know about it. Apple has patched the vulnerabilities that earlier attacks revealed, but has clearly been missing others that continue to be exploited. And even once those are patched up, we can never be 100% sure we've covered them all.

Being offline is the only surefire guarantee of cybersecurity, but while that's not an option for most of us, we could at least learn something from the precautions Hubbard detailed to at least try to stay as safe as we can.

This isn't the first time by a long shot...

Last time we heard of licensed governments abusing NSO's Pegasus spyware was back in August, when 37 journalists and human rights activists had been either attempted to or successfully hacked by an Israeli surveillance firm, and had their phones riddled with military-grade spyware.

NSO firmly denied involvement, but the darker part of that investigation was that it was possibly this Pegasus-enabled infiltration that led to the grisly death and dismemberment of Jamal Khashoggi, a Saudi journalist. His wife had been hacked and watched through her phone for the months leading up to Jamal's death.