While “zero-day attacks” are bad enough—they’re named that because developers have had zero days to deal with the vulnerability before it’s out in the open—zero-click attacks are concerning in a different way.
What Does “Zero-Click Attack” Mean?
Lots of common cyberattacks, like phishing, require the user to take some kind of action. In these schemes, opening an email, downloading an attachment, or clicking a link gives malicious software access to your device. But zero-click attacks require, well, zero user interaction to work.
These attacks don’t need to use “social engineering,” the psychological tactics bad actors use to get you to click on their malware. Instead, they just waltz right into your machine. That makes cyberattackers much harder to track, and if they fail, they can just keep trying until they succeed, because you don’t know you’re being attacked.
Zero-click vulnerabilities are highly prized all the way up to the nation-state level. Firms like Zerodium that buy and sell vulnerabilities on the black market are offering millions to anyone who can find them.
Any system that parses data it receives to determine whether that data can be trusted is vulnerable to a zero-click attack. That’s what makes email and messaging apps such appealing targets. Plus, the end-to-end encryption present in apps like Apple’s iMessage makes it difficult to know whether a zero-click attack is being sent because the contents of the data packet can’t be seen by anyone but the sender and receiver.
These attacks also don’t often leave much of a trace behind. A zero-click email attack, for example, could copy the entire contents of your email inbox before deleting itself. And the more complex the app is, the more room exists for zero-click exploits.
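To make the parsing point concrete, here is an added example (not from the original article or any vendor's code): a C routine that pulls a notification preview out of an incoming message and rejects any message whose declared length disagrees with the bytes actually received. The wire format, names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (assumed for this example, not a real protocol):
 * byte 0 = field type, bytes 1-2 = declared payload length (big-endian),
 * bytes 3.. = payload. */
#define FIELD_PREVIEW 0x01
#define HEADER_LEN    3

enum parse_result { PARSE_OK, PARSE_BAD_ARGS, PARSE_TRUNCATED,
                    PARSE_BAD_TYPE, PARSE_LENGTH_MISMATCH, PARSE_TOO_LARGE };

/* Constructed samples: an honest message, and one whose header claims
 * 0x0400 bytes of payload while only two bytes follow. */
static const uint8_t SAMPLE_HONEST[] = { 0x01, 0x00, 0x02, 'h', 'i' };
static const uint8_t SAMPLE_LYING[]  = { 0x01, 0x04, 0x00, 'h', 'i' };

/* Runs on receipt, before the user sees or taps anything, so every byte
 * of msg is untrusted. Writes a NUL-terminated preview into out. */
enum parse_result parse_preview(const uint8_t *msg, size_t msg_len,
                                char *out, size_t out_cap)
{
    if (msg == NULL || out == NULL || out_cap == 0)
        return PARSE_BAD_ARGS;
    out[0] = '\0';                      /* never hand back stale data */
    if (msg_len < HEADER_LEN)
        return PARSE_TRUNCATED;
    if (msg[0] != FIELD_PREVIEW)
        return PARSE_BAD_TYPE;          /* reject unknown types outright */

    size_t declared = ((size_t)msg[1] << 8) | msg[2];
    /* The sender chose `declared`; only msg_len is known to be true. */
    if (declared != msg_len - HEADER_LEN)
        return PARSE_LENGTH_MISMATCH;
    if (declared >= out_cap)
        return PARSE_TOO_LARGE;         /* keep room for the terminator */

    memcpy(out, msg + HEADER_LEN, declared);
    out[declared] = '\0';
    return PARSE_OK;
}

int main(void)
{
    char preview[16];
    printf("%d\n", parse_preview(SAMPLE_HONEST, sizeof SAMPLE_HONEST, preview, sizeof preview));
    printf("%d\n", parse_preview(SAMPLE_LYING, sizeof SAMPLE_LYING, preview, sizeof preview));
    return 0;
}
```

Every check sits before the copy, so a message that fails validation never reaches the code that touches memory.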
Zero-Click Attacks In The Wild
In September, The Citizen Lab discovered a zero-click exploit that allowed attackers to install Pegasus malware on a target’s phone using a PDF engineered to automatically execute code. The malware effectively turns any smartphone it infects into a listening device. Apple has since developed a patch for the vulnerability.
In April, cybersecurity company ZecOps published a writeup on several zero-click attacks they found in Apple’s Mail app. Cyberattackers sent specially crafted emails to Mail users that allowed them to gain access to the device with zero user action. And while the ZecOps report says that they do not believe these particular security risks pose a threat to Apple users, exploits like this could be used to create a chain of vulnerabilities that ultimately allow a cyberattacker to take control.
In 2019, an exploit in WhatsApp was used by attackers to install spyware on people’s phones just by calling them. Facebook has since sued the spyware vendor deemed responsible, claiming it was using that spyware to target political dissidents and activists.
How to Protect Yourself
Unfortunately, since these attacks are difficult to detect and require no user action to execute, they’re tough to guard against. But good digital hygiene can still make you less of a target.
Update your devices and apps often, including the browser you use. These updates often contain patches for exploits bad actors can use against you if you don’t install them. Many victims of the WannaCry ransomware attacks, for example, could’ve avoided them with a simple update.