Hacking smartphones is a lucrative business for security companies that provide forensic/spying tools to customers, including law enforcement agencies and governments. The iPhone is the Holy Grail of targets for hackers, and that’s because of Apple’s commitment to privacy and security. But security experts have never given up attempting to break into iPhones, and iOS devices do get hacked. The Pegasus family of iPhone hacking and spying tools is one of the most famous out there right now.
Apple recently patched a vulnerability that allowed attackers to hack into iPhones with the so-called “zero-click” attacks. These hacks often targeted particular individuals, like activists and journalists, rather than regular iPhone users. Still, the Pegasus hack is quite dangerous, and a New York Times reporter explained his experience when he was targeted by a Pegasus hack.
The iPhone hack you see coming
Ben Hubbard reports on Middle East matters for The Times, often speaking to sources who take significant risks to share information with the press. That’s what likely made him a target for unknown hackers. He explained in an article that after the recent Pegasus hacks revelations, he had found out that someone had hacked his iPhone.
The attackers attempted to get into his iPhone four different times, but he was able to spot two attempts. In 2018, he received a text message that contained a link. If clicked, the link could have triggered the hack, allowing the attackers to get into the phone.
Citizen Lab determined that Saudi Arabia might have sent the message, likely using Pegasus software from the NSO Group. The Israeli company denied that its software was used. The Times’ own security team found a second attack that involved the same technique. Only this time, the attackers relied on WhatsApp to send a malicious link. Citizen Lab concluded that neither attempt was successful.
The “zero-click” attack that hacked Hubbard’s iPhone
More sophisticated attacks followed in 2020 and 2021, involving the “zero-click” exploits that software like Pegasus can enable. These are attacks that require no interaction from the user. The attacker can get into the iPhone without any indication to the target that something is amiss. This is what happened in Hubbard’s case — he didn’t even click a malicious link, but his iPhone was still hacked.
Citizen Lab found that the attacker attempted to delete traces of the first hack once inside the phone. Hubbard also notes that tech experts informed him it was nearly impossible to identify the culprits. But Pegasus is likely the program responsible for all four attempts.
Furthermore, the iPhone analysis only showed that attackers hacked the handset. But the researchers could not say how long the hackers had been inside the device or what they had stolen. They could have taken any type of content from the handset, including messages, photos, and passwords. They could have remotely turned on the microphone and camera to spy on the target.
Hubbard will never know the full extent of the attack or what data was lost. But he says the hack did not impact his sources. That might be a sign that the hack did not yield results.
The NSO Group also denied that Pegasus had been used in these “zero-click” hacks.
How to defend yourself
The NYT reporter explained what steps he’s taking to protect himself in addition to updating to the latest iOS version. He limits the information he keeps on the phone, like details for sensitive contacts.
Furthermore, he uses Signal to talk to people, and he reverted to a US phone number. Spyware companies like the NSO Group prevent the targeting of US phone numbers, he said. Hubbard said he also reboots his phone often, which can kick out some spy programs.
Read the full report, complete with more context about the hacks, at this link.