A New York Times journalist who was a victim of NSO’s Pegasus spyware recently described his experience in being a target for hacking and the security precautions he now has to take. The journalist, Ben Hubbard, says there were four hacking attempts made on his iPhone and two of them worked.
NSO’s Pegasus spyware used to attack NYT journalist
An investigation in July revealed how the Israeli-based company NSO’s Pegasus spyware was used to attack journalists and human rights activists. The spyware, which was intended to be used for crime prevention was misused by oppressive regimes to track journalists, political rivals, activists, or others who were dissident.
In a New York Times report, Hubbard explained how as a Middle East correspondent, he often speaks to people “people who take great risks to share information that their authoritarian rulers want to keep secret.” Though Hubbard took precautions to protect his sources, he still became a victim of the Pegasus spyware.
To figure out what happened, Hubbard worked with Citizen Lab, a research institute at the Munk School of Global Affairs at the University of Toronto that studies spyware. Hubbard found that he had been targeted with a suspicious text message in 2018, allegedly sent by Saudi Arabia. There was another hacking attempt from 2018 with a message sent via Whatsapp. Neither attempt succeeded.
Further investigations revealed two hacks in 2020 and 2021 were successful using a “zero-click” exploit which allowed the hacker to get inside his device. Pegasus is believed to be used for all of the attacks however the NSO Group has died the allegations that its spyware was used saying, “technical and contractual reasons and restrictions” meant Hubbard could not have been a target in the recent incidents.
The journalist is even more cautious of his information now taking a number of precautions to keep his sensitive data safe.
I store sensitive contacts offline. I encourage people to use Signal, an encrypted messaging app, so that if a hacker makes it in, there won’t be much to find.
Many spyware companies, including NSO, prevent the targeting of United States phone numbers, presumably to avoid picking a fight with Washington that could lead to increased regulation, so I use an American phone number.
I reboot my phone often, which can kick out (but not keep off) some spy programs. And, when possible, I resort to one of the few non-hackable options we still have: I leave my phone behind and meet people face to face.
In September, Apple’s release of iOS 14.8 and iOS 12.5.5 added an extra layer of security that previously allowed Pegasus to take control of a target’s iPhone.