What is a zero-click attack?


Although “zero-day attacks” are bad enough (they're called that because developers have had zero days to deal with the vulnerability before it comes to light), zero-click attacks are worrisome in a different way.

Defining Zero-Click Attacks

Many common cyberattacks such as identity fraud require the user to perform some kind of action. In these schemes, opening an email, downloading an attachment or clicking on a link enables malicious software to access your device. But zero-click attacks require, well, zero user interaction to function.

These attacks do not need to use "social engineering", the psychological tactics that bad actors use to get you to click on their malware. Instead, they simply waltz right onto your machine. That makes the cyberattacks much harder to track, and if they fail, the attackers can keep trying until they get it right, because you don't know you're being attacked.

Zero-click vulnerabilities are highly prized, all the way up to the nation-state level. Companies like Zerodium that buy and sell vulnerabilities on the black market are offering millions to anyone who can find them.

Any system that analyzes the data it receives to establish whether that data can be trusted is vulnerable to a zero-click attack. That's what makes messaging and email apps such attractive targets. At the same time, the end-to-end encryption present in apps like Apple's iMessage makes it difficult to tell whether a zero-click attack is being sent, because the contents of the data packet cannot be seen by anyone but the sender and receiver.

These attacks also don't usually leave much of a trace. A zero-click email attack, for example, could copy the entire contents of your email inbox before it is deleted. And the more complex the application, the more room exists for zero-click exploits.


Zero-click attacks in the wild

In September, The Citizen Lab discovered a zero-click exploit that allowed attackers to install the Pegasus malware on a target's phone using a PDF designed to execute code automatically. The malware effectively turns the smartphone of anyone infected with it into a listening device. Since then, Apple has developed a patch for the vulnerability.

In April, cybersecurity company ZecOps published an article on several zero-click attacks they found in Apple's Mail app. Cyber attackers sent specially crafted emails to Mail users that allowed them to gain access to the device without any action on the part of the user. And even though the ZecOps report says they don't believe these particular security risks pose a threat to Apple users, exploits like this could be used to create a chain of vulnerabilities that ultimately allows a cyberattacker to take over.

In 2019, attackers used an exploit in WhatsApp to install spyware on people's phones just by calling them. Facebook has since sued the spyware vendor considered responsible, claiming it was using that spyware to target activists and political dissidents.

How to protect yourself

Unfortunately, since these attacks are difficult to detect and do not require any action on the part of the user, it is difficult to protect against them. But good digital hygiene can still make you less of a target.

Update your devices and apps often, including the browser you use. These updates often contain patches for exploits that bad actors can use against you if you don't install them. Many victims of WannaCry ransomware attacks, for example, could have prevented them with a simple update. We have guides to update iPhone and iPad apps, update your Mac and installed apps, and keep your Android device up to date.

Get a good anti-spyware and anti-malware program, and use it regularly. Use a VPN in public places if you can, and do not enter sensitive information such as bank details on an untrusted public connection.

App developers can contribute by rigorously testing their products for exploits before releasing them to the public. Bringing in professional cybersecurity experts and offering rewards for bug fixes can go a long way toward making things safer.

So, should you lose sleep over this? Probably not. Zero-click attacks are primarily used against high-profile financial and espionage targets. As long as you take all possible measures to protect yourself, you should be all right.
