Demystifying zero-click attacks

This is a guest article written by David Balaban. The author’s views are entirely his own and may not reflect the views of IT Governance USA.

Security awareness traditionally revolves around the personal online hygiene mantra, with a bunch of dos and don’ts at its core. To thwart cyber attacks and steer clear of malware, users are told to be proactively prudent and avoid clicking suspicious links, ignore dubious email attachments, and say no to software bundles that may be riddled with dangerous code.

These techniques are undoubtedly worthwhile and work wonders when it comes to mainstream cyber incursions. However, vigilance alone is no longer enough to stay safe. A zero-click attack completely eliminates the human factor from the equation, instead relying on software and/or hardware flaws to gain a foothold on a device and execute a sketchy payload or steal data behind the user’s back. Essentially, it is an interactionless raid, and there is nothing a victim can do once they are in a motivated malefactor’s spotlight.


Although zero-click attacks are not new, they do not hit the headlines nearly as much as classic malware outbreaks, ransomware onslaughts, data breaches, phishing, and other attacks. However, the fact that this attack vector is eclipsed by more prominent ones does not mean it is a marginal threat. In fact, the issue has escalated with the booming use of smartphones that store a goldmine of personal data that cyber crooks may want to obtain.

Let’s dive into the logic of zero-click exploitation and execution mechanisms.

Zero-click attacks 101

The main prerequisite for pulling off a successful zero-click compromise is a specially crafted chunk of data sent to a target device over a wireless connection such as Wi-Fi, NFC, Bluetooth, GSM, or LTE. This then triggers an unknown or scarcely documented vulnerability at the hardware or software level.

For instance, the vulnerability may be exploited when the incoming information is processed by the SoC (system on a chip) component. In many scenarios, the insidious data goes further and triggers a vulnerability when it is interpreted by a specific target application, such as an email client, messaging app, calling service, or SMS/MMS handler, as that application converts the data into a human-readable form.

The post-exploitation stage kicks in as the payload executes predefined commands. The scariest thing is that this technique does not rely on a single click, tap, or link hit on the user’s end. This makes the intrusion incredibly hard to thwart, and blaming the victim’s lack of caution is a mistake. In many cases, the recipient does not even have to open the booby-trapped message.

What kind of data can fire up such an anomalous response from a receiving device? It can be a series of network packets, authentication requests, text messages, MMS, voicemail, video conferencing sessions, phone calls, or messages sent over Skype, Telegram, WhatsApp, etc. All of these can exploit a vulnerability in a chip’s firmware or in the code of an application tasked with processing the data.

From a malefactor’s perspective, the beauty of a zero-click attack is that they don’t have to boil their efforts down to social engineering or ‘spray and pray’ practices (like recent COVID-19-themed phishing) with a low success rate. The foul play is surreptitious, so the victim may be unaware of it indefinitely.

Mind-boggling attack surface

One of the most prominent zero-click exploits unveiled in recent years was a WhatsApp flaw that allowed an Israeli cyber actor to deposit spyware onto smartphones belonging to human rights activists. Described as a “buffer overflow vulnerability in Voice over Internet Protocol (VoIP)”, it would activate when a target Android or iOS gadget received a WhatsApp voice call poisoned with rogue data packets.

The trick could work even if the victim did not pick up the phone. Furthermore, the incoming call would be removed from the call log once the malware was inside. As a result, the adversary could piggyback on the unauthorized access to control the device’s camera, microphone, messages, and call logs, and to retrieve geolocation data.

Last year, security analysts discovered another flaw that could fuel zero-click attacks against a wide range of laptops, media streaming devices, and smartphones. This was a combination of RCE (remote code execution) and denial-of-service bugs in ThreadX firmware deployed on the popular Marvell Avastar Wi-Fi chipset. The backdoor would be stealthily opened when a device equipped with the vulnerable wireless SoC was running a scan for available networks. The attack could be successful even if the device was not connected to any Wi-Fi network and, to top it off, did not require any authentication details such as the network name and login password.

According to findings published by Google’s Project Zero analysts in August 2019, the iMessage client built into iOS devices was susceptible to a “fully remote” attack. All it took was sending a specially composed message to a victim’s iPhone. This would invoke an iMessage bug that became a launchpad for several post-exploitation scenarios – whether the victim opened the app or not. The server would respond to this fraudulent message by automatically submitting the content of the user’s SMS and images back to the threat actor. Furtive injection of malicious code into the device was another potential outcome.

If weaponized, some of these imperfections could affect millions of unsuspecting users. Although these bugs were fixed shortly after they gained publicity, the fact that similar weaknesses are constantly emerging is a serious problem.

The bar is getting lower

On the whole, the hardware and software bugs used in these incursions are exceptional, and highly valued among cyber criminals. Their price can reach millions of dollars. This explains why such exploits are usually the prerogative of exploit vendors and high-profile malicious actors with unlimited budgets, such as government-funded hacker groups.

However, this is not always the case. Sometimes the attack does not have to be highly sophisticated or 100% successful. Even if it is less effective, criminals can try it again as long as the target does not notice it.

In late April 2020, researchers at cybersecurity firm ZecOps found three flaws in the iOS Mail app that expose Apple’s mobile devices to furtive data theft. These bugs have been around since the release of iOS 6 back in 2012, and even the latest version, iOS 13, continues to be vulnerable. The trigger is a peculiar email sent to a device. It can be a very large message or one that congests the RAM with RTF (Rich Text Format) elements. The aim is to cause a buffer overflow in the Mail client.

By cramming the memory with arbitrary digital junk, the malefactor overwrites legitimate code with offensive data and manipulates the app to execute it automatically. The flaw is trivial to exploit and it does not take a state-level offender to orchestrate the attack. The recipient does not need to open the email and is not likely to notice the shady activity.
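The article's two recurring failure modes (the VoIP call poisoned with rogue packets and the oversized Mail message) share one root cause: an application parses a length it read from untrusted data and copies that many bytes into a fixed-size buffer without checking. The following C snippet is an added illustration, not code from the article, from WhatsApp, or from Apple. It uses a hypothetical, constructed wire format (a 16-bit length prefix followed by the body) and shows the unchecked parser beside a hardened one that validates the declared length against both the bytes actually received and the capacity of the destination buffer. Only the checked parser is ever fed the malformed sample packet.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format, constructed for this example (not any real
 * messenger's protocol):  [u16 big-endian body_len][body bytes ...] */
#define MAX_BODY 64

struct message {
    uint16_t body_len;
    char body[MAX_BODY];
};

/* Vulnerable version: trusts the length field carried in the untrusted
 * packet. A packet declaring body_len > MAX_BODY makes memcpy write past
 * the end of msg->body (a buffer overflow), and body_len > pkt_len makes
 * it read past the end of the received packet. This is the shape of the
 * parsing bug the article describes; it must never run on untrusted data. */
int parse_message_unchecked(const uint8_t *pkt, size_t pkt_len,
                            struct message *msg)
{
    if (pkt_len < 2)
        return -1;
    msg->body_len = (uint16_t)((pkt[0] << 8) | pkt[1]);
    memcpy(msg->body, pkt + 2, msg->body_len);   /* no bounds check */
    return 0;
}

/* Hardened version: the declared length is validated against both the
 * bytes actually received and the size of the destination buffer before
 * any copy happens. A malformed packet is rejected rather than parsed,
 * which is exactly the check whose absence lets a crafted message
 * corrupt memory without any user interaction. */
int parse_message_checked(const uint8_t *pkt, size_t pkt_len,
                          struct message *msg)
{
    if (pkt == NULL || msg == NULL || pkt_len < 2)
        return -1;
    uint16_t declared = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (declared > MAX_BODY)              /* would overflow msg->body */
        return -1;
    if ((size_t)declared > pkt_len - 2)   /* would read past the packet */
        return -1;
    msg->body_len = declared;
    memcpy(msg->body, pkt + 2, declared);
    return 0;
}

/* Constructed sample packets. */
static const uint8_t good_pkt[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Declares a 1000-byte body but carries only 3 bytes. */
static const uint8_t bad_pkt[]  = { 0x03, 0xE8, 'A', 'B', 'C' };

int main(void)
{
    struct message m;
    printf("good packet, checked parser: %d\n",
           parse_message_checked(good_pkt, sizeof good_pkt, &m));
    printf("bad packet, checked parser:  %d\n",
           parse_message_checked(bad_pkt, sizeof bad_pkt, &m));
    return 0;
}
```

The detection and mitigation angle is the same in both of the article's cases: the fix is a bounds check at the point where attacker-controlled length or size fields meet fixed-size memory, and a parser that rejects the malformed input outright gives the rest of the application nothing to execute.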

Fortunately, the impact of this attack is isolated to the Mail app only. It allows the crook to steal, modify, and delete your messages. However, to gain a foothold on the entire device, they would need to lace the onslaught with an extra bug, which is expensive to acquire and use.

How to stay safe?

Most of these onslaughts zero in on specific victims such as government officials, corporate executives, and journalists. However, anyone is a target. As the iOS Mail bug demonstrates, exploitation techniques are not necessarily top-notch and costly.

Zero-click attacks cannot be spotted with the naked eye, so users should protect themselves proactively. The most effective method is to keep the operating system and third-party software on your devices up to date. As vendors learn about new weaknesses in their applications, they roll out patches to address them.

When installing a new app, be sure to read the fine print and examine the permissions it asks for. Also, do not jailbreak your devices – this reduces the effectiveness of the controls and restrictions built into the firmware. Enabling native encryption features for sensitive information will further enhance your security practices, though it is also essential to back up your valuable data so that you can recover it in the worst-case scenario.
