Zero-Click Attacks Explained and Why They’re So Dangerous

Zero-click attack definition

Unlike most cyberattacks, zero-click attacks do not require any interaction from the users they target, such as For example, clicking a link, enabling macros, or launching an executable file. They are sophisticated, often used in cyber espionage campaigns, and typically leave very little trace – which makes them dangerous.

Once a device is compromised, an attacker can install surveillance software or use a much more destructive strategy, encrypting the files and holding them for ransom. In general, a victim cannot tell when and how they were infected by a zero-click attack, meaning there is little users can do to protect themselves.

How zero-click attacks work

Fueled by the fast-growing surveillance industry, zero-click attacks have become increasingly popular in recent years. One of the most popular spyware programs is NSO Group’s Pegasus, which is used to monitor journalists, activists, world leaders, and corporate executives. Although it is not clear how each victim was targeted, it is believed that at least some of them received one WhatsApp call they didn’t even have to answer.

Messaging apps are often the target of zero-click attacks because they receive large amounts of data from unknown sources without requiring any intervention from the device owner. Most often, the attackers exploit a flaw in the validation or processing of data.

Other lesser-known types of zero-click attacks have stayed under the radar, says Aamir Lakhani, cybersecurity researcher at Fortinet’s FortiGuard Labs. He cites two examples: parser application exploits (“while a user is viewing an image in a PDF or email application, the attacker silently exploits a system without requiring user clicks or interactions”) and “WiFi Proximity attacks that try to find exploits use a WiFi stack and load the exploit code into it [the] user area [in the] kernel to take over systems remotely.”

Zero-click attacks are often based on zero-day vulnerabilities unknown to the software vendor. Because the manufacturer doesn’t know they exist, they can’t issue patches to fix them, which can put users at risk. “Even very alert and aware users cannot avoid these double zero-day, zero-click attacks,” says Lakhani.

These attacks are often used against high value targets because they are expensive. “Zerodium buying vulnerabilities on the open market, pays up to $2.5 million for zero-click vulnerabilities against Android,” said Ryan Olson, vice president of threat intelligence, Unit 42 at Palo Alto Networks.

Examples of zero-click attacks

The target of a zero-click attack can be anything from a smartphone to a desktop computer to an IoT device. One of the first defining moments in her story happened in 2010 when Security researcher Chris Paget demonstrated at DEFCON18 how phone calls and text messages can be intercepted using a Global System for Mobile Communications (GSM) vulnerability, explaining that the GSM protocol is broken by design. During his demo, he showed how easy it was for his International Mobile Subscriber Identity (IMSI) catcher to intercept the audience’s cell phone traffic.

Another early zero-click threat was discovered in 2015 when the Shedun Android malware family exploited the legitimate capabilities of the Android Accessibility Service to install adware without the user having to do anything. “By gaining permission to use the accessibility service, Shedun can read the text displayed on the screen, determine if an application installation prompt appears, scroll through the permissions list, and finally press the Install button without physical interaction from the user,” acc Danger.

A year later, in 2016, things got even more complicated. A zero-click attack was implemented in the United Arab Emirates’ monitoring tool Karma, which took advantage of a zero-day found in iMessage. Karma only needed a user’s phone number or email address. An SMS was then sent to the victim, who didn’t even have to click a link to become infected.

As soon as this text arrived on an iPhone, the attackers could see photos, emails and location data, among other things. Named the hacking entity that used this tool Project Ravenincluding US intelligence hackers who helped the UAE monitor governments and human rights activists.

Towards the end of that decade, zero-click attacks began to be noticed more frequently as surveillance companies and nation-state actors began developing tools that required no action from the user. “Attacks we previously saw via links in SMS became zero-click attacks via network injection,” says Etienne Maynier, technologist at Amnesty International.

Amnesty and Citizen Lab worked on several cases involving NSO Group’s Pegasus spyware, which has been linked to several murders, including that of the Washington Post journalist Jamal Khashoggi. Once installed on a phone, Pegasus can read text messages, track calls, monitor a victim’s location, access the device’s microphone and camera, collect passwords, and collect information from apps.

