NYT journalist describes his iPhone being hacked, and the precautions he now takes


A New York Times journalist covering the Middle East has described the experience of his iPhone being hacked, and the security precautions he now takes as a result.

Ben Hubbard says there were four attempts to hack his iPhone, and that two of them succeeded, with all the signs pointing to the use of NSO’s Pegasus spyware.


Our NSO guide explains the background.

NSO Group makes spyware called Pegasus, which is sold to government and law enforcement agencies. The company purchases so-called zero-day vulnerabilities (ones that are unknown to Apple) from hackers, and its software is said to be capable of mounting zero-click exploits – where no user interaction is required by the target.

In particular, it’s reported that simply receiving a particular iMessage – without opening it or interacting with it in any way – can allow an iPhone to be compromised, with personal data exposed.

NSO sells Pegasus only to governments, but its customers include countries with extremely poor human rights records – with political opponents and others targeted.

Apple fixed one of the key exploits used by NSO, but the company likely has others as the cat-and-mouse game continues.

iPhone being hacked was confirmed by Citizen Lab

Ben Hubbard writes that spyware experts Citizen Lab checked his iPhone, who confirmed four separate attacks, two of them successful zero-click ones.

As a New York Times correspondent who covers the Middle East, I often speak to people who take great risks to share information that their authoritarian rulers want to keep secret. I take many precautions to protect these sources because if they were caught they could end up in jail, or dead […]

As it turned out, I didn’t even have to click on a link for my phone to be infected.

To try to determine what had happened, I worked with Citizen Lab, a research institute at the Munk School of Global Affairs at the University of Toronto that studies spyware.

The first two attempts were via a text message and WhatsApp message. These would only have worked if Hubbard clicked on the links, and he was too savvy to fall for that. But there is no way to prevent a zero-click exploit.

Bill Marczak, a senior fellow at Citizen Lab […] found that I had been hacked twice, in 2020 and 2021, with so-called “zero-click” exploits, which allowed the hacker to get inside my phone without my clicking on any links. It’s like being robbed by a ghost […]

Based on code found in my phone that resembled what he had seen in other cases, Mr. Marczak said he had “high confidence” that Pegasus had been used all four times.

There was also strong evidence suggesting Saudi Arabia was behind each of the attacks. NSO has twice suspended the country’s use of Pegasus over abuses.

Precautions against future hacks

Hubbard says that he is now even more cautious, keeping the most sensitive data – his contacts – off his phone.

I store sensitive contacts offline. I encourage people to use Signal, an encrypted messaging app, so that if a hacker makes it in, there won’t be much to find.

Many spyware companies, including NSO, prevent the targeting of United States phone numbers, presumably to avoid picking a fight with Washington that could lead to increased regulation, so I use an American phone number.

I reboot my phone often, which can kick out (but not keep off) some spy programs. And, when possible, I resort to one of the few non-hackable options we still have: I leave my phone behind and meet people face to face.

Photo: Onur Binay/Unsplash