A zero click attack occurs when a device is compromised without any action on the part of the device owner. In contrast, traditional cyber attack methods, such as phishing, rely on social engineering to get people to click on malicious content. Zero click attacks start without any specific prompting, accidental clicking, or downloading of software. They can emerge out of nowhere, seemingly without reason.
Zero click vs. zero day
For the uninitiated, the two types of attacks sound similar. However, zero click attacks and zero-day attacks are quite different in nature. A zero click attack does not rely on a specific mechanism in order to take hold within a system. In contrast, a zero-day attack relies on existing software bugs in order to disrupt activities.
Famous zero click attacks
Among the most recent and notorious zero click attacks is the one associated with the Pegasus software maker, NSO Software. The University of Toronto’s Citizen Lab highlighted Pegasus-related zero click attacks on Android and iOS devices in 2018 and again in 2021.
Shortly thereafter, Google’s Project Zero group published a technical analysis of the NSO Group’s exploit, known as “FORCEDENTRY,” which was used to infect targeted devices with Pegasus spyware via iMessage.
Why zero click can hurt
Zero click attacks are invisible. Attackers simply need to target a victim and launch the attack. Victims are usually unaware of any unsanctioned activity on their devices, enabling hackers to read messages, cull through photos or deposit spyware.
As cyber security researcher David Balaban stated, “From a malefactor’s perspective, the beauty of a zero click attack is that they don’t have to boil their efforts down to social engineering or ‘spray and pray’ practices (like recent COVID-19 themed phishing) with a low success rate.”
How zero click attacks work
Zero click attacks leverage gaps in the data-verification function of apps and operating systems. Systems that inspect and parse data in order to determine the data’s trustworthiness can become vulnerable to zero click attacks. Scripts for zero click attacks are often hidden inside of PDFs, images, or other innocuous-looking messages.
In some cases, security measures intended to protect users from malicious cyber activity can aid zero click attacks. End-to-end encryption, for example, can render it difficult to determine whether or not a zero click attack is taking place, as no one can see the contents of the data packets sent over the device, save for the sender and the receiver.
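The data-verification gap described above usually comes down to a parser that trusts a size or type field supplied by the sender. The following C function is an added example, not code from any product named in this article; the record layout, names and limits are assumptions constructed for illustration. It shows the checks a message parser needs before it touches untrusted bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout (an assumption for this example, not a real
 * messaging format): 1-byte type, 2-byte big-endian payload length, payload. */
#define HDR_LEN     3u
#define MAX_PAYLOAD 64u

enum parse_result { PARSE_OK = 0, ERR_TRUNCATED_HEADER, ERR_UNKNOWN_TYPE,
                    ERR_TOO_LARGE, ERR_LENGTH_MISMATCH };

struct attachment {
    uint8_t type;
    size_t  len;
    uint8_t data[MAX_PAYLOAD];
};

/* Parses one record from untrusted bytes. Every field is checked against
 * the bytes actually received before it is used as a size or an index. */
enum parse_result parse_attachment(const uint8_t *buf, size_t buf_len,
                                   struct attachment *out)
{
    if (buf == NULL || out == NULL || buf_len < HDR_LEN)
        return ERR_TRUNCATED_HEADER;

    uint8_t type = buf[0];
    size_t declared = ((size_t)buf[1] << 8) | buf[2];

    /* Allow-list the record types this parser handles; reject the rest. */
    if (type != 0x01 && type != 0x02)
        return ERR_UNKNOWN_TYPE;

    /* The sender controls 'declared', so cap it to the destination size. */
    if (declared > MAX_PAYLOAD)
        return ERR_TOO_LARGE;

    /* The declared length must equal what was actually delivered. */
    if (declared != buf_len - HDR_LEN)
        return ERR_LENGTH_MISMATCH;

    out->type = type;
    out->len = declared;
    memcpy(out->data, buf + HDR_LEN, declared);
    return PARSE_OK;
}
```

Each rejected case returns a distinct error code, so a rejected message can be logged and counted instead of silently dropped.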
Zero click threats, dark web
Cyber criminal groups commonly create tools that take advantage of zero click vulnerabilities. These tools can command millions of dollars on the black market. Due to the nearly untraceable nature of zero clicks, they’re often used by nation-state actors or by government agencies that wish to conduct cyber stings.
Attacks have often targeted journalists. Despite taking precautions, journalists have experienced zero click compromises that forced them to delete apps, to redo extensive volumes of work, and to worry about personal safety.
Preventing zero click threats
The invisible nature of zero click attacks makes them difficult to avoid. Nonetheless, these five specific cyber security measures can prove beneficial.
- Keep your systems up-to-date with the latest software versions and patches. While we’ve all heard it before, maintaining systems is a key means of preventing a wide variety of cyber snares.
- Set up systems so that they block pop-ups and spam. If needed, encourage individuals to configure browser settings accordingly.
- Encourage employees to use strong authentication codes for business accounts, especially those that connect to critical networks.
- Remind employees to only download apps from official app stores. As with many malicious modalities, zero click attack scripts can be found in unsecured, under-secured, or non-vetted software applications.
- Ensure that your organization maintains a robust data backup system, which will help hasten recovery in the event of an invasive zero click incident.