I Was Hacked. The Spyware Used Against Me Makes Us All Vulnerable.

https://www.nytimes.com/2021/10/24/insider/hacking-nso-surveillance.html

Version 0 of 1.

Times Insider explains who we are and what we do, and delivers behind-the-scenes insights into how our journalism comes together.

BEIRUT, Lebanon — In Mexico, the government hacked the cellphones of journalists and activists. Saudi Arabia has broken into the phones of dissidents at home and abroad, sending some to prison. The ruler of Dubai hacked the phones of his ex-wife and her lawyers.

So perhaps I should not have been surprised when I learned recently that I, too, had been hacked.

Still, the news was unnerving.

As a New York Times correspondent who covers the Middle East, I often speak to people who take great risks to share information that their authoritarian rulers want to keep secret. I take many precautions to protect these sources because if they were caught they could end up in jail, or dead.

But in a world where we store so much of our personal and professional lives in the devices we carry in our pockets, and where surveillance software continues to become ever more sophisticated, we are all increasingly vulnerable.

As it turned out, I didn’t even have to click on a link for my phone to be infected.

To try to determine what had happened, I worked with Citizen Lab, a research institute at the Munk School of Global Affairs at the University of Toronto that studies spyware.

I hoped to find out when I had been hacked, by whom and what information had been stolen. But even with the help of professional internet sleuths, the answers were elusive.

What the investigation did find was that I had a run-in with the growing global spyware industry, which sells surveillance tools to governments to help them fight crime and track terrorists.

But the companies that sell these tools operate in the shadows, in a market that is largely unregulated, allowing states to deploy the technology as they wish, including against activists and journalists.

In 2018, I had been targeted with a suspicious text message that Citizen Lab determined had likely been sent by Saudi Arabia using software called Pegasus. The software’s developer, the Israel-based NSO Group, denied its software had been used.

This year, a member of The Times’s tech security team found another hacking attempt from 2018 on my phone. The attack came via an Arabic-language WhatsApp message that invited me by name to a protest at the Saudi Embassy in Washington.

Bill Marczak, a senior fellow at Citizen Lab, said there was no sign that either attempt had succeeded since I had not clicked on the links in those messages.

But he also found that I had been hacked twice, in 2020 and 2021, with so-called “zero-click” exploits, which allowed the hacker to get inside my phone without my clicking on any links. It’s like being robbed by a ghost.

In the second case, Mr. Marczak said, once inside my phone, the attacker apparently deleted traces of the first hack. Picture a thief breaking back into a jewelry store he had robbed to erase fingerprints.

Tech security experts told me it was nearly impossible to definitively identify the culprits.

But based on code found in my phone that resembled what he had seen in other cases, Mr. Marczak said he had “high confidence” that Pegasus had been used all four times.

In the two attempts in 2018, he said, it appeared that Saudi Arabia had launched the attacks because they came from servers run by an operator who had previously targeted a number of Saudi activists.

It was not clear which country was responsible for the 2020 and 2021 hacks, but he noted that the second one came from an account that had been used to hack a Saudi activist.

I have been writing about Saudi Arabia for years and published a book last year about Crown Prince Mohammed bin Salman, the kingdom’s de facto ruler, so Saudi Arabia might have reasons for wanting to peek inside my phone.

NSO denied its products had been involved in the hacks, writing in an email that I “was not a target of Pegasus by any of NSO’s customers” and dismissing Mr. Marczak’s findings as “speculation.”

The company said it had not had the technology described in the 2018 attempts, and that I could not have been a target in 2020 or 2021 because of “technical and contractual reasons and restrictions” that it did not explain.

The Saudi Embassy in Washington did not respond to a request for comment.

NSO declined to say more on the record, but The Times reported that the company had canceled its contracts with Saudi Arabia in 2018 after Saudi agents killed the dissident writer Jamal Khashoggi, only to resume doing business with the kingdom the following year, adding contractual restrictions on the use of the software.

NSO shut down the Saudi system again this year after Citizen Lab found that the government had used Pegasus to hack the phones of 36 employees of the Arabic satellite network Al Jazeera.

Assigning responsibility for a particular hack is difficult, said Winnona DeSombre, a fellow at the Atlantic Council who studies commercial spyware, because many companies sell products similar to Pegasus, many countries use them and the software is designed to be covert.

She compared the process of analyzing the limited data left on compromised devices to “blind men touching the elephant.”

“You can’t say without the shadow of a doubt,” she said.

The traces left on my phone did not indicate how long the hackers had been inside or what they took, although they could have stolen anything: photos, contacts, passwords and text messages. They would have also been able to remotely turn on my microphone and camera to eavesdrop or spy on me.

Did they steal my contacts so they could arrest my sources? Comb through my messages to see who I’d talked to? Troll through photos of my family at the beach? Only the hackers knew.

As far as I know, no harm has come to any of my sources because of information that may have been stolen from my phone. But the uncertainty was enough to make me lose sleep.

Last month, Apple fixed the vulnerability that the hackers had used to get into my phone this year, after being informed of it by Citizen Lab. But other vulnerabilities may remain.

As long as we store our lives on devices that have vulnerabilities, and surveillance companies can earn millions of dollars selling ways to exploit them, our defenses are limited, especially if a government decides it wants our data.

Now, I limit the information I keep on my phone. I store sensitive contacts offline. I encourage people to use Signal, an encrypted messaging app, so that if a hacker makes it in, there won’t be much to find.

Many spyware companies, including NSO, prevent the targeting of United States phone numbers, presumably to avoid picking a fight with Washington that could lead to increased regulation, so I use an American phone number.

I reboot my phone often, which can kick out (but not keep off) some spy programs. And, when possible, I resort to one of the few non-hackable options we still have: I leave my phone behind and meet people face to face.