Surgeon David Nott claims his laptop was targeted after he was broadcast video-calling medics on Skype.
Last week, a celebrated British doctor claimed he was hacked after suspected Russian warplanes targeted a Syrian hospital he was supporting online.
David Nott gave remote instructions to Syrian medics via Skype and WhatsApp as they performed surgery in an underground hospital.
Nott, who is based in London, has dedicated much of his time to aiding medics in conflict zones, even winning a Pride of Britain award for his work.
But he claims his laptop was hacked and the details of the secret hospital were stolen, after the facility was bombed by enemy warplanes.
Nott was filmed by BBC Newsnight video-calling one surgeon. The footage was broadcast on TV and online, which the surgeon believes led to his laptop being targeted.
The doctor’s comments spread rapidly after the story was published by the Telegraph, with even the UK tabloids reporting on it.
But all may not be as it seems, claims one security researcher.
It was more likely the fact that the BBC broadcast the Syrian medic’s phone number than a laptop hack that revealed the hospital’s GPS coordinates, claims analyst Graham Cluley.
During the video session, which the BBC filmed through Nott’s computer, the phone number belonging to the medic based in Aleppo was shown in full.
The attackers were more likely to have used this to pinpoint the location of the makeshift hospital, Cluley commented, than to have hacked the London doctor’s laptop.
Cluley wrote: “Clearly that phone number should not have been broadcast. Although it’s quite likely that the hospital’s bombing had nothing to do with the ‘Newsnight’ report, and that Mr Nott’s computer and Skype account were not hacked, it’s not entirely implausible that a determined intelligence agency might have used a different route to determine the operating theater’s location.
“For instance, if I wanted to know precisely where the Syrian surgeons were, I might be tempted to infect the smartphone which has that number, rather than the British consultant.
“I think that would be a good deal more straightforward, and could result in much more reliable information about someone’s location than an IP address.”
Tracking a phone number is by far the easier and more accessible way to find someone – especially if, as has been claimed, Russia was behind the attack.
The phone could have been tracked by accessing the mobile base station, which receives all incoming and outgoing calls within the area.
This method is commonly used by law enforcement to track a suspect.
But it could also be done by an ordinary citizen using a fake mobile base station, which can intercept calls for as little as $1,500.
And the simplest but most effective way? By infecting the phone via a phishing scam.
An attacker could easily send a message to the phone number with a malicious link, which could then plant a tracker on the device.
Of course, this method isn’t foolproof, as it requires a convincing message to encourage the victim to click the link.
And this kind of method could also be used to target laptops such as Nott’s, by tricking him into downloading malware to steal data – and possibly the medic’s phone number.
The question of whether the bombing of the hospital was linked to Nott has also been raised.
Cluley claims that the hospital was targeted before Nott’s interview was broadcast, and so the bombing could have nothing to do with him.
The BBC is also playing this card and claims that its Newsnight show had nothing to do with the incident.
A spokesperson commented: “The bombing of the M10 hospital in Aleppo was a tragedy, but we haven’t seen any evidence to suggest that the attack was linked to the Newsnight report or the many other media stories about the work of David Nott and the doctors in the hospital.
“The hospital had already been targeted many times before our report, and the suggestion of such a link remains purely speculative.”
The video in question was removed from the BBC website last week, after Nott’s claims surfaced.
As a precaution, the British Red Cross confirmed it is providing security training to all of its staff, to minimize the future risk of a hack.