The world of cybersecurity is constantly evolving, with new threats emerging almost daily, making it difficult for the average person to keep up. My job is to ensure that everyone in my circle and those who follow my blogs and social posts are aware of the common and relevant threats they could fall victim to if they don’t take action.
One of the threats I want to highlight today is zero-click attacks. Zero-click attacks are not particularly new and have existed since the early 2010s. However, they have become more prevalent in recent years, so I want to shed more light on them today. If you’re keen to learn more about zero-click attacks and how to protect yourself, keep reading. Let’s start things off with the basics.
What Are Zero-Click Attacks?
Just like the name suggests, a zero-click attack is a type of cyberattack that requires no action from the victim. Unlike traditional attacks that rely on phishing emails or malicious downloads that require users to click on links or files, zero-click exploits can compromise a device without the user clicking a link, opening a file, or installing software.
These attacks exploit software or hardware vulnerabilities to execute malicious code without user involvement. Since zero-click attacks don’t need any action from the user, even cybersecurity-aware users can be affected.
How Zero-Click Attacks Work
As stated earlier, zero-click attacks exploit software or hardware vulnerabilities to execute malicious code remotely. These vulnerabilities, often zero-days that are unknown to the software vendor at the time of the attack, exist in operating systems, messaging apps, or communication protocols. Attackers exploit these security flaws to deliver malware that takes control of some of the device’s features without the user’s knowledge.
Common Attack Vectors
Some of the common attack vectors or paths that attackers use to execute zero-click attacks include:
- Messaging Apps (iMessage, WhatsApp, Signal, Telegram): Messages with hidden malicious code can exploit system flaws.
- Emails with Rich Media: Attackers can create email attachments or previews that can trigger vulnerabilities in email clients.
- Multimedia Files: A maliciously coded image, video, or audio file can be enough to exploit a device’s rendering process.
- Wi-Fi Exploits: Attackers can inject malicious packets into a device via unpatched Wi-Fi vulnerabilities if they get access to the network that the target device is connected to.
Why Zero-Click Attacks Are So Hard to Stop
- The Sophistication of Attackers: Many zero-click attacks are carried out by nation-state actors or highly skilled cybercriminals with advanced resources. These attackers also often use custom malware designed specifically for the target’s device, making detection harder.
- Challenges in Detecting and Patching Vulnerabilities: Unlike traditional malware infections, zero-click exploits don’t leave clear traces. The malware often self-destructs or operates in memory to avoid detection. Most of the vulnerabilities that lead to zero-click attacks aren’t known until after an attack, so companies like Apple, Google, and Microsoft must race to identify and fix them.
Who Is at Risk?
Zero-click attacks often target high-value individuals, but they are not limited to governments or corporations—anyone can be a victim. High-profile individuals like government officials, journalists, and executives are prime targets for espionage and surveillance.
Businesses, especially in finance, tech, healthcare, and defense, are also prime targets for zero-click attacks. However, everyday users aren’t immune, especially if attackers find a common vulnerability in an app or operating system that is easy to exploit.
Real-world Examples of Zero-Click Attacks
Some real-world examples of zero-click attacks include:
Pegasus Spyware Developed by NSO Group
Pegasus is a military-grade spyware that can infect devices without any user interaction. Attackers send an invisible, malicious message via WhatsApp or iMessage, exploiting software flaws to install spyware. It is commonly used by governments to monitor activists, journalists, and political opponents. Once installed on the device, it can record calls, access messages, track location, and even turn on cameras/microphones.
Apple iMessage Zero-Click Vulnerabilities
Apple’s iMessage has been a major target for zero-click attacks due to its complex media processing features. In 2021, Citizen Lab reported that iPhones were infected with Pegasus using an iMessage exploit called FORCEDENTRY. Apple subsequently patched several zero-day vulnerabilities in iMessage in iOS 14 and 15 after they were used in real-world attacks.
Android Exploits Used by State-Sponsored Hackers
Android devices have also been targeted by zero-click exploits, particularly those using vulnerabilities in messaging and multimedia apps. For example, in 2020, Google’s Project Zero team discovered zero-click vulnerabilities in Android’s graphics processing system that could be exploited remotely. Journalists and dissidents in the Middle East and Asia were reportedly targeted by state-backed hacking groups using these exploits.
Best Practices to Protect Yourself from Zero-Click Attacks
Now that we know how zero-click attacks work and how they are executed, let’s explore the best practices you can implement to protect yourself:
Keep Software and Devices Updated
Install the latest security patches and updates for your OS and apps. Consider enabling automatic updates to ensure vulnerabilities are patched as soon as possible. Avoid using outdated or unsupported devices, as they may have unpatched security flaws.
Use Strong Security Settings for Messaging and Email Apps
For example, you can enable disappearing messages in the apps that support them to reduce exposure to stored data. You should also consider using encrypted email services like ProtonMail or Tutanota to minimize attack risks.
Disable Unnecessary App Permissions
Restrict access to sensitive device features (microphone, camera, location, etc.). Turn off auto-download features in messaging apps to prevent malicious files from executing automatically. You should also use app permission managers (built into Android and iOS) to audit which apps have access to critical functions.
Take Advantage of Security Features on Your Device
Google, Apple, and Microsoft have done a good job of providing users with more security features to protect themselves. For instance, iOS has a Lockdown Mode feature that, when turned on, restricts certain device functions to reduce the attack surface. For example, most message attachments are blocked, some web technologies are disabled, and incoming FaceTime calls from unknown contacts are prevented.
Google also offers the Advanced Protection Program, which does almost the same thing for Android. You can take advantage of these features if you think you are in danger of facing sophisticated attacks.
Avoid Installing Unverified Apps
Download apps only from official stores (Google Play, Apple App Store) and avoid third-party APKs as much as you can. Regularly review app permissions and uninstall apps that ask for unnecessary access beyond what they need to function. If the need arises, you can use sandboxing tools like Shelter (for Android) or virtualized environments for testing untrusted apps.
Regularly Restart Your Device
Some zero-click exploits run only in memory (RAM) and don’t persist after a device reboot.
Apple has specifically recommended restarting iPhones regularly to remove certain types of zero-click malware infections.
Avoid Using Public Wi-Fi Networks
Public Wi-Fi networks can be vulnerable, and your device could be affected if an attacker targeting you gains access to the public Wi-Fi network you are connected to. You should also consider disabling automatic connection to Wi-Fi networks to avoid rogue access points that exploit device vulnerabilities.
Key Takeaway
Zero-click threats have become increasingly common in the past few years, and any of us could be victims if we don’t take action. As mentioned in this article, these are highly sophisticated attacks designed to target specific individuals of interest. However, any of us could fall into that category, which is why it is crucial to take protective measures, such as regularly updating your devices and using secure apps.
If any of your devices, such as a laptop, tablet, or phone, no longer support the latest operating system, it is advisable to upgrade to a newer device. Older devices may have known vulnerabilities that attackers could exploit to steal your data or take control of your device.