For years, the statistics have told us that human error is the greatest contributor to cyberattacks. We’ve stressed the importance of training, training and more training to prevent the almost inevitable from happening. We’ve been convinced that the key to defending against cyberthreats is to keep the unsuspecting from clicking on phishing emails and infecting devices and systems with malware.

That’s still important, but against one cyberthreat that’s been in the news recently, all that effort would do no good. Zero-click attacks don’t require human error or even human interaction. These attacks depend on specially formed data (like that used for emails, SMS messages, MMS messages, voice messages and calls) carrying code that can compromise your system. Vulnerable systems are generally communication platforms for email and messaging that receive data before determining whether the delivery is trustworthy.

Cybercriminals prize these attacks, according to Wired: getting a target to click is never certain, and less interaction makes identifying the perpetrators of malicious activity even more daunting.

How Zero-Click Attacks Work

A zero-click attack identified by ZecOps shows how the threat can work in the wild. The vulnerability affects the Mail app in Apple iPhones and iPads. ZecOps observed that cyberattackers could trigger the vulnerability by sending a carefully crafted message to a target’s mailbox. The vulnerability has existed since September 2012, when Apple released the iPhone 5 with iOS 6.

When the target opens the message in the iOS MobileMail application on iOS 12 or maild on iOS 13, the vulnerability lets malicious actors infect the device remotely via emails that consume extensive memory. The email itself doesn’t need to be large, according to ZecOps — just large enough to consume sufficient RAM. Even before the entire email is downloaded, the vulnerability can be triggered.

Starting with iOS 13, the vulnerability enables zero-click attacks when the Mail app is opened in the background. Cyberattackers can then read, edit, leak or delete emails within the Mail app. The attackers won’t gain full control of the targeted device, however. For that, ZecOps agrees with Apple that attackers would require an additional infoleak bug and kernel bug.

Apple patched the vulnerability in iOS 13.4.5 beta on April 16, 2020, although the patch is not yet available in the general availability version. If you can’t use the beta version, ZecOps suggests disabling the Mail application and considering Outlook, Edison Mail or Gmail, which are not vulnerable. But until a patch is available, malicious actors may use the time to attack as many devices as possible.

The Insidious Spread of Zero-Click Attacks

The iPhone and iPad zero-click vulnerability is not the only one recently discovered. In January 2020, Samsung thanked security researcher Mateusz Jurczyk with Google’s Project Zero bug-hunting team for finding a vulnerability that allowed attackers to exploit how the Android graphics library handles images, SC Magazine reported. This enabled zero-click attacks on Samsung mobile phones running Android version 4.4.4 or later. Successful attacks would eventually give the hacker access to the same privileges as the owner, including call logs, contacts and SMS.

In May 2019, a WhatsApp breach used the app’s voice call function to ring a target’s phone, The Defence Works reported. The attack installed malware, even if the target didn’t pick up, and then deleted the call. Infected data packets containing software code were hidden in the internet connection between the caller’s and receiver’s phones. The hacker could then take control of data, including call logs, messages and locations, as well as functions, such as the camera and microphone.

Another attack involved vulnerabilities in a Wi-Fi chipset used in gaming, streaming, laptops and some smart home devices, Help Net Security reported.

These attacks thrive on the proliferation of mobile devices. Statista projects that the number of smartphones alone will reach 3.8 billion by 2021. Cyberthreats take advantage of the devices themselves, network coverage and Wi-Fi vulnerabilities, and the trove of valuable data the devices hold. Many of us carry as much personal and confidential information in our purse or pocket as we store on our desktop at home.

How to Prepare for Zero-Click Cyberthreats

The failure to identify large numbers of zero-click attacks is not due to a lack of vulnerabilities, according to Wired. The attacks are simply hard to detect. Users of infected Apple devices, for instance, might notice only a temporary slowdown or sudden crash of the mobile mail app. The content (an email, message or call) won’t necessarily remain on the device. For example, ZecOps noted that although data confirms the targeted Apple devices received exploit emails, the emails weren’t present on the mail server.

The features that make software more secure can make zero-click attacks harder to detect. Due to the end-to-end encryption of iMessages, for example, Apple or security monitoring firms can find it challenging to spot customized zero-click messages. Even the least sophisticated attacks leave few clues. Crash logs can be a good starting point to look for abnormalities that might indicate malicious activity.
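One way to start on the crash-log review suggested above, added here as an illustration and not taken from ZecOps or Apple: flag clusters of crashes in the Mail processes the article names. It assumes each collected report begins with a one-line JSON header carrying `app_name` and `timestamp`, as iOS `.ips` crash reports do; the sample reports are constructed, and the one-hour window and threshold of three are arbitrary starting values.

```python
import json
from datetime import datetime, timedelta

# Mail processes named in the article: MobileMail (iOS 12) and maild (iOS 13).
MAIL_PROCESSES = {"MobileMail", "maild"}

def parse_header(report_text):
    """Return (app_name, timestamp) from the first-line JSON header, or None if malformed."""
    lines = report_text.strip().splitlines()
    if not lines:
        return None
    try:
        header = json.loads(lines[0])  # assumed header layout, see lead-in
        when = datetime.strptime(header["timestamp"], "%Y-%m-%d %H:%M:%S.%f %z")
        return header["app_name"], when
    except (ValueError, KeyError, TypeError):
        return None

def mail_crash_bursts(reports, window=timedelta(hours=1), threshold=3):
    """Return groups of mail-process crash times with >= threshold crashes inside one window."""
    times = sorted(
        parsed[1] for parsed in map(parse_header, reports)
        if parsed and parsed[0] in MAIL_PROCESSES
    )
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append(times[i:j + 1])
            i = j + 1  # each crash is reported in at most one burst
        else:
            i += 1
    return bursts

# Constructed sample reports: header line plus a placeholder body.
SAMPLE_REPORTS = [
    '{"app_name":"maild","timestamp":"2020-04-20 09:01:10.00 +0000"}\n(body omitted)',
    '{"app_name":"maild","timestamp":"2020-04-20 09:12:45.00 +0000"}\n(body omitted)',
    '{"app_name":"Camera","timestamp":"2020-04-20 09:20:00.00 +0000"}\n(body omitted)',
    '{"app_name":"maild","timestamp":"2020-04-20 09:40:03.00 +0000"}\n(body omitted)',
    '{"app_name":"MobileMail","timestamp":"2020-04-22 18:00:00.00 +0000"}\n(body omitted)',
    'not a crash report',
]

if __name__ == "__main__":
    for burst in mail_crash_bursts(SAMPLE_REPORTS):
        print(f"{len(burst)} mail crashes between {burst[0]} and {burst[-1]}")
```

A burst is only a lead for closer inspection of the reports involved; ordinary bugs crash mail clients too.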

To protect against zero-click attacks, basic cyber hygiene is a start. Keep the operating system, firmware and apps on all devices up to date as soon as prompted. Download apps only from official stores and uninstall apps you no longer use. Beware of requests for permission to install new apps, download unknown files or click on suspicious links.

Use your device password protection, and turn off automatic Wi-Fi and Bluetooth connections. Don’t jailbreak your mobile phone to download apps for free, because you’ll also remove the protection provided by Apple and Google.

Zero-click attacks are deceptive, dangerous and growing as the mobile attack surface expands. For now, stay aware of the zero-click threat, take precautions to secure your mobile device and stay up to date on novel attacks. Also realize that as the mobile phone has become more and more indistinguishable from a computer, your enterprise needs to take mobile security just as seriously as desktop and laptop security.
