Although the » zero day attacks »Are bad enough, they are called that because developers have not had days to deal with the vulnerability before it comes to light, zero-click attacks are concerning in a different way.
Definition of zero click attacks
A lots of common cyberattacks, As the phishing, require the user to perform some kind of action. In these schemes, open an email , downloading an attachment, or clicking a link allows malicious software to access your device. But zero-click attacks require, well, zero user interaction to work.
These attacks do not need to use ” social engineering ” , the psychological tactics bad actors use to get you to click on their malware. Instead, they simply waltz directly on their machine. That makes cyber attacks much more difficult to track and if they fail they can keep trying until they get it, because you don’t know that you are being attacked.
Zero-click vulnerabilities are highly prized down to the nation-state level. Companies like Zerodium that buy and sell vulnerabilities on the black market they are offering millions to anyone who can find them.
Any system that analyzes the data it receives to determine if that data is trustworthy is vulnerable to a zero-click attack. That’s what makes email and messaging apps such attractive targets. Additionally, end-to-end encryption present in applications such as Apple iMessage It makes it difficult to tell if a zero click attack is being sent because the contents of the data packet cannot be seen by anyone other than the sender and receiver.
These attacks don’t usually leave much of a trace either. A no-click email attack, for example, could copy the entire contents of your email inbox before being deleted. And the more complex the application, the more room there is for exploits without clicking.
Clickless attacks in nature
In September, The Citizen Lab discovered a zero click exploit that allowed attackers to install Pegasus malware on a target’s phone using a PDF designed to automatically execute code. The malware effectively turns the smartphone of anyone infected with it into a listening device. Since then, Apple has developed a patch for the vulnerability .
In April, the cybersecurity company ZecOps published an article about various no-click attacks they found in Apple’s Mail app. The cyber attackers sent specially crafted emails to Mail users that allowed them to gain access to the device without any action on the part of the user. And while the ZecOps report says they don’t believe these particular security risks pose a threat to Apple users, exploits like this could be used to create a chain of vulnerabilities that ultimately allow a cyber attack to take over. .
In 2019, attackers used a WhatsApp exploit to install spyware on people’s phones just by calling them. Since then, Facebook has sued spyware vendor held responsible, claiming he was using the spyware to target political dissidents and activists.
How to protect yourself
Unfortunately, since these attacks are difficult to detect and require no user action, it is difficult to protect against them. But good digital hygiene can still make you one less target.
Update your devices and apps with frequency, including the browser you use. These updates often contain exploit patches that bad actors can use against you if you don’t install them. Many victims of WannaCry ransomware attacks, for example, could have prevented them with a simple update. We have guides for update iPhone and iPad apps , update your Mac and installed applications and keep your Android device up to date .
Get a good anti-spyware and anti-malware program , and use it regularly. Use a VPN in public places if you can, and do not enter confidential information such as bank details in a untrusted public connection .
Application developers can help themselves by rigorously testing their products for exploits before releasing them to the public. Bring professional cybersecurity experts and offer rewards for bug fixes it can be of great help in making things safer.
So should you lose sleep over this? Probably not. Zero-click attacks are primarily used against high-profile financial and espionage targets. As long as take all possible steps to protect yourself , you must get it right.