As internet users, we are always told to stay extra vigilant when clicking on links and email attachments and to abide by the best security practices. While this advice applies to most cyberattacks, it, unfortunately, cannot protect us from the ruthless zero-click attack.
Zero-click attacks infiltrate devices and systems without warning and without any human interaction, making them extremely hard to detect and defend against.
But is a zero-click attack the same as a zero-day attack? And what makes it significantly more dangerous than mainstream attacks? Read on to find out.
What Is a Zero-Click Attack?
Not all cyberattacks are equal or require a user blunder to proliferate. As the name implies, a zero-click attack takes place with “zero” mouse clicks, key presses, or user interactions.
Hackers mainly gear these attacks towards abusing vulnerabilities that already exist in software or a messaging app. Sometimes hackers sell these vulnerabilities on the black market, or companies will offer generous rewards to those who find them.
Zero-click attacks are a personal favorite of attackers as they don’t require any social engineering tactics to persuade the victims into clicking malicious links or attachments. They also don’t demand any interaction with the victims, making it extremely hard to track the attackers.
How Does a Zero-Click Attack Work?
Zero-click attacks mostly target apps that provide messaging or voice calling capabilities, such as WhatsApp or iMessage, since these services receive and parse data from unknown sources.
Hackers specially craft a piece of data such as a hidden text message, email, voicemail, or image file and deliver it to a target device over a wireless connection using Wi-Fi, NFC, Bluetooth, GSM, or LTE. Delivering this data then triggers an unknown vulnerability at the hardware or software level.
Zero-click attacks are notorious for targeting iPhones and iPads, and the vulnerability has existed since September 2012, when Apple first released the iPhone 5 with iOS 6.
What Makes a Zero-Click Attack So Dangerous?
Zero-click attacks are highly sophisticated. Advanced and well-funded hackers develop them to leave no trace behind, making them all the more dangerous. A zero-click email attack, for instance, can copy the entire inbox before deleting itself.
Needless to say, a zero-click attack takes security threats to a whole new level. Here are some reasons why zero-click attacks are much more lethal than mainstream cyberattacks:
- Zero-click attacks do not require a victim to click a link, download an attachment, or stumble on a malware-laced website. Since everything happens behind the scenes, the users are completely unaware.
- The attackers do not need to waste time setting up an elaborate trap or bait to lure victims into performing a task. This expedites the proliferation of a zero-click attack.
- Zero-click attacks install specifically targeted tracking tools or spyware on the victim’s devices by sending a message to a user’s phone that produces no notification. Users do not even need to touch their phones for infections to begin.
- These attacks mostly target people in power or with knowledge of cybersecurity, as attackers can’t trick them into clicking malicious links.
- Zero-click attacks do not leave behind any traces or indicators of compromise.
- Zero-click attacks employ the most advanced hacking techniques which can bypass any endpoint security, antivirus, or firewall system.
Besides the above-mentioned reasons, zero-click attacks thrive on the ever-growing use of mobile devices by taking advantage of network coverage, Wi-Fi vulnerabilities, and the availability of valuable data.
Along with being deceptive, these attacks are also expanding rapidly with the growing use of technology.
Are Zero-Click and Zero-Day Attacks the Same?
Most people confuse zero-click and zero-day attacks. While “zero” is the common denominator here, the two terms mean mostly different things.
A zero-day attack happens once attackers exploit a software or hardware vulnerability and release malware before a developer has an opportunity to create a patch to fix the vulnerability.
A zero-click attack, as we’ve already discussed, requires zero clicks or interactions to take place. However, there is still a correlation between the two types of attacks because zero-click attacks sometimes exploit the most deep-seated zero-day flaws to carry out their attack.
To put it simply, since zero-day flaws are not yet known to developers, zero-click attacks take advantage of that, carrying out exploits that are hard to detect or research.
Is Pegasus Spyware a Zero-Click Attack?
In September of 2021, Toronto-based The Citizen Lab announced the discovery of a zero-click attack that allowed hackers to install Pegasus malware on victims’ devices including iPhones, iPads, MacBooks, and Apple Watches.
This most recent case of Pegasus zero-click malware was discovered in Apple’s iMessage service.
Attackers transfer the Pegasus malware using a malicious PDF that automatically executes code, turning the infected device into a listening device. Fortunately, Apple has since patched this vulnerability in iOS 14.8/iPadOS 14.8 for iPhones and iPads, and in watchOS 7.6.2 for the Apple Watch Series 3 and later.
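The patch levels named above can be checked across a device inventory. The following is an added example, not part of the original article: device names and versions are constructed, and macOS is reported as having no baseline because the article gives no fixed macOS release.

```python
import re

# Minimum patched releases exactly as stated in the article above.
# macOS is deliberately absent: the article names MacBooks as affected
# but gives no fixed macOS version, so none is assumed here.
PATCHED = {"iOS": (14, 8), "iPadOS": (14, 8), "watchOS": (7, 6, 2)}

def parse_version(text):
    """Turn '14.7.1' into (14, 7, 1); reject anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_patched(version, baseline):
    """Compare numerically, padding with zeros so 14.8 equals 14.8.0."""
    width = max(len(version), len(baseline))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(baseline)

def audit(inventory):
    """Return {device: 'patched' | 'needs-update' | 'no-baseline' | 'bad-version'}."""
    results = {}
    for name, platform, version in inventory:
        baseline = PATCHED.get(platform)
        if baseline is None:
            results[name] = "no-baseline"      # platform not covered by the article
            continue
        try:
            ok = is_patched(parse_version(version), baseline)
        except ValueError:
            results[name] = "bad-version"      # never treat unknown as patched
            continue
        results[name] = "patched" if ok else "needs-update"
    return results

# Constructed sample inventory (hypothetical device names and version strings).
SAMPLE = [
    ("exec-iphone", "iOS", "14.7.1"),
    ("legal-iphone", "iOS", "14.10"),   # a plain string compare would rank this below 14.8
    ("lobby-ipad", "iPadOS", "14.8"),
    ("ceo-watch", "watchOS", "7.6.1"),
    ("press-macbook", "macOS", "11.5"),
    ("lab-iphone", "iOS", "unknown"),
]

if __name__ == "__main__":
    for device, status in audit(SAMPLE).items():
        print(f"{device:14} {status}")
```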
Tips to Protect Yourself Against Zero-Click Attacks
Unfortunately, due to the invisible nature of zero-click attacks, it is quite impossible to protect yourself against them. But the good news is that these types of attacks mostly target high-profile personalities for political espionage or financial reasons.
Even though you can’t mitigate zero-click attacks, the following tips can help minimize the risk:
- Always keep your devices, applications, and browsers up to date.
- Signs like your phone heating up, the screen not loading, or calls getting disconnected can sometimes be related to zero-click attacks. So keep an eye out for such erratic behavior.
- Invest in robust anti-spyware and anti-malware tools.
- Always use a VPN when connecting to the internet in public or unknown places.
- For organizations, hiring external cybersecurity experts or bug bounty hunters can help you detect loopholes and weak points.
- If you’re a smartphone manufacturer or software developer, then you should meticulously test your products against vulnerabilities before releasing them to the public.
- Avoid jailbreaking a device. Along with being a risky practice, it can also increase a device’s vulnerability to remote attacks due to the installation of applications that aren’t on the official app store or play store.
- When installing a new app, carefully read the fine print and examine the permissions that it requests.
The fact that zero-click attacks require no human interaction should not deter you from trying your best to mitigate the risks. As a user, you should do everything in your power to make sure hackers cannot exploit your devices easily.
Keep Ahead of Zero-Click Attacks With Software Updates
While there is no guarantee of protection from zero-click attacks, the most effective way to curtail the risk is by keeping everything up to date.
Most software companies conduct code reviews among developers to minimize vulnerabilities in their products before release. Developers eventually patch zero-click exploits in newer versions and releases.
In the battle against zero-click attacks, the only way to emerge victorious is to keep up with the latest developer updates.