Last year, a 16-year-old Mexican schoolboy received an unsolicited text message making crude sexual taunts.
The text attempted to lure him into clicking on a link at the bottom of the message. Had he clicked on the link, his smartphone would have been secretly compromised, allowing those targeting him to monitor everything he did, steal login details, upload his contacts list and even spy on him through his phone’s own microphone and camera.
Whoever sent the message was using an incredibly sophisticated piece of spyware created by an Israeli company called NSO Group, which says it only sells its tools to governments and law enforcement agencies around the world. It is designed to track and monitor terrorists and other high-profile criminals.
The campaign targeting 16-year-old schoolboy Emilio Aristegui was part of a broader campaign against his mother Carmen Aristegui, a prominent investigative journalist, and 9 other journalists and activists in Mexico, according to a report released this week by researchers at the press freedom organisation Article 19 and Citizen Lab at the University of Toronto.
The researchers say they have no conclusive evidence attributing these messages to specific government agencies in Mexico. However, circumstantial evidence suggests that one or more of NSO’s government customers in Mexico are the likely operators.
Why we should care
Many people on this side of the Atlantic reading this report may be shocked to hear of a government using spying tools to hack the smartphones belonging to activists and journalists. At the same time, most people will likely shrug their shoulders and say: “Sure why would anyone want to spy on me, I’ve got nothing to hide?”
The “I’ve got nothing to hide” argument has been around for a long time, and echoes the “if you have nothing to hide, you have nothing to fear” line which became a sort of mantra for the 1984-esque CCTV monitoring of British citizens.
But this is not about having something to hide, it is about privacy. There are many things we all do every day which we don’t want most people knowing about: How often did you go to the toilet today? Did you have sex today? Did you look up something online you wouldn’t tell your family or friends about?
We are all entitled to a private life, and that goes for our digital lives as well as our offline lives. And so, we should all be concerned about hyper-sophisticated tools like those from the NSO Group being used against a 16-year-old boy.
The simple fact of the matter is that if you have enough resources, then you can pretty much hack into anything as long as it is connected to the internet. The problem for you and me is that the cost of compromising our lives is dropping precipitously and the barrier which criminals have to hurdle to find out the most intimate details of our lives is getting lower and lower.
How to protect yourself
With such powerful tools available, the question arises, is there anything I can do to protect myself? The short answer is not really. If a committed adversary really wants to hack into your smartphone, then they will likely be able to succeed.
However, that doesn’t mean you should just give up completely and surrender your digital life to anyone who wants to take a look.
Here are some basic ways to harden your online security to make what you do more private:
1. Stop giving away all your information
If an online service doesn't charge you anything, then you are the product. Google, Facebook, Twitter all use your data as payment.
When you sign up they require a minimum level of information, but ask for a whole lot more. If you don’t want Facebook knowing when your birthday is, then don’t tell it. If you don’t want Google to know what your favorite pet is, don’t tell it.
Oversharing of information is rife today on social media, and while we may blame Facebook and Snapchat, the real culprit is ourselves. If you don’t want anyone to know about it, just don’t share it.
2. Use the Tor browser
The Tor Browser is a modified version of the Firefox browser which anonymizes your identity by routing your traffic through multiple nodes of the Tor network (Tor is short for The Onion Router), so that no single node knows both where the traffic is coming from and where it is going. Often associated with the dark web, it is not just a tool for criminals, but one that can be used by anyone who values their privacy.
3. Use VPNs
Just like Tor, a virtual private network or VPN will anonymise your identity online. But while Tor is only for browsing websites, VPNs can be used to cloak all your online activity on your smartphone, laptop or desktop PC. The good ones — like TorGuard or Private Internet Access — are not free, however.
4. Don’t eat the cookies
Third-party cookies are the little bits of data websites store in your browser to track your movements online. They are the reason why Facebook will show you adverts for the nappies you were just looking at on Amazon.
Now every major browser offers the ability to turn off tracking cookies. It won’t stop the more determined companies tracking you, but it does shut down the most common vector used by advertisers to build usage profiles.
5. Patch, patch, patch
Keep your software up to date. One of the easiest ways for any hacker to compromise your system is to use vulnerabilities in older versions of software. So whether it’s iOS, Android or Windows, always make sure you have installed the latest version available to you.
6. Free Wi-Fi may not be your friend
We all love connecting to free Wi-Fi, particularly when we’re travelling. But this is one of the easiest methods for hackers to compromise a lot of people’s data in a very short space of time. Make sure the network you are connecting to is safe, particularly in locations like airports and train stations.
7. Use encryption
Wherever possible, use encrypted messaging services. Thankfully apps like WhatsApp and iMessage now use encryption by default, which means if someone intercepts your messages they won’t be able to see what you are saying. You can also encrypt your emails, though it’s not as easy to do. Here’s a good guide, plus Google says it’s working on baking encryption directly into Gmail soon.
8. Make sure the page is secure
If you are ever sharing sensitive information, such as credit card details, make sure there is a green padlock symbol up in the address bar.
This means that your connection to the website is encrypted, so no one intercepting the traffic can see your login or payment details.