Zero-Click Attacks: The Interactionless Cybersecurity Nightmare That Conquered Apple

IT and security professionals have to be constantly on the alert for new attacks and threats that may bypass traditional defences. Hackers are always developing new ways of getting around protections, and vulnerabilities that haven't yet been publicly identified - known as zero-day exploits - are among the trickiest issues to defend against.

One of the most dangerous types of attack vector to emerge in recent years is zero-click attacks. These techniques, which are usually aimed at mobile devices, have proven especially hard to stop, in large part because they're so hard to spot in the first place.

Some of the dangers of zero-click attacks were illustrated recently, when it was revealed that millions of Apple devices were at risk from spyware known as Pegasus. While the firm scrambled to update its systems and contain any potential fallout, the incident highlighted the danger of these attacks, and should serve as a reminder to businesses around the world that even if you think you've got the best possible defenses in place, this doesn't mean you won't be vulnerable to as-yet unknown security holes.

What are zero-click attacks?

Zero-click attacks get their name because victims don't have to directly interact with them in order to become infected. These attacks exploit weakness in a device itself, rather than a user, making them tough for even the most careful and knowledgeable targets to stop.

One high-profile case from 2019 involved WhatsApp. In this example, it was found that attackers could install malware on a device simply by calling the victim, who didn’t even have to answer the phone to become infected. As there was no record of the call, users didn’t even know they'd been targeted.

A typical piece of malware depends on the end-user actively allowing it onto their device - usually by being tricked into clicking a bogus link or downloading an infected file. Therefore, good security sense and education can minimize the risk, meaning hackers have to rely on people becoming careless.

However, because zero-click attacks don't require any action from the user, even the most vigilant and well-prepared users can fall victim, thereby taking some of the most common protections out of the equation. What's more, because there's no direct interaction from the user's end, there's nothing for antimalware software to analyze. As a result, victims are likely to be completely unaware their device has been compromised.

Messaging apps may be especially vulnerable to this type of attack. This is because, by design, they exchange data with untrusted external devices. This gives hackers an opportunity to disguise their activity and infiltrate smartphones unnoticed.

As a result, zero-click has been sometimes described as the 'holy grail' of smartphone malware - attacks that can infect any user without a trace, regardless of the defenses they have in place, and can continue sending back valuable data to the hackers for months or even years.

How even Apple fell victim

Apple's issues related to a spyware system developed by an Israeli firm called NSO Group. This company supposedly sold the technology to a number of regimes around the world, who in turn used it to track politicians, journalists and activists. Although the existence of some form of the spyware has been known since 2016, a series of media revelations in 2021 thrust the public spotlight onto what it’s capable of.

Among the revelations were how the Pegasus spyware infected Apple and Android devices via messaging services, from where it can theoretically harvest any data on the devices and send it back to the attacker.

The particular exploit that affected Apple's inbuilt iMessage app was found by Canadian research group The Citizen Lab, and led Apple to implement an emergency patch to its iOS 14.8 update to close the loopholes it exploited.

In a statement, the firm said the attacks such as this are "highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals".

What can you do to defend yourself?

While tools like Pegasus may be highly expensive and targeted at specific individuals, they are just one example of what zero-click attacks are capable of. And, as they rely entirely on stealth to get under the radar, they’re highly difficult for any organization to counter.

However, this doesn’t mean users are defenseless. The most important thing they can do to protect themselves is to ensure they have an effective patch management strategy in place that ensures all security updates are installed across your devices as soon as possible.

This may be a challenging task for large organizations where hardware is spread all over the world, but it's essential, as unpatched smartphones are one of the biggest weaknesses in any security environment.

You may also be able to spot certain attacks by keeping a close eye out for any unusual behavior on messaging apps, such as missed calls. However, there's no guarantee you'll be able to spot this, as the most sophisticated attacks are capable of scrubbing any records immediately.

Ultimately, fighting zero-click attacks is something that has to be led by developers themselves. The likes of Apple and Google, along with security researchers around the world, will need to share information and work quickly to close vulnerabilities as soon as they're discovered to ensure users can have faith in their devices and not fall victim to these security nightmares.