While “zero-day attacks” are bad enough—they’re named that because developers have had zero days to deal with the vulnerability before it’s out in the open—zero-click attacks are concerning in a different way.
Zero-Click Attacks Defined
Lots of common cyberattacks like phishing require the user to take some kind of action. In these schemes opening an email, downloading an attachment, or clicking a link allows malicious software access to your device. But zero-click attacks require, well, zero user interaction to work.
These attacks don’t need to use “social engineering,” the psychological tactics bad actors use to get you to click on their malware. Instead, they just waltz right into your machine. That makes cyberattackers much harder to track, and if they fail, they can just keep trying until they get it, because you don’t know you’re being attacked.
Zero click vulnerabilities are highly prized all the way up to the nation-state level. Firms like Zerodium that buy and sell vulnerabilities on the black market are offering millions to anyone who can find them.
Any system that parses data it receives to determine whether that data can be trusted is vulnerable to a zero-click attack. That’s what makes email and messaging apps such appealing targets. Plus, the end-to-end encryption present in apps like Apple’s iMessage makes it difficult to know whether a zero-click attack is being sent because the contents of the data packet can’t be seen by anyone but the sender and receiver.
These attacks also don’t often leave much of a trace behind. A zero-click email attack, for example, could copy the entire contents of your email inbox before deleting itself. And the more complex the app is, the more room exists for zero-click exploits.
RELATED: What Should You Do If You Receive a Phishing Email?
Zero-Click Attacks In The Wild
In September, The Citizen Lab discovered a zero-click exploit that allowed attackers to install Pegasus malware on a target’s phone using a PDF engineered to automatically execute code. The malware effectively turns anyone’s smartphone infected with it into a listening device. Apple has since developed a patch for the vulnerability.
In April, cybersecurity company ZecOps published a writeup on several zero-click attacks they found in Apple’s Mail app. Cyber attackers sent specially crafted emails to Mail users that allowed them to gain access to the device with zero user action. And while the ZecOps report says that they do not believe these particular security risks pose a threat to Apple users, exploits like this could be used to create a chain of vulnerabilities that ultimately allow a cyberattacker to take control.
In 2019, an exploit in WhatsApp was used by attackers to install spyware on people’s phones just by calling them. Facebook has since sued the spyware vendor deemed responsible, claiming it was using that spyware to target political dissidents and activists.
How to Protect Yourself
Unfortunately, since these attacks are difficult to detect and require no user action to execute, they’re tough to guard against. But good digital hygiene can still make you less of a target.
Update your devices and apps often, including the browser you use. These updates often contain patches for exploits bad actors can use against you if you don’t install them. Many victims of the WannaCry ransomware attacks, for example, could’ve avoided them with a simple update. We have guides to updating iPhones and iPad apps, updating your Mac and its installed apps, and keeping your Android device updated.
Get a good anti-spyware and anti-malware program, and use them regularly. Use a VPN in public places if you can, and don’t enter sensitive information like bank data on an untrusted public connection.
App developers can help on their end by rigorously testing their products for exploits before releasing them to the public. Bringing in professional cybersecurity experts and offering bounties for bug fixes can go a long way toward making things more secure.
So should you lose any sleep over this? Probably not. Zero-click attacks are mostly used against high-profile espionage and financial targets. As long as you take every possible measure to protect yourself, you should do alright.
RELATED: Basic Computer Security: How to Protect Yourself from Viruses, Hackers, and Thieves