Times Insider explains who we are and what we do, and provides behind-the-scenes information on how our journalism comes together.
BEIRUT, Lebanon – In Mexico, the government hacked the cell phones of journalists and activists. Saudi Arabia has broken into dissident phones at home and abroad, sending some to jail. The ruler of Dubai hacked the phones of his ex-wife and his lawyers.
So maybe I shouldn’t have been surprised when I recently learned that I too had been hacked.
Still, the news was baffling.
As a New York Times correspondent covering the Middle East, I often speak to people who take great risks to share information their authoritarian leaders want to keep secret. I take a lot of precautions to protect these sources because if they were caught they could end up in jail or even dead.
But in a world where we store so much of our personal and professional life in the devices we carry in our pockets, and where surveillance software continues to become more and more sophisticated, we are all increasingly vulnerable.
It turned out that I didn’t even have to click a link to get my phone infected.
To try to determine what had happened, I worked with Citizen Lab, a research institute at the Munk School of Global Affairs at the University of Toronto that studies spyware.
I hoped to know when I had been hacked, by whom, and what information had been stolen. But even with the help of professional internet sleuths, the answers were elusive.
What the investigation revealed was that I had an altercation with the growing global spyware industry, which sells surveillance tools to governments to help them fight crime and track down terrorists.
But the companies that sell these tools operate in the shadows, in a largely unregulated market, allowing states to deploy the technology as they see fit, including against activists and journalists.
In 2018, I was the target of a suspicious text message which, according to Citizen Lab, was likely sent from Saudi Arabia using software called Pegasus. The software developer, the Israeli group NSO, has denied that its software was used.
This year, a member of the Times tech security team discovered another 2018 hack attempt on my phone. The attack took place via a WhatsApp message in Arabic that invited me by name to a protest at the Saudi Embassy in Washington.
Bill Marczak, principal researcher at Citizen Lab, said there was no sign that either attempt was successful since I had not clicked on any links in those posts.
But he also discovered that I had been hacked twice, in 2020 and 2021, with so-called “zero click” exploits, which allowed the hacker to enter my phone without me clicking on any links. It’s like being stolen by a ghost.
In the second case, Mr Marczak said, once inside my phone, the attacker apparently deleted the traces of the first hack. Imagine a thief breaking into a jewelry store he had robbed to erase fingerprints.
Technical security experts told me that it was almost impossible to definitively identify the culprits.
But based on the code found in my phone which looked like what he had seen in other cases, Mr Marczak said he had “great confidence” that Pegasus had been used all four times.
In the two attempts in 2018, he said, it emerged that Saudi Arabia launched the attacks because they came from servers run by an operator who had previously targeted a number of Saudi activists.
It was not clear which country was responsible for the 2020 and 2021 hacks, but he noted that the second was from an account that had been used to hack a Saudi activist.
I’ve been writing about Saudi Arabia for years and last year published a book about Crown Prince Mohammed bin Salman, the kingdom’s de facto ruler, so Saudi Arabia might have reason to want to throw a eye inside my phone.
NSO denied that its products were involved in the hacks, writing in an email that I “was not targeted by Pegasus by any of NSO’s customers” and calling Mr. Marczak’s findings “speculation.”
The company said it did not have the technology described in the 2018 attempts, and that I could not have been a target in 2020 or 2021 due to “technical and contractual reasons and restrictions” that it did not explain.
The Saudi Embassy in Washington did not respond to a request for comment.
NSO declined to say more about the case, but The Times reported that the company canceled contracts with Saudi Arabia in 2018 after Saudi agents killed dissident writer Jamal Khashoggi, to resume business with the kingdom the following year, adding contractual restrictions. on the use of the software.
NSO shut down the Saudi system again this year after Citizen Lab discovered that the government had used Pegasus to hack the phones of 36 employees of the Arab satellite network Al Jazeera.
It is difficult to attribute responsibility for a particular hack, said Winnona DeSombre, a member of the Atlantic Council that studies commercial spyware, because many companies sell products similar to Pegasus, many countries use them and software is designed to be secret.
She compared the process of analyzing the limited data left on the compromised devices to “blind men touching the elephant”.
“You can’t say without a shadow of a doubt,” she said.
The traces left on my phone did not indicate how long the hackers had been inside or what they had taken, although they could have stolen anything: photos, contacts, passwords and texts. . They could also have remotely turned on my microphone and camera to listen to me or spy on me.
Did they steal my contacts so they could stop my sources? Review my messages to see who I spoke to? Browse photos of my family at the beach? Only the pirates knew.
As far as I know, none of my sources were harmed because of information that could have been stolen from my phone. But the uncertainty was enough to make me lose sleep.
Apple last month fixed the vulnerability that hackers used to break into my phone this year, after being notified by Citizen Lab. But other vulnerabilities may remain.
As long as we store our lives on devices with vulnerabilities and surveillance companies can make millions of dollars selling ways to exploit them, our defenses are limited, especially if a government decides it wants our data.
Now I limit the information I keep on my phone. I store sensitive contacts offline. I encourage people to use Signal, an encrypted messaging app, so that if a hacker does, there won’t be much to find.
Many spyware companies including NSO prevent targeting of US phone numbers presumably to avoid a fight with Washington which could lead to increased regulation so I am using a US phone number.
I restart my phone often, which can disable (but not prevent) some spyware. And, when possible, I resort to one of the few non-hackable options we still have: I leave my phone behind and meet people face to face.