For years, the statistics have told us that human error is the greatest contributor to cyberattacks. We’ve stressed the importance of training, training and more training to prevent the almost inevitable from happening. We’ve been convinced that the key to defending against cyberthreats is to keep the unsuspecting from clicking on phishing emails and infecting devices and systems with malware.

That’s still important, but with a cyberthreat that’s been in the news recently, all that effort would do no good. Zero-click attacks don’t require human error or even human interaction. These attacks depend on specially formed data — like that used for emails, SMS messages, MMS messages, voice messages and calls — with code that can compromise your system. Vulnerable systems are generally communication platforms for email and messaging that receive data before determining whether the delivery is trustworthy.

Cybercriminals prize these attacks, according to Wired: Requiring the target to click is always uncertain, plus less interaction makes identifying the perpetrators of malicious activity even more daunting.

How Zero-Click Attacks Work

A zero-click attack identified by ZecOps shows how the threat can work in the wild. The vulnerability affects the Mail app in Apple iPhones and iPads. ZecOps observed that cyberattackers could trigger the vulnerability by sending a carefully crafted message to a target’s mailbox. The vulnerability has existed since September 2012, when Apple released the iPhone 5 with iOS 6.

When the target opens the message in the iOS MobileMail application on iOS 12 or maild on iOS 13, the vulnerability lets malicious actors infect the device remotely via emails that consume extensive memory. The email itself doesn’t need to be large, according to ZecOps — just large enough to consume sufficient RAM. Even before the entire email is downloaded, the vulnerability can be triggered.

Starting with iOS 13, the vulnerability enables zero-click attacks when the Mail app is opened in the background. Cyberattackers can then read, edit, leak or delete emails within the Mail app. The attackers won’t gain full control of the targeted device, however. For that, ZecOps agrees with Apple that attackers would require an additional infoleak bug and kernel bug.

Apple patched the vulnerability in iOS 13.4.5 beta on April 16, 2020, although the patch is not yet available in the general availability version. If you can’t use the beta version, ZecOps suggests disabling the Mail application and considering Outlook, Edison Mail or Gmail, which are not vulnerable. But until a patch is available, malicious actors may use the time to attack as many devices as possible.

The Insidious Spread of Zero-Click Attacks

The iPhone and iPad zero-click vulnerability is not the only one recently discovered. In January 2020, Samsung thanked security researcher Mateusz Jurczyk with Google’s Project Zero bug-hunting team for finding a vulnerability that allowed attackers to exploit how the Android graphics library handles images, SC Magazine reported. This enabled zero-click attacks on Samsung mobile phones running Android version 4.4.4 or later. Successful attacks would eventually give the hacker access to the same privileges as the owner, including call logs, contacts and SMS.

In May 2019, a WhatsApp breach used the app’s voice call function to ring a target’s phone, The Defence Works reported. The attack installed malware, even if the target didn’t pick up, and then deleted the call. The internet connection between the caller and receiver’s phones hid infected data packets containing software code. The hacker could then take control of data, including call logs, messages and locations, as well as functions, such as the camera and microphone.

Another attack involved vulnerabilities in a Wi-Fi chipset used in gaming, streaming, laptops and some smart home devices, Help Net Security reported.

These attacks thrive on the proliferation of mobile devices. Statista projects that the number of smartphones alone will reach 3.8 billion by 2021. Cyberthreats take advantage of the devices, network coverage and Wi-Fi vulnerabilities and the trove of valuable data. Many of us carry as much personal and confidential information in our purse or pocket as we store on our desktop at home.

How to Prepare for Zero-Click Cyberthreats

The failure to identify large numbers of zero-click attacks is not due to a lack of vulnerabilities, according to Wired. They’re simply hard to detect. Users of infected Apple devices, for instance, might notice only a temporary slowdown or sudden crash of the mobile mail app. The content — an email, message or call — won’t necessarily remain on the device. For example, ZecOps noted that although data confirms the targeted Apple devices received exploit emails, they weren’t present on the mail server.

The features that make software more secure can make zero-click attacks harder to detect. Due to the end-to-end encryption of iMessages, for example, Apple or security monitoring firms can find it challenging to spot customized zero-click messages. Even the least sophisticated attacks leave few clues. Crash logs can be a good starting point to look for abnormalities that might indicate malicious activity.

To protect against zero-click attacks, basic cyber hygiene is a start. Keep the operating system, firmware and apps on all devices up to date as soon as prompted. Download apps only from official stores and uninstall apps you no longer use. Beware of requests for permission to install new apps, download unknown files or click on suspicious links.

Use your device password protection, but turn off automatic Wi-Fi and Bluetooth connections. Don’t jailbreak your mobile phone to download apps for free, because you’ll also remove the protection provided by Apple and Google.

Zero-click attacks are deceptive, dangerous and growing as the mobile attack surface expands. For now, stay aware of the zero-click threat, take precautions to secure your mobile device and stay up to date on novel attacks. Also realize that as the mobile phone has become more and more indistinguishable from a computer, your enterprise needs to take mobile security just as seriously as desktop and laptop security.

More from Application Security

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…