
Demystifying Zero-Click Attacks

Security awareness traditionally revolves around the personal online hygiene mantra with a bunch of dos and don’ts at its core. To thwart hacker attacks and steer clear of malware, users are being told to be proactively prudent and avoid clicking on suspicious links, ignore dubious email attachments, and say No to software bundles that may be riddled with dangerous code.

These techniques are undoubtedly worthwhile and work wonders against mainstream cyber-incursions. However, vigilance alone is no longer enough to stay on the safe side. The phenomenon known as the zero-click attack completely eliminates the human factor from the attack equation. Instead, it relies on software or hardware flaws, or both, to gain a foothold on a device and execute a malicious payload or steal data behind the user’s back. Essentially, this is an interaction-less raid, and there is nothing a would-be victim can do about it once they end up in a well-motivated malefactor’s spotlight.

Although zero-click hacks are not a new thing in the cybercrime landscape, they do not hit the headlines nearly as much as classic malware outbreaks, ransomware onslaughts,[1] data breaches, phishing,[2] and other attacks. The fact that this attack vector is eclipsed by more prominent ones does not mean that it is a marginal threat. Although it has been around for years, the issue has escalated with the booming use of smartphones that store a goldmine of personal data cybercrooks may want to obtain.

Let us take a dive into the logic of common zero-click exploitation and the recently discovered mechanisms to execute it surreptitiously.

Zero-click attacks 101

The main prerequisite for pulling off a successful zero-click compromise is a specially crafted chunk of data sent to a target device over a wireless connection such as Wi-Fi, NFC, Bluetooth, GSM, or LTE. The attack chain then triggers an unknown or scarcely documented vulnerability at the hardware or software level.

For instance, the flaw may be triggered when the incoming data is processed by a system on a chip (SoC) component. In many scenarios, the malicious data goes further and triggers a vulnerability when it is parsed and rendered into human-readable form by a specific target application such as an email client, messenger, calling service, or SMS/MMS handler.

Finally, the post-exploitation stage kicks in as the payload executes predefined commands. The scariest thing is that this technique does not rely on a single click, tap, or link hit on the user’s end. This hallmark makes the intrusion incredibly hard to thwart and blaming it on the victim’s lack of caution is a misconception. In many cases, the person does not even have to open the booby-trapped message.

What kind of data can fire up such an anomalous response of a receiving device? It can be a series of network packets, authentication requests, text messages, MMS, voicemail, video conferencing sessions, phone calls, or messages sent over Skype, Telegram, WhatsApp, etc. All of these can instigate a vulnerability in a chip’s firmware or in the code of an application tasked with processing the data.

From a malefactor’s perspective, the beauty of a zero-click attack is that they don’t have to boil their efforts down to social engineering or “spray and pray” practices (like recent COVID-19-themed phishing[3]) with a low success rate. The foul play is surreptitious, so the victim may stay clueless about it for an indefinite period of time.

Mind-boggling attack surface

One of the newsmaking zero-click exploits unveiled in the past years was a WhatsApp flaw[4] that allowed an Israeli cyber actor to plant spyware on smartphones belonging to human rights activists. The flaw, described as a “buffer overflow vulnerability in Voice over Internet Protocol (VoIP)”, would set the infection process in motion when a target Android or iOS device received a WhatsApp voice call laced with rogue data packets.

The trick could work out even if the would-be victim did not pick up the phone. Furthermore, the incoming call would be removed from the call log once the malware was inside. As a result, the adversary could piggyback on the unauthorized access to control the device’s camera, microphone, messages, call logs, and to retrieve geolocation data as part of the eavesdropping.

Last year, security analysts discovered another flaw[5] that could fuel zero-click attacks against a wide range of laptops, media streaming devices, and smartphones. It was a combination of remote code execution (RCE) and denial-of-service bugs in the ThreadX firmware deployed on the popular Marvell Avastar Wi-Fi chipset. The backdoor would be stealthily opened when a device equipped with the vulnerable wireless SoC was scanning for available networks. The attack could succeed even if the device was not connected to any Wi-Fi network. To top it off, it did not require any authentication details such as the network name and password.

According to the findings[6] of Google’s Project Zero analysts published in August 2019, the iMessage client built into iOS devices was susceptible to a “fully remote” attack. All it took was sending a specially composed message to a victim’s iPhone. This piece of information would invoke an iMessage bug that became a launchpad for several post-exploitation scenarios no matter if the victim opened the app or not. The server would respond to this fraudulent message by automatically submitting the content of the user’s SMS and images back to the threat actor. Furtive injection of malicious code into the device was another potential outcome.

If weaponized, some of these imperfections could affect millions of unsuspecting users. Although these bugs were fixed shortly after they gained publicity, the fact that weaknesses of that sort are regularly emerging on the threat map is a serious problem in itself.

The bar is getting lower

Hardware and software bugs that make these incursions pan out are exceptional and highly valued in the cybercrime circles. Their price can reach millions of dollars. This explains why such exploits are usually deemed as the prerogative of exploit vendors and high-profile malicious actors with unlimited budgets, such as government-funded hacker groups.

However, a zero-click scheme recently unearthed by security researchers proves this theory wrong. Sometimes the attack does not have to be highly sophisticated and 100% successful. Even if it is less effective, criminals can try it again as long as the target does not notice it.

In late April 2020, researchers at cybersecurity firm ZecOps found three flaws[7] in the iOS Mail app that expose Apple’s mobile devices to furtive data theft. These bugs have been around since the release of iOS 6 back in 2012, and even the latest version, iOS 13, continues to be vulnerable. The trigger for this exploitation is a peculiar email sent to a device. It can be a very large message or one that congests the RAM with Rich Text Format (RTF) elements. The idea is to cause a buffer overflow in the Mail client.

By cramming up the memory with arbitrary digital junk, the malefactor overwrites legitimate code with offensive data and manipulates the app to execute it automatically. It means the flaw is trivial to exploit and it does not take a nation state-level offender to orchestrate the attack. The recipient does not need to open the email and is not likely to identify the shady activity.
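As an added illustration (not code from the article, Apple or ZecOps), a toy mail client in C shows the bug class in its simplest shape: the unsafe copy trusts a sender-declared body length, while the hardened copy rejects any message larger than its buffer or a memory policy limit before copying a byte. Buffer sizes, function names and sample messages are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not code from the article, Apple or ZecOps: a toy mail client
 * copying a message body into a fixed-size buffer, showing the bug class the
 * article describes (an oversized message overflowing the client's buffer)
 * beside a bounded version. Sizes and names are constructed for illustration. */
#define BODY_CAPACITY   64   /* hypothetical fixed buffer size */
#define POLICY_MAX_BODY 48   /* hypothetical per-message memory limit */

struct mail_buffer {
    char   body[BODY_CAPACITY];
    size_t used;
};

/* Vulnerable shape: the length claimed by the incoming message is trusted, so a
 * claimed_len above BODY_CAPACITY writes past body[]. Never call on untrusted input. */
void copy_body_unsafe(struct mail_buffer *mb, const char *data, size_t claimed_len)
{
    memcpy(mb->body, data, claimed_len);   /* no bounds check */
    mb->used = claimed_len;
}

/* Hardened shape: the declared length is checked against the real capacity (with
 * room for a terminator) and a policy limit that stops one message from consuming
 * excessive memory. Returns 0 when stored, -1 when rejected before any copy. */
int copy_body_safe(struct mail_buffer *mb, const char *data, size_t claimed_len)
{
    if (data == NULL || claimed_len > POLICY_MAX_BODY || claimed_len >= BODY_CAPACITY)
        return -1;
    memcpy(mb->body, data, claimed_len);
    mb->body[claimed_len] = '\0';
    mb->used = claimed_len;
    return 0;
}

/* Returns 1 if the hardened path accepts a body of claimed_len bytes, else 0. */
int message_accepted(const char *data, size_t claimed_len)
{
    struct mail_buffer mb = { {0}, 0 };
    return copy_body_safe(&mb, data, claimed_len) == 0;
}
int main(void)
{
    char oversized[200];                        /* constructed oversized message */
    memset(oversized, 'A', sizeof oversized);
    printf("normal message:    %s\n", message_accepted("Hello", 5) ? "accepted" : "rejected");
    printf("oversized message: %s\n", message_accepted(oversized, sizeof oversized) ? "accepted" : "rejected");
    return 0;
}
```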

Fortunately, the impact of this attack is isolated to the Mail app only. It allows the crook to steal, modify, and delete your messages. To gain a foothold in the entire device, though, the adversary would need to lace the onslaught with an extra bug, which takes a fortune to acquire and use.

How to stay safe?

Most of these onslaughts zero in on specific victims such as government officials, corporate executives, and journalists. However, if you are not a VIP or an activist, it does not mean you are on the safe side. The above-mentioned iOS Mail bug demonstrates that exploitation techniques are not necessarily top-notch and costly.

Since zero-click attacks cannot be spotted with the naked eye, users should defend themselves proactively. The most effective method is to keep the operating system and third-party software on your devices up to date. As vendors learn about new loopholes in their applications, they roll out patches addressing them.

When installing a new app, be sure to read the fine print and examine the permissions it asks for. Also, do not jailbreak your devices – this reduces the efficiency of controls and restrictions built into the firmware. One more important tip is to back up your valuable data so that you can recover it in the worst-case scenario. Enabling native encryption features for sensitive information will further enhance your security practices.


  1. https://brilliancesecuritymagazine.com/guest-contributor/ransomware-families-that-publish-stolen-data/ 04/14/2020
  2. https://www.cyberdb.co/apple-phishing-is-on-the-rise/ 04/06/2020
  3. https://macsecurity.net/view/351-covid-19-scam-emails-to-beware-of 03/28/2020
  4. https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab 05/14/2019
  5. https://nvd.nist.gov/vuln/detail/CVE-2019-6496 02/28/2019
  6. https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surface-of.html 07/07/2019
  7. https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/ 04/20/2020
By David Balaban