Mobile Vulnerability and the Zero Click Menace


As more corporations build smarter digital systems, the threat of more sophisticated cyber-attacks grows. In 2021 alone, the number of recorded zero-day hacks has grown at an alarming rate. These zero-days put organizational data in a critical position, because defenders are given “zero days” to patch and implement security measures against these destructive attacks.

According to the MIT Technology Review, cybersecurity organizations have documented over 66 zero-days this year, nearly doubling last year’s record of 37 cases.

The most prolific class of zero-day hacks in 2021 is the zero-click attack. As the name suggests, these attacks require no action from the victim and usually target mobile devices. A zero-click attack can begin with nothing more than receiving a blank message, seeing a missed call from an unknown number, or being within range of a Wi-Fi SSID. In most cases the user deletes the message, ignores the missed call or SSID, and moves on, treating the situation as innocuous and dealt with. But by then the threat has already infiltrated the target’s mobile device, in the split second in which the user received, saw, or came within range of the source of the attack.

The vulnerable devices and their targeted users

In September 2021, the growing concern around zero-click attacks was highlighted once more. Researchers from the Citizen Lab at the University of Toronto discovered a zero-day, zero-click exploit against Apple iOS, macOS, and watchOS devices, delivered through iMessage. The exploit (named FORCEDENTRY) was discovered after the researchers analyzed the infected phone of an anonymous Saudi activist.

The incident came as a shock to general users and high-level cybersecurity organizations alike, given that iOS devices are generally considered more secure than Android devices. According to cybersecurity enterprise Norton, Android gadgets are usually more susceptible to hackers because Android is the most widely used operating system and relies on open-source code. iOS devices are different: they run closed-source code, and iOS is exclusive to Apple gadgets. Still, these security measures did not make iOS devices immune to cyber threats.

Regardless of whether the user owns an Android or iOS mobile device, hackers can still infiltrate these personal gadgets. Who owns the gadget also plays a large part in zero-click attacks. Based on studies by cyber analysts, the usual targets of these exploits are human rights activists, politicians, journalists, corporate executives, and other individuals who hold crucial positions in large public or private enterprises. These attacks are also not limited to the devices’ operating systems; zero-click attacks can also reach applications, browsers, hardware and firmware, and IoT devices.

Dangerous zero-click capabilities

Without any intervention, targeted users can go for days, months, or even years without noticing any sign that their most private mobile information is already being viewed, listened to, or downloaded by cybercriminals. As reported by US news website The Guardian, zero-click attackers gain administrative access to browse and download any data from the following mobile elements:

  • Photos and videos
  • SMS
  • Emails
  • Chats
  • Calendars
  • Contacts
  • GPS Data

In addition, Citizen Lab researchers reported that zero-click hackers gain root privileges that allow them to:

  • Record ambient audio
  • Track the device’s location
  • Record encrypted phone calls
  • Take pictures using the gadget’s camera
  • Access passwords and all stored credentials on the device

Unfortunately, users cannot directly stop these attacks, unlike spear phishing, where human error is the key to a successful infiltration. To protect against phishing, the user can simply delete the message or avoid clicking on suspicious links. Zero-click victims, by contrast, can only rely on software and device manufacturers to detect the attack and protect what remains of their already-compromised data.

Defenses against zero-click attacks

Targeted individuals within an enterprise can only wait for software patches to stop zero-click exploits. Even so, the organization as a whole can still make additional efforts that strengthen its measures against zero-day, zero-click cases and keep normal business operations running.

Use hybrid detection techniques and strategies.

While the researchers at Citizen Lab have chosen to publish only limited information about how the iOS zero-click attack was detected, organizations can still detect other suspicious system activity that may signal a zero-day, zero-click incident. Cyber solutions corporation Kaspersky suggests that organizations adopt a hybrid of different detection systems to secure enterprise data.

Among the techniques enterprises can use, two focus on existing malware databases and on software that is already installed. Although zero-day, zero-click attacks are by definition unknown, malware databases remain useful references for recognizing suspicious or unexpected system behavior. Software already running on a device also deserves as much scrutiny as incoming new files and software. Given the stealthy nature of zero-click attacks, the interactions between existing applications may also give clues to other possible zero-day cases.
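The hybrid approach described above, as an added example that is not part of the original article or of Kaspersky’s or Citizen Lab’s tooling: a signature pass compares events against a known-bad list (the “malware database”), and a baseline pass flags installed software that contacts a destination or spawns a child outside its expected profile. Every hash, domain, process name and event below is a constructed placeholder, not a real indicator.

```python
"""Hybrid detection sketch: known-IoC matching plus baseline-deviation
checks on software that is already installed.

Added example; not code from the original article. All indicators,
baseline profiles and events are constructed placeholders."""
from dataclasses import dataclass

# Constructed "malware database": what a blocklist feed might carry.
KNOWN_BAD_HASHES = {"deadbeef" + "0" * 52 + "cafe"}   # placeholder SHA-256
KNOWN_BAD_DOMAINS = {"bad-example.invalid"}           # placeholder domain

# Constructed baseline for existing software: the network destinations
# and child processes each application is expected to use.
BASELINE = {
    "messaging-app": {"domains": {"msg.example.com"}, "children": set()},
    "mail-app": {"domains": {"mail.example.com"}, "children": set()},
}


@dataclass
class Event:
    process: str   # name of the application that generated the event
    kind: str      # "net" (outbound connection), "exec" (child spawned), "file" (file written)
    value: str     # domain, child process name, or file hash, depending on kind


def signature_findings(events):
    """Known-bad matching: cheap, precise, but blind to anything not yet listed."""
    out = []
    for e in events:
        if e.kind == "file" and e.value in KNOWN_BAD_HASHES:
            out.append(f"signature: {e.process} wrote known-bad hash {e.value[:12]}...")
        if e.kind == "net" and e.value in KNOWN_BAD_DOMAINS:
            out.append(f"signature: {e.process} contacted known-bad domain {e.value}")
    return out


def baseline_findings(events):
    """Behavioral matching: flags existing software doing something outside
    its profile, which is how an unknown exploit can still surface."""
    out = []
    for e in events:
        profile = BASELINE.get(e.process)
        if profile is None:
            out.append(f"baseline: unknown process {e.process!r} seen ({e.kind}={e.value})")
            continue
        if e.kind == "net" and e.value not in profile["domains"]:
            out.append(f"baseline: {e.process} contacted unexpected domain {e.value}")
        elif e.kind == "exec" and e.value not in profile["children"]:
            out.append(f"baseline: {e.process} spawned unexpected child {e.value}")
    return out


def hybrid_detect(events):
    """Run both passes; either one alone would miss part of the sample."""
    return signature_findings(events) + baseline_findings(events)


# Constructed sample telemetry: one benign event, then four that should fire.
SAMPLE_EVENTS = [
    Event("messaging-app", "net", "msg.example.com"),          # expected, no finding
    Event("messaging-app", "net", "unknown-cdn.example.net"),  # baseline: unexpected domain
    Event("messaging-app", "exec", "helper-bin"),              # baseline: unexpected child
    Event("mail-app", "file", "deadbeef" + "0" * 52 + "cafe"),  # signature: known-bad hash
    Event("svc-x", "net", "bad-example.invalid"),              # signature + unknown process
]

if __name__ == "__main__":
    for finding in hybrid_detect(SAMPLE_EVENTS):
        print(finding)
```

The signature pass alone would report only the last two events; the baseline pass alone would miss the known-bad hash. Running both is the point of a hybrid setup: the malware database catches what is already catalogued, and the profile of existing software catches a messaging or mail client that starts behaving in ways it never did before.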

Establish internal and external policies and protocols.

Cybersecurity experts strongly advise highly targeted executives, and even non-targeted personnel, to assume that their devices are already compromised. Simple measures such as a “no phone usage” policy during organizational meetings can prevent attackers from recording or listening in on confidential information. As technology enterprise Toolbox states, meetings are a key target for zero-click attacks, so even the phones of the executive board and VIPs should be kept out of conference rooms.

Organizations should also establish clear cybersecurity procedures across the entire workforce. A single compromised device, even one belonging to the company’s most loyal employee, can trigger a destructive security breach; thus, enterprises should encourage all employees to follow even basic cybersecurity measures.

Basic cybersecurity workforce protocols

Here are simple and personal cyber protection procedures for the entire organization.

  1. Check and update all device operating systems and applications.
  2. Use premium, secure, and essential company-approved work applications.
  3. Turn off automatic Wi-Fi and Bluetooth connections for work devices.
  4. Enable multi-factor authentication for all workplace devices.
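The four protocols above, expressed as a device-posture check, as an added example that is not part of the original article: each inventory record is tested against a minimum OS version, a company app allowlist, the automatic Wi-Fi and Bluetooth settings, and the MFA flag. The minimum versions, allowlist and device records are constructed assumptions, not values from the article.

```python
"""Device-posture audit for the workforce protocols: OS up to date,
approved apps only, no automatic Wi-Fi/Bluetooth, MFA enabled.

Added example; not code from the original article. Policy values and
inventory records are constructed placeholders."""

# Constructed policy inputs (assumed values, not from the article).
MIN_OS_VERSION = {"ios": "15.0.2", "android": "12"}
APPROVED_APPS = {"mail-app", "chat-app", "vpn-client"}


def parse_version(version):
    """Turn '15.0.1' into (15, 0, 1) so versions compare numerically;
    a plain string compare would wrongly sort '15.10' before '15.9'."""
    return tuple(int(part) for part in version.split("."))


def check_device(device):
    """Return the list of policy findings for one inventory record."""
    findings = []
    os_name = device["os"]
    minimum = MIN_OS_VERSION.get(os_name)
    if minimum is None:
        findings.append(f"unsupported OS {os_name!r}")
    elif parse_version(device["os_version"]) < parse_version(minimum):
        findings.append(f"OS {device['os_version']} below minimum {minimum}")
    unapproved = sorted(set(device["apps"]) - APPROVED_APPS)
    if unapproved:
        findings.append("unapproved apps: " + ", ".join(unapproved))
    if device["wifi_auto_join"]:
        findings.append("automatic Wi-Fi join enabled")
    if device["bluetooth_auto_connect"]:
        findings.append("automatic Bluetooth connect enabled")
    if not device["mfa_enabled"]:
        findings.append("multi-factor authentication not enabled")
    return findings


def audit(inventory):
    """Map each device id to its findings; an empty list means compliant."""
    return {d["id"]: check_device(d) for d in inventory}


# Constructed inventory: one non-compliant iPhone, one compliant one,
# one Android tablet failing three checks.
SAMPLE_INVENTORY = [
    {"id": "exec-phone-1", "os": "ios", "os_version": "15.0.1",
     "apps": ["mail-app", "chat-app", "random-game"],
     "wifi_auto_join": True, "bluetooth_auto_connect": False, "mfa_enabled": True},
    {"id": "exec-phone-2", "os": "ios", "os_version": "15.1",
     "apps": ["mail-app"],
     "wifi_auto_join": False, "bluetooth_auto_connect": False, "mfa_enabled": True},
    {"id": "field-tablet", "os": "android", "os_version": "11.5",
     "apps": ["vpn-client"],
     "wifi_auto_join": False, "bluetooth_auto_connect": True, "mfa_enabled": False},
]

if __name__ == "__main__":
    for device_id, findings in audit(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{device_id}: {status}")
```

A real deployment would pull the records from an MDM export rather than a hard-coded list, but the checks themselves do not change: the version comparison is the one that most often goes wrong when written as a string compare, which is why it is isolated in its own function.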

Corporations will not see the last of zero-day, zero-click exploits. Each new device feature means new ways to discover vulnerabilities. Cybercriminals can also resort to even stronger security breaches, such as building multiple exploit chains to increase their opportunities to intrude into the personal devices of targeted users. But even with looming threats, the best thing organizations can do is to continue equipping their entire workforce with smarter cyber solutions and better recovery operations.


Reference Links

https://www.technologyreview.com/2021/09/23/1036140/2021-record-zero-day-hacks-reasons/

https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/

https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/

https://me-en.kaspersky.com/resource-center/definitions/zero-day-exploit

https://www.toolbox.com/tech/iot/guest-article/from-iphone-to-spyphone-strategies-to-prevent-spyware-attacks/

Patricia Mae M. Estenoso, Creative Copywriter, CXO Connect ME