Khashoggi and his family were not the only victims. 2019, A bug in WhatsApp was exploited to address civil society and political figures in Catalonia. The attack began with a WhatsApp video call to the victim. There was no need to answer the call because the data sent to the chat app was not sanitized properly. This allowed the Pegasus code to run on the target device and effectively install the spyware software. WhatsApp has since patched this vulnerability and notified 1,400 affected users.

Another sophisticated zero-click attack related to NSO Group’s Pegasus was based on a vulnerability in Apple’s iMessage. In 2021, Citizen Lab found traces of this exploit used to target a Saudi activist. This attack relies on a flaw in iMessage’s GIF parsing and disguises a PDF document as a GIF with malicious code. In his analysis About the exploit, Google Project Zero stated: “The most striking finding is the depth of the attack surface, which is reachable from what will hopefully be a fairly limited sandbox.” The iMessage vulnerability was fixed in iOS 14.8 on September 13, 2021.

Zero-click attacks don’t just target phones. In 2021, a zero-click vulnerability gave unauthenticated attackers full control over Hikvision security cameras. Later that same year, a flaw in Microsoft Teams was found to be exploitable through a zero-click attack, giving hackers access to the target device across major operating systems (Windows, MacOS, Linux).

How to detect and mitigate zero-click attacks

Realistically, it’s pretty difficult to know if a victim is infected, and protecting yourself from a zero-click attack is almost impossible. “Zero-click attacks are a lot more common than we thought,” Maynier says. He recommends potential targets encrypt all their data, update their devices, use strong passwords and do whatever they can to protect their digital lives. There’s something else he tells them: “Bear in mind that you could be compromised and adapt accordingly.”

Still, users can do a few things to minimize the risk of being spied on. The easiest way is to restart the phone regularly if you own an iPhone. Amnesty experts have revealed that this could potentially prevent Pegasus from working on iOS – at least in the interim. This has the benefit of disabling any running code that hasn’t achieved persistence. The downside, however, is that restarting the device can erase signs of infection, making it much more difficult for security researchers to determine if a device has been compromised with Pegasus.

Users should also avoid jailbreaking their devices as this removes some of the security controls built into the firmware. Furthermore, since they can install unverified software on a jailbroken device, they are open to installing vulnerable code that could be a prime target for a zero-click attack.

As always, good safety hygiene can help. “Segmentation of networks, applications, and users, use of multi-factor authentication, use of strong traffic monitoring, good cybersecurity hygiene, and advanced security analytics can prove slowing or mitigating in certain situations,” says Lakhani. “[These] will also make post-exploitation activities more difficult for attackers, even if they are compromising [the] systems.”

Maynier adds that high-profile targets should separate data and have a device only for sensitive communications. He recommends users “keep as little information on their phone as possible (disappearing messages are a very good tool for this)” and keep it out of the room when having important personal conversations.

Organizations such as Amnesty and Citizen Lab have published guides instructing users to connect their smartphone to a PC and check if they have been infected with Pegasus. The software used for this, the Mobile Verification Toolkit, relies on well-known ones Indicators of compromise such as cached favicons and URLs in SMS messages. A user does not need to jailbreak their device to run this tool.

Additionally, Apple and WhatsApp have been sending messages to people who may have been the target of zero-click attacks aimed at installing Pegasus. After that, some of them turned to organizations like Citizen Lab to further analyze their devices.

However, technology alone will not solve the problem, says Amnesty’s Maynier. “It’s ultimately a matter of politics and regulation,” he adds. “Amnesty, EDRi and many other organizations Call for a global moratorium on the use, sale and transfer of surveillance technology until there is an adequate human rights legal framework that protects human rights defenders and civil society from the misuse of these tools.”

Policy responses need to cover different aspects of this problem, he says, from export controls to mandatory human rights due diligence for companies. “We need to stop these widespread abuses first,” Maynier added.

Copyright © 2022 IDG Communications, Inc.

About Willie Ash

Check Also

Don’t commit yourself! Here are solid alternatives for Apple’s weaker software

One of the best things about Apple’s Macintosh computers is that they come with a …