Understanding Zero-click Mobile Phone Attacks
While taking a stroll through the barrage of information dished out daily on YouTube, a distinct line caught my attention. It read, ‘The Spy in Your Phone’, an investigative report produced by the popular news channel, Al Jazeera.
Due to the recent global uproar with regards to user privacy and big tech, it felt like another e-alarm, one I’ve heard one too many times. However, regards to previous informative reports gotten from the news channel, I took the plunge into the 47minute-long video.
According to the report, Citizen Lab, a Canadian research group based at the University of Toronto, confirmed that the phones of 36 Al Jazeera’s investigative journalists had been hacked using a special zero-click exploit. The group arrived at this conclusion after analysis of their VPN logs, earlier installed on the phone, revealed that the device portrayed unusual behavior by interacting with suspicious sites linked to Pegasus, a spyware developed by technology firm, NSO group.
After watching the report, I was set on one thing, to gain an in-depth understanding of zero-click attacks. For the sake of clarity, a zero-click attack differs slightly from a 0-day attack.
A zero-day attack is defined as an attack that exploits a previously unknown hardware, firmware or software vulnerability. — National Institute of Standards and Technology (NIST)
Explaining further, Zheng Bu, former VP of Fireeye Labs, in a 2014 report defined a 0-day attack as software or hardware vulnerabilities that have been exploited by an attacker where there is no prior knowledge of the flaw in the general information security community, and therefore, no vendor fix or software patch available for it.
What is a Zero-click Attack?
This is an attack that does not require user interaction to carry out the malicious activity for which it was created, hence, the name ‘zero-click’. This is essentially what makes this attack so dangerous, as it is extremely tough to detect, and ensures that the victim is completely ignorant of the compromise for an indefinite period of time. An example would include the hack of Amazon’s CEO, Jeff Bezos, iPhone in 2018.
The zero-click attack is mostly prized by attackers for this sake, no user interaction required, hence no need for social engineering techniques, with low success rate, to get the victim to naively execute the malicious code on their device or in a worst case scenario, become suspicious of foul play.
The good news however is that the zero-click exploit isn’t just available to anyone due to its sophistication, rather, an attacker has to be well-funded to gain access to such exploit i.e. nation-state ‘workers’. The not-so-good news is that there are lower level zero-click exploits that aren’t highly sophisticated and do not guarantee 100% success but at least will achieve some level of success if the attacker is willing to give it multiple tries. This inadvertently means that once an attacker, without solid funding, takes keen interest in a target, such a person can continuously launch the attack as long as the victim doesn’t suspect. So such ‘power’ isn’t limited to only those backed by the government except in cases where the attacker wants a complete control of the device, which requires further exploits that cost a fortune.
An exploit is a sequence of commands that take advantage of a flaw in a system to illegally gain control or have unrestricted access to that system.
How does the Zero-click Attack work?
Amazingly, zero-click attacks have been around for a while now, notably as far back as 2016, or even more. They rely on a response from the target device, which is usually automatic, such as the device activating the call function when receiving a call, or even showing thumbnails of images. Once a connection is initiated, without the victim’s knowledge, malware is transferred using different wireless communication methods such as Wi-Fi and LTE. The most-vulnerable apps to these attack are those that are required to automatically parse data from untrusted sources, such as iMessage and FaceTime.
Though, these bugs get fixed as they gain publicity, the recent hack on Al Jazeera’s journalists shows how much the threat landscape is evolving as attackers discover more sophisticated techniques and become extremely dangerous by the day, especially with potential flaws yet to be found in newly-released software.
According to the report from Citizen Lab researchers, when the malware gains access to the target device, it can record the microphone, phone calls, take photos using the device camera, access the victim’s passwords, stored credentials and track the phone’s location, all without the victim’s knowledge.
How to keep safe
Despite the evolving threat landscape, the best method to ensure a considerable level of safety is to keep your device up-to-date. As new software is released, patches are constantly rolled out to deal with bugs in the system. To illustrate, Apple claims to have fixed the vulnerability in their latest OS update, iOS 14, which means we are required to immediately update our devices.
Also, ensure to take note of permissions granted to third-party apps, especially those rarely made use of. These permissions could include allowing the app to make calls, send SMS, access to the internet, create Bluetooth connection, take pictures using phone camera, record voice messages, find GPS location, modify or delete storage content, read your personal information such as contact and calendar data or sync with your mail. Permissions in itself are not bad, however, I’ll be suspicious if, for example, a voice recording app requests access to my phone camera, would you?
We should also ensure not to jailbreak our devices, as this notably increases our device’s vulnerability to remote attacks due to installation of applications not offered on the general app store or play store.
Proactivity is important in ensuring a considerable level of safety from ZCAs, however, apart from that, there isn’t much one can do to face off this holy grail of mobile phone attacks, till further research suggests otherwise.
