A “zero-click attack” sounds ominous, but are you and your equipment at risk? Let’s take a look at what a zero-click attack is, why they’re so concerned, and what you can do to protect yourself.
What are zero-click attacks?
As the name implies, a zero-click cyber attack can compromise a device without any action on the part of its owner. While other attack methods—phishing or smishing, for example—rely on social engineering to trick people into clicking on bad links or launching seemingly legitimate downloads, zero-click attacks use existing vulnerabilities in operating systems. To get it completely.
These should not be confused with zero-day attacks, which are vulnerabilities that are being actively exploited and need to be fixed immediately, but require user action to run. ZeroClick The attacks allow access to the device without the user taking any action, potentially trapping even the most tech-savvy people.
The most notable zero-click attack of late is Pegasus Software from the Israeli firm NSO Software. It’s been in the spotlight for years, with the University of Toronto’s Citizen Lab uncovering attacks on iOS and Android devices in 2018 and again in 2021. Although NSO denies any wrongdoing, Citizen Lab says Pegasus is used by customers to spy on activists and other high-profile hackers. Officer. In December, Google’s Project Zero team published a technical analysis of the so-called FORCEDENTRY exploit that was used by NSO Group to infect targeted iPhones with its Pegasus spyware via iMessage.
Zero-click attacks are so deadly because they are basically invisible; All an attacker has to do is send it to their phone or device—no clicks or taps needed on your part. Victims are usually unaware that anything is happening, so attackers can take their time getting around your device.
As security researcher David Balban said for IT Governance: “From a male factor standpoint, the beauty of a zero-click attack is that they don’t have to channel their efforts into social engineering or ‘spray and pray’ practices (as recently). No need to boil down to COVID-19-themed phishing with a low success rate).
How does Zero-Click Attack work?
Zero-click attacks exploit existing flaws in the data-verification functions of apps and operating systems. Any system that parses data to see if that data can be trusted is vulnerable to a zero-click attack. Attackers send bad code via email or messaging apps inside something that appears innocuous to the system, such as a PDF, hidden image, or text message.
A real-world example of this could be a vulnerability in the email messaging app on your phone. If a malicious hacker discovers a vulnerability, all they have to do is send you an email message containing their bad code. Once the email is received, that code is activated and infects the target phone, giving the hacker access to all the email on your device. Even if the original email is deleted, the infection persists. And since we all delete emails that we haven’t read or recognized, chances are your phone won’t be left with any trace of the attack for a very long time.
Security measures designed to protect users can actually aid in zero-click attacks. End-to-end encrypted messaging apps like Apple’s iMessage make it difficult to determine whether an attack is taking place, because no one except the sender and receiver can see the contents of the data packet.
Malicious hacking groups often develop tools to take advantage of zero-click vulnerabilities and sell them for millions on the black market. Because of their almost untraceable nature, zero-clicks are often used at the nation-state level by government agencies in spying operations.
Sometimes the targets of those operations include journalists. According to The Indian Express, her phone was tampered with despite the London-based journalist Rania Dridi taking due precautions. The hack forced her to remove apps that were critical of her work reporting on women’s rights in the Arab world. in his documentary spy on your phoneIn The Spy in Your Phone, Al Jazeera details how one of their journalists was compromised by Pegasus malware.
How to Prevent Zero-Click Attacks
If you are a target, the covert nature of zero-click attacks makes it difficult to avoid. But there are cyber security measures you can take to protect yourself in general.
Firstly, keep your apps and system updated regularly. Software makers will patch vulnerabilities as soon as they know bugs are present. Regular updates often contain these improvements and take only a few minutes to install.
In the meantime, pay close attention to the developers of the apps you install. If there’s no info about the manufacturer listed, no reviews for the app, or the developer hasn’t been verified by the App Store, it’s likely a glitch and you should be in the clear.
It’s also a good idea to regularly delete apps that you no longer use from your phone, or at least remove any permissions you’ve given to them so that they automatically run on other parts of your phone, such as the camera. Or can’t access the media library. ,
Whenever possible, use multi-factor authentication to access important sites, email and social media. And we’ve all heard it by now, but it bears repeating: Don’t use the same password you used for every account in high school. Password managers can help you choose a strong master passcode, and store the rest so you don’t have to remember 50 passwords.
Use extensions to block pop-ups and spam, or configure your browser settings to keep them away, as attackers often use them to spread malware. Good anti-malware and antivirus protection can’t hurt either, so get your best and run regular scans.
If your job involves handling sensitive information, you may want to have two phones: one for work and another for personal use. That way, if someone is compromised, you won’t lose all your data. No matter your profession, it’s a good idea to back up all your data and files regularly and store them separately from your main hard drive. In the event of a ransomware attack, you will be able to recover your data even if you have to scrap your PC.
Should you be worried?
Zero-click attacks are undeniably scary. That said, you probably don’t need to lose sleep over them. Most zero-click vulnerabilities are used by state actors to pursue high-profile targets. Still, it’s a good idea to keep an eye on suspicious activity on your devices. For more, see How to Know if Your Phone Has Malware and 7 Signs You Have Malware and How to Get Rid of It.