For years, the statistics have told us that human error is the greatest contributor to cyberattacks. We’ve stressed the importance of training, training and more training to prevent the almost inevitable from happening. We’ve been convinced that the key to defending against cyberthreats is to keep the unsuspecting from clicking on phishing emails and infecting devices and systems with malware.

That’s still important, but against a class of cyberthreat that has been in the news recently, all that training does no good. Zero-click attacks require no human error and no human interaction at all. They rely on specially crafted data — an email, an SMS or MMS message, a voice message or a call — whose content triggers a vulnerability in the software that processes it. The systems exposed are typically communication platforms for email and messaging, because they must parse incoming data automatically, before the recipient, or the platform itself, has had any chance to decide whether the sender is trustworthy.

Cybercriminals prize these attacks, according to Wired: relying on the target to click is always uncertain, and the less interaction an attack needs, the fewer traces it leaves, which makes identifying the perpetrators even more daunting.

How Zero-Click Attacks Work

A zero-click vulnerability identified by ZecOps shows how the threat can work in the wild. It affects the Mail app on Apple iPhones and iPads. ZecOps observed that attackers could trigger the vulnerability simply by sending a carefully crafted message to the target’s mailbox. According to ZecOps, the flaw has existed since September 2012, when Apple released the iPhone 5 with iOS 6.

On iOS 12 the vulnerability is triggered when the target opens the message in the MobileMail application; on iOS 13 it is triggered by maild, the mail daemon that processes messages in the background. In both cases the trigger is an email that makes the mail process consume a large amount of memory. The email itself doesn’t need to be large, according to ZecOps, just large enough to consume sufficient RAM, and because the message is processed as it arrives, the vulnerability can be triggered even before the entire email has been downloaded.

Starting with iOS 13, the flaw enables a true zero-click attack: maild processes the message while the Mail app is in the background, so the target need not do anything. Attackers can then read, edit, leak or delete emails within the Mail app. They don’t gain full control of the device from this bug alone, however. For that, ZecOps agrees with Apple, an attacker would have to chain it with an additional information-leak bug and a kernel bug.
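As an added illustration, not ZecOps’s code and not the actual iOS Mail bug, here is a simplified model of the class of bug described above: a mail consumer that appends message chunks to a growable buffer as they arrive, before anyone has decided whether the sender is trusted, and that assumes its allocation succeeded. Under memory pressure the allocation fails; the vulnerable version keeps writing into the old, too-small buffer, while the hardened version checks the result and bounds the message size. The allocator hook, the memory quota, the canary region and the size constants are assumptions made for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example modelling a streaming message consumer (not real Mail code).
 * SLACK bytes of canary are placed after every buffer so an overflow is
 * observable in the demo without corrupting real heap metadata. */
#define SLACK   16
#define CANARY  0xA5
#define MAX_MSG ((size_t)1 << 20)   /* assumed per-message size cap */

typedef struct {
    unsigned char *data;
    size_t len;
    size_t cap;
} msgbuf;

/* Memory-pressure simulator: any allocation larger than the quota fails,
 * as a real allocator does once the process runs out of RAM. */
static size_t mem_quota = (size_t)-1;

static unsigned char *grow(size_t newcap) {
    if (newcap > mem_quota) return NULL;
    unsigned char *p = malloc(newcap + SLACK);
    if (p) memset(p + newcap, CANARY, SLACK);
    return p;
}

static int msgbuf_init(msgbuf *b, size_t cap) {
    b->data = grow(cap);
    b->len = 0;
    b->cap = cap;
    return b->data ? 0 : -1;
}

/* VULNERABLE: a failed grow is ignored and the chunk is copied anyway, so
 * `len` bytes land past the end of the old allocation. */
int consume_chunk_vuln(msgbuf *b, const unsigned char *chunk, size_t len) {
    if (b->len + len > b->cap) {
        size_t newcap = (b->len + len) * 2;
        unsigned char *p = grow(newcap);
        if (p) {
            memcpy(p, b->data, b->len);
            free(b->data);
            b->data = p;
            b->cap = newcap;
        }
        /* no else: on failure we fall through with the stale, smaller buffer */
    }
    memcpy(b->data + b->len, chunk, len);   /* heap overflow when grow failed */
    b->len += len;
    return 0;
}

/* HARDENED: bound the total size (overflow-safe), check the allocation and
 * refuse the chunk rather than write past the buffer. */
int consume_chunk_safe(msgbuf *b, const unsigned char *chunk, size_t len) {
    if (len > MAX_MSG || b->len > MAX_MSG - len) return -1;
    if (b->len + len > b->cap) {
        size_t newcap = (b->len + len) * 2;
        if (newcap > MAX_MSG) newcap = MAX_MSG;   /* still >= b->len + len */
        unsigned char *p = grow(newcap);
        if (!p) return -1;   /* out of memory: drop the message, write nothing */
        memcpy(p, b->data, b->len);
        free(b->data);
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, chunk, len);
    b->len += len;
    return 0;
}

/* 1 if the canary after the buffer has been overwritten. */
int canary_clobbered(const msgbuf *b) {
    for (size_t i = 0; i < SLACK; i++)
        if (b->data[b->cap + i] != CANARY) return 1;
    return 0;
}

/* Feed both consumers the same chunks, then exhaust memory before the chunk
 * that forces a grow. Returns 1 when the vulnerable consumer corrupted the
 * canary and the hardened one refused the chunk with its buffer intact. */
int demo(void) {
    unsigned char chunk[24];
    memset(chunk, 'A', sizeof chunk);
    msgbuf v, s;
    mem_quota = (size_t)-1;
    if (msgbuf_init(&v, 32) || msgbuf_init(&s, 32)) return 0;
    consume_chunk_vuln(&v, chunk, sizeof chunk);   /* 24 bytes fit in cap 32 */
    consume_chunk_safe(&s, chunk, sizeof chunk);
    mem_quota = 0;                                 /* simulate RAM exhaustion */
    int rv = consume_chunk_vuln(&v, chunk, 10);    /* 34 > 32: grow fails */
    int rs = consume_chunk_safe(&s, chunk, 10);
    int ok = rv == 0 && canary_clobbered(&v) && rs == -1 && !canary_clobbered(&s);
    free(v.data);
    free(s.data);
    return ok;
}

int main(void) {
    puts(demo() ? "vulnerable consumer overflowed; hardened consumer refused the chunk"
                : "unexpected result");
    return 0;
}
```

The point of the model is that the attacker controls both the size of the data and, indirectly, how much memory the parser has left; a message that is merely large enough, delivered to a process that parses it unprompted, is the whole attack.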

Apple patched the vulnerability in the iOS 13.4.5 beta on April 16, 2020, although at the time of writing the fix was not yet available in a general availability release. If you can’t run the beta, ZecOps suggests disabling the Mail application and using Outlook, Edison Mail or Gmail instead, which ZecOps reports are not vulnerable. Until a patch is generally available, attackers may use the window to compromise as many devices as possible.

The Insidious Spread of Zero-Click Attacks

The iPhone and iPad zero-click vulnerability is not the only one discovered recently. In January 2020, Samsung credited security researcher Mateusz Jurczyk of Google’s Project Zero bug-hunting team with finding a vulnerability in how the Android graphics library on Samsung phones handles images, SC Magazine reported. A malicious image delivered to the device could be exploited without any interaction on Samsung phones running Android 4.4.4 or later. A successful attack would eventually give the attacker the same privileges as the device’s owner, including access to call logs, contacts and SMS.

In May 2019, a WhatsApp attack abused the app’s voice call function: simply ringing the target’s phone was enough, The Defence Works reported. The exploit was carried in specially crafted data packets sent over the call’s connection, the malware was installed even if the target never picked up, and the call was then deleted from the log. The attacker could then access data, including call logs, messages and location, as well as device functions, such as the camera and microphone.

Another attack involved vulnerabilities in a Wi-Fi chipset used in gaming consoles, streaming devices, laptops and some smart home devices, Help Net Security reported.

These attacks thrive on the proliferation of mobile devices. Statista projects that the number of smartphones alone will reach 3.8 billion by 2021. Attackers take advantage of the devices themselves, of vulnerabilities in cellular and Wi-Fi connectivity, and of the trove of valuable data the devices hold. Many of us carry as much personal and confidential information in a purse or pocket as we store on the desktop at home.

How to Prepare for Zero-Click Cyberthreats

The reason large numbers of zero-click attacks haven’t been identified is not a lack of vulnerabilities, according to Wired; they are simply hard to detect. Users of infected Apple devices, for instance, might notice only a temporary slowdown or a sudden crash of the Mail app. The malicious content, whether an email, a message or a call, won’t necessarily remain on the device. ZecOps noted, for example, that although forensic data confirmed the targeted Apple devices had received exploit emails, the emails were no longer present on the mail server.

The features that make software more secure can also make zero-click attacks harder to detect. Because iMessages are end-to-end encrypted, for example, neither Apple nor security monitoring firms can easily inspect a customized zero-click message in transit. Even the least sophisticated attacks leave few clues. Crash logs are a good starting point: repeated or unexplained crashes of the process that parses incoming messages (the Mail app or its background daemon, in the ZecOps case) are the kind of abnormality that can indicate exploitation attempts.
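To make that concrete, here is an added triage example, not code from the page’s sources or from ZecOps, that walks a set of iOS-style crash reports and flags a message-handling process with repeated memory-access faults. The sample reports are constructed; the watchlist of processes (the two Mail processes named above) and the crash threshold are assumptions to tune for your fleet; the field names follow the `Process:` / `Exception Type:` layout of Apple crash reports, and the parser matches keys only at the start of a line so that `Parent Process:` is not mistaken for `Process:`.

```c
#include <stdio.h>
#include <string.h>

/* Added triage example: find message-parsing processes that keep dying with
 * memory faults, the symptom a failed exploit attempt is most likely to leave. */

#define CRASH_THRESHOLD 2   /* assumed: crashes per process before we flag it */

/* Processes that parse incoming mail before the user sees it. */
static const char *const WATCHLIST[] = { "maild", "MobileMail" };
#define WATCHLIST_N (sizeof WATCHLIST / sizeof WATCHLIST[0])

/* Constructed sample reports (not real device data), trimmed to the header
 * fields the triage reads plus a Parent Process line to exercise the parser. */
static const char *const SAMPLE[] = {
    "Process:         maild [412]\nParent Process:  launchd [1]\n"
    "Exception Type:  EXC_BAD_ACCESS (SIGSEGV)\n",
    "Process:         maild [517]\nParent Process:  launchd [1]\n"
    "Exception Type:  EXC_BAD_ACCESS (SIGSEGV)\n",
    "Process:         MobileMail [622]\nParent Process:  launchd [1]\n"
    "Exception Type:  EXC_CRASH (SIGABRT)\n",
    "Process:         SpringBoard [58]\nParent Process:  launchd [1]\n"
    "Exception Type:  EXC_BAD_ACCESS (SIGSEGV)\n",
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Copy the value of the line beginning with `key` into out; 0 if absent. */
static int get_field(const char *rec, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    const char *line = rec;
    while (line && *line) {
        if (strncmp(line, key, klen) == 0) {
            const char *p = line + klen;
            while (*p == ' ' || *p == '\t') p++;
            size_t i = 0;
            while (*p && *p != '\n' && i + 1 < outsz) out[i++] = *p++;
            out[i] = '\0';
            return 1;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return 0;
}

/* "maild [412]" -> "maild" */
static void proc_name(const char *field, char *out, size_t outsz) {
    size_t i = 0;
    while (field[i] && field[i] != ' ' && field[i] != '[' && i + 1 < outsz) {
        out[i] = field[i];
        i++;
    }
    out[i] = '\0';
}

/* Number of reports for `proc` whose exception is a memory access fault. */
int count_memory_crashes(const char *const *records, size_t n, const char *proc) {
    int hits = 0;
    char field[128], name[64];
    for (size_t i = 0; i < n; i++) {
        if (!get_field(records[i], "Process:", field, sizeof field)) continue;
        proc_name(field, name, sizeof name);
        if (strcmp(name, proc) != 0) continue;
        if (!get_field(records[i], "Exception Type:", field, sizeof field)) continue;
        if (strncmp(field, "EXC_BAD_ACCESS", 14) == 0) hits++;
    }
    return hits;
}

/* Flag only watched (message-parsing) processes that crash repeatedly. */
int is_suspicious(const char *const *records, size_t n, const char *proc) {
    int watched = 0;
    for (size_t i = 0; i < WATCHLIST_N; i++)
        if (strcmp(WATCHLIST[i], proc) == 0) watched = 1;
    return watched && count_memory_crashes(records, n, proc) >= CRASH_THRESHOLD;
}

int main(void) {
    for (size_t i = 0; i < WATCHLIST_N; i++)
        printf("%-12s memory faults: %d  suspicious: %s\n", WATCHLIST[i],
               count_memory_crashes(SAMPLE, SAMPLE_N, WATCHLIST[i]),
               is_suspicious(SAMPLE, SAMPLE_N, WATCHLIST[i]) ? "yes" : "no");
    return 0;
}
```

On a real fleet you would feed it the crash reports collected through your MDM or from device sync backups, and add a time window so that two faults a year apart don’t trip the threshold; the heuristic is intentionally narrow, since a single crash of a mail daemon is noise while a cluster of memory faults in the one process that parses untrusted input is worth a closer look.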

To protect against zero-click attacks, basic cyber hygiene is a start. Keep the operating system, firmware and apps on all devices up to date, and install updates as soon as you are prompted. Download apps only from official stores and uninstall apps you no longer use. Be wary of requests for permission to install new apps, download unknown files or click on suspicious links.

Use your device’s password protection, and turn off automatic Wi-Fi and Bluetooth connections. Don’t jailbreak your phone to get paid apps for free, because you also remove the protections provided by Apple and Google.

Zero-click attacks are deceptive, dangerous and growing as the mobile attack surface expands. For now, stay aware of the zero-click threat, take precautions to secure your mobile device and stay up to date on novel attacks. Also realize that as the mobile phone has become more and more indistinguishable from a computer, your enterprise needs to take mobile security just as seriously as desktop and laptop security.
