What is Zero Click Hacking & How to Prevent It

Zero click attacks are the real boogeymen of the information security industry because a zero click attack requires no user interaction. Go to the wrong website, download the wrong application, or in extreme cases simply get the wrong SMS text message, and all of a sudden your device is compromised. Serious bad news, and these are real threats that exist in the real world, today.

Zero click attacks are exceedingly dangerous because they do not require any interaction on behalf of the user in order to take place. Nobody has to click a link, open a file, or do any of the other things we’re all trained to pay attention to. This means they can (and regularly do) go undetected, even for long periods of time.

What are Zero Click Hacks?

Zero click hacks are growing in popularity, and a zero click vulnerability is a highly sought after commodity. Threat actors of every description, from the proverbial long hacker in their basement to the most powerful nation states all actively seek out zero click exploits.

To give an idea of how rare and valuable zero click vulnerabilities are, understand that these are the sort of vulnerabilities exploited by governments to install zero click spyware on the devices of people they don’t like. Human rights journalists, for example. You’ve probably read about these sorts of attacks in the news. In part because zero-click hacks are growing in popularity, but also because the NSO group recently made the news for providing software to governments that does these things.

Smartphones are the most popular target for zero click attacks in large part because they are the center of our human interaction with our digital devices. As humans we use our technology to access information from third-party sources, and this is the primary route of attack for zero click hacks.

Zero click attacks sound be distinguished from “zero day” attacks. Zero day attacks are attacks against vulnerabilities which aren’t public disclosed. Zero click attacks are attacks that don’t require user interaction. Most zero day attacks are not zero click attacks. Because of the extreme severity of zero click attacks, however, many zero click attack occur against zero day vulnerabilities, but they don’t have to.

When discovered, zero click attacks tend to become a priority for vendors to patch, and most modern software and devices automatically update themselves. This leads to a narrow window of time in which they are actually useful to attackers…depending on the platform.

Most Android phones get at best 2 years of vendor OS support. This means the most android phones in actual use are not using the latest version of the Android operating system, and a seriously significant percentage of those phones won’t even have a recent security patch. This makes the installed base of Android phones far more vulnerable to all sorts of attacks (including zero click attacks) than iPhones, even if the most up-to-date versions of each were roughly equally secure.

How Does a Zero click Attack Work?

Zero click attacks typically rely on some sort of software vulnerability. It is possible for zero click attacks to execute based on a hardware vulnerability – vulnerable Wi-Fi or cellular radios are an example – but those sorts of attacks are exceedingly rare. By exploiting this vulnerability, attackers can cause compromised devices to something unexpected, with installing malware being the most common outcome.

Most zero click attacks are performed against applications that accept and process some sort of third-party data. When most people think about which kinds of technologies fit this description, top of the list are typically communications technologies. SMS, e-mail, instant messaging, social media, voice call, video conferencing, web browsing, and similar applications all accept data from some third-party and then process it in some fashion.

Technically, however, anything that processes unfiltered third-party data can be vulnerable