ARI SHAPIRO, HOST:
Amazon CEO and Washington Post owner Jeff Bezos is not the only person who has accused Saudi Arabia of hacking his phone. Ben Hubbard is working on a book about the Saudi crown prince. He's Beirut bureau chief for The New York Times. And in June of 2018, he got a suspicious text message with a link. He joins us now to explain what happened next.
Welcome back to the program.
BEN HUBBARD: Yeah, thank you.
SHAPIRO: So what'd that text message say?
HUBBARD: Well, it's - you know, just like anybody who carries a cellphone and has a busy life, my phone is always, you know, spitting up notifications and things at me. And this one had a text message in Arabic that said, Ben Hubbard and the story of the Saudi royal family. And it had a link to a website called arabnews365.com. And, you know, at first, I kind of said, wow, this is interesting. This appears to be an Arabic newspaper article about me and my work. Wow, that should be interesting. And then right after that, I said, but wait a second. This thing feels very fishy. I'm not going to click on this. I'm going to try to figure out what's going on, and...
SHAPIRO: So you didn't tap the link. What did you do?
HUBBARD: Well, first, I wanted to figure out if this was an actual article. So the first thing I did was Google the alleged headline in Arabic, which didn't turn up any results, so I knew that this story didn't exist. Then I actually contacted the editor of the real Arab News newspaper, which is a Saudi English-language newspaper. And he said, no, that's not our URL. We don't own that one. So that really let me know that this - there's something fishy about this text message. Stay away from it.
SHAPIRO: How did you figure out that it was probably from the Saudis?
HUBBARD: Well, just in the context of my work, a number of months later, I was reading a report by a group called Citizen Lab, which are - who are technology researchers at the University of Toronto. And they had uncovered a case of a Saudi dissident who had been hacked in a very similar way to the way that - you know, or at least to the text message that I got.
So since I cover Saudi Arabia, I was curious about this issue. I was reading their report. And lo and behold, far down in the report, there was a list of suspicious web domains that they had uncovered as part of this hacking network. One of them was arabnews365.com. And so I said, wow, eureka - like I know exactly what this is. I got in touch with them. And I said, hey, I think I got - you know, I got a text message containing this URL. What can you tell me about it?
SHAPIRO: And what'd they say?
HUBBARD: Well, they said send us a screenshot. We'll check out the link. And they were very quickly able to confirm that this fit into the pattern that they had sorted out from their previous research.
SHAPIRO: Could they tell you what would've happened if you had clicked on the link?
HUBBARD: Well, chances are good if I had clicked on the link, it would have basically taken over my entire phone for somebody remotely to get in and see all my information. And this could have included, you know, personal photos. It could have included passwords. It could have possibly allowed them to turn on my microphone or my camera remotely just to kind of hear what I'm saying, who I'm talking to and take a peek at whatever my phone happens to be looking at.
SHAPIRO: The Saudi Embassy in Washington has called Jeff Bezos' accusations of hacking absurd. They're calling for a further investigation. Have you contacted them about your belief that they tried to hack your phone?
HUBBARD: I did. I actually got in touch with them probably about a year ago and asked them, and I never received any comment. And then more recently gave them another chance, sent them the text message and said, you know, if you want to let me know if this was you, if this was not you, you know, whatever you want to say. And I, again, this time never received a response.
SHAPIRO: Has this changed your approach to technology and your reporting in any way? Are you more cautious or suspicious now?
HUBBARD: Well, I try to be - you know, I try to be careful about what, you know, what I click on, what sorts of videos I download, what sorts of websites I visit - things like that. One of the most difficult things about this technology is that it's often difficult to know whether your device has been hacked. And even if you can determine it's hacked, it's not like you're going to look inside and find a piece of software that you can directly point to one company and that you can also know that was sent by a specific country. A lot of times, it's much - you know, the evidence is a little bit murkier and a bit more circumstantial.
SHAPIRO: Who else has received these kinds of messages?
HUBBARD: Well, the ones that Citizen Lab has been able to verify so far by name - there were four other people in addition to me who all received these kinds of attempts in a two-month period between May and June 2018. One of them was a Saudi who runs a human rights organization in Britain. Another one is a quite well-known Saudi dissident who lives in Canada and has a sarcastic YouTube show where he, you know, often sort of makes fun of the kingdom's leaders and policies. There was a researcher for Amnesty International who also received one of these links. There was another guy who has a YouTube show who is also a Saudi. And then there was me.
SHAPIRO: That is Ben Hubbard, Beirut bureau chief for The New York Times.
Thanks for talking with us.
HUBBARD: Thank you. Transcript provided by NPR, Copyright NPR.