Zero-click attacks

There’s a good chance you’ve heard of zero-day attacks before. And those attacks are bad enough. But there’s even worse: zero-click attacks.

Zero-click attacks are cyberattacks that don’t require user intervention as a trigger. The attack is automatically and usually invisibly executed as soon as the code hits your device. Zero-clicks are nasty attacks we should all be aware of, so we can at least attempt to steer clear of them.

This post looks at what zero-click attacks are, how they work, and what you can do to mitigate them.

What is a zero-click attack?

Many of the more successful cyberattacks rely on phishing – fooling the victim into divulging a piece of sensitive information or opening an email, or clicking on a link. The point is that the victim must do something for the attacker to pull off the cyberattack. But zero-click attacks, as their name states, require zero user intervention.

Indeed, these types of attacks don’t need to employ social engineering tactics to fool the victim and trigger the attack. No trigger is required. As long as the zero-click vulnerability is present on the target system, the attackers can walk right in.

Because of that, zero-click vulnerabilities are considered the crown jewels of vulnerabilities, and both legitimate software vendors and shady hacker groups are willing to pay millions of dollars for their private disclosure.

Email and messaging applications tend to be the go-to targets of zero-click attacks. These apps constantly parse the data they receive in order to decide whether it is valid and trusted, and vulnerabilities in these parsing and evaluation mechanisms are often what make zero-click attacks possible. The more complex the application, the larger the attack surface for zero-click vulnerabilities.

The vulnerabilities themselves could be anything – what defines a zero-click vulnerability/attack isn’t the exploited vulnerability itself but rather the fact that the attack doesn’t require any user interaction to be successful.

How do zero-click attacks work?

Here’s how a hypothetical zero-click attack could work:

  1. Bad actors identify a vulnerability within a mail or messaging application.
  2. The bad actors exploit the vulnerability by sending a meticulously crafted message to the target device. Attackers often use specially formed data, like a hidden text message or a pixel, to inject compromising code onto the device. But it could also be an authentication request, a voicemail, a video conferencing session, or even a phone call. Any of the above can be a vector to exploit a vulnerability in an application that processes and evaluates data.
  3. The vulnerability allows the attackers to infect the device remotely with malware, spyware, trojans, etc. – whatever they fancy.
  4. Once the device is infected, attackers can typically access the device’s contents, gain complete control over it, or even impersonate the owner and send messages on their behalf.
  5. By the time the victim realizes they’ve been attacked, it’s too late. The attack has already happened. And there’s likely no trace of the attacker’s compromising message on the device at this point.

As stated above, the specifics of a zero-click attack are difficult to pin down. They depend on the vulnerability being exploited and what the attacker is after. But they still tend to follow the same general structure illustrated above.

Real-world examples of zero-click attacks

Zero-click attacks may be rarer than other cyberattacks, but they’re far from hypothetical. Below are a few real-world examples of zero-click attacks.

Apple

In 2021, researchers at Citizen Lab discovered a zero-day exploit being used on a Bahraini human rights activist. The activist’s iPhone had been hacked by nation-state-level spyware. The exploit neutered Apple’s typically strong security.

When Citizen Lab, a leading internet watchdog based in Toronto, analyzed the activist’s iPhone 12 Pro, they found that a zero-click vulnerability enabled the hack. The zero-click attack was built upon a previously unknown security vulnerability in Apple’s messaging service, iMessage. By exploiting the vulnerability, attackers could push Pegasus spyware, developed by Israeli firm NSO Group, to the activist’s phone.

This hack was a pretty big deal, as reflected by the significant news coverage it received. It was able to subvert Apple’s latest – at the time – iOS versions (iOS 14.x), which had been released only a short time earlier. The attack was able to defeat “BlastDoor” – one of Apple’s security features built into iOS to filter malicious data sent through the iMessage platform and, at least in theory, prevent these kinds of attacks. The attack was dubbed “ForcedEntry” because of its ability to enter the “BlastDoor.” Apple patched the vulnerability in a subsequent software update shortly after the discovery.

WhatsApp

In 2019, WhatsApp was found to be vulnerable to a zero-click attack. The attack was triggered by a missed call, which could exploit a flaw in WhatsApp’s source code. Combining a zero-day exploit (a previously unknown and unpatched vulnerability) with the zero-click vulnerability let the attacker embed spyware in the data exchanged between the two devices as a result of the missed call. Once loaded, the spyware disguised itself as a legitimate background resource, granting the attacker access to the data stored on the victim’s phone.

This attack was attributed to Israeli firm NSO Group, as in the Apple example above.

Jeff Bezos

In 2018, Amazon CEO Jeff Bezos had his text messages, instant messages, and potentially even voice recordings captured with the iPhone’s microphone after receiving a WhatsApp message from Crown Prince Mohammed bin Salman of Saudi Arabia. Clearly, you should make sure to trust your friends before giving them your WhatsApp handle. The WhatsApp message included a video containing malicious code that enabled the sender to funnel information from the victim’s phone. Bezos’s iPhone was compromised in this way for several months.

Can you know if you’ve been “zero-clicked?”

First, I should mention that zero-clicks are very high-value vulnerabilities. They tend to be used in targeted attacks against high-profile targets. The odds of a “regular user” being attacked this way are pretty low.

Still, if you end up falling victim to a zero-click attack, it’s going to be very difficult to detect. These exploits are stealthy and quiet. Remember, they don’t require any user intervention at all to succeed. And because the attackers have control of all the processes running on the phone, they often simply delete the message that initially infected the device, removing all traces of their presence.

You might be able to figure it out by going over your phone’s network logs and looking for outlying IP addresses or domains. But that’s not a trivial undertaking; most people don’t have the know-how or resources to do this. Once your phone is infected with a zero-click exploit, there’s not much you can do short of wiping the device and purchasing a new one.
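One way to do the kind of network-log review described above: compare each app’s destinations against a baseline of where it normally connects and flag unfamiliar hosts and unusually large uploads. This is an added example, not code from the original post; the log format, the sample lines and the per-app baseline are all constructed for illustration, and real phone logs (from a DNS or VPN logger) will look different.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real captures): timestamp, process, destination, bytes sent.
# The format is an assumption for this example; adapt LINE_RE to your logger's output.
SAMPLE_LOG = """\
2021-08-01T09:00:01 Messages -> gateway.icloud.com out=1820
2021-08-01T09:00:07 Messages -> gateway.icloud.com out=2201
2021-08-01T09:01:10 Mail -> imap.gmail.com out=4100
2021-08-01T09:02:00 Messages -> cdn-static-8a1f.example-host.net out=3145728
2021-08-01T09:02:30 Messages -> cdn-static-8a1f.example-host.net out=5242880
2021-08-01T09:03:00 Mail -> imap.gmail.com out=3900
"""

# Constructed baseline: destinations each app is normally seen talking to.
BASELINE = {
    "Messages": {"gateway.icloud.com"},
    "Mail": {"imap.gmail.com"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) -> (?P<dst>\S+) out=(?P<out>\d+)$"
)

def parse_log(text):
    """Yield (timestamp, process, destination, bytes_out) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["proc"], m["dst"], int(m["out"])

def find_outliers(text, baseline, byte_threshold=1_000_000):
    """Return sorted, de-duplicated (process, destination, reason) tuples for anomalies."""
    findings = set()
    upload = defaultdict(int)
    for _, proc, dst, out in parse_log(text):
        # Any destination the app has never been seen contacting is worth a look.
        if dst not in baseline.get(proc, set()):
            findings.add((proc, dst, "destination not in baseline"))
        upload[(proc, dst)] += out
    # Large outbound volume from a messaging app is a classic exfiltration tell.
    for (proc, dst), total in upload.items():
        if total >= byte_threshold:
            findings.add((proc, dst, f"large outbound volume ({total} bytes)"))
    return sorted(findings)

if __name__ == "__main__":
    for proc, dst, reason in find_outliers(SAMPLE_LOG, BASELINE):
        print(f"{proc:9} {dst:40} {reason}")
```

A hit on either rule is a starting point for investigation, not proof of compromise; build the baseline from a period you have reason to believe was clean.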

What can you do to mitigate zero-click attacks?

While the above may sound disheartening, it simply means that once you’re infected with a zero-click exploit, you’re pretty much cooked. But that doesn’t mean there’s absolutely nothing you can do to avoid such attacks. You can do a few things, but they aren’t specifically tailored to zero-click attacks – most are more common sense measures you should be taking anyway.

  • Ensure your operating system, firmware, and applications on all your devices are up to date. And always install security updates as soon as they’re available.
  • Unless you really know what you’re doing, only download applications from the official stores. Their app-vetting process can definitely keep everyday users safer.
  • Uninstall any applications you don’t use from all your devices – especially messaging apps.
  • You should also steer clear from “jailbreaking” or “rooting” your phone. It disables many of the security measures built into iOS and Android.
  • Enable your device’s password protection/facial recognition/fingerprint scanner for better security.
  • Use multi-factor authentication to access your accounts.
  • Set robust passwords for your logins (long, random, and unique passwords).
  • In case the above didn’t make it obvious, never reuse the same password for multiple accounts.
  • Make regular backups of all your devices. If any of your devices are ever compromised, you’ll be happy to know that you can restore them to an uncompromised state.
  • Block web browser pop-ups. And if they happen to pop up despite that, don’t click on them. Ever. Bad actors often use pop-ups to spread malware.
  • Use a firewall. All major operating systems have a built-in incoming firewall, and all off-the-shelf commercial routers provide a built-in NAT firewall. Make sure these are enabled. They could make all the difference in the world if you ever click a malicious link.
  • Use an antivirus program. And make sure only to buy genuine, well-known, and reviewed antivirus software from legitimate vendors. Always keep your antivirus application updated and configure it to run scans regularly.
  • Don’t open attachments in emails unless you know who the sender is and have confirmed with them that they sent you the email in question and are aware of the attachment (and what it is).
  • Don’t click links (URLs) in emails unless you know who sent the URL, what its destination is, and that the sender is not being impersonated. Even then, scrutinize the link carefully. Check the link for incorrect spelling (e.g., faceboook instead of facebook or goggle instead of google). If you can reach the destination without using the link, do that instead.
  • Another good tip, especially if you work in a sensitive field that might raise your odds of being a target, is to use two smartphones – one for work and the other for your personal life. Segmenting your identity in that way can provide some mitigation relative to zero-click attacks.

Wrap Up

So that was a bird’s eye view of zero-click attacks. The bad news is that we have limited defenses against these attacks. But the good news is that the odds of falling victim to one are actually quite low, given that these high-value exploits tend to be reserved for high-value targets (i.e., politicians, activists, CEOs, etc.).

Still, you should follow the above advice and be mindful of where you happen to end up on the internet. I said it before, and I’ll say it again: the internet is a hostile place. Treat it as such.

As always, stay safe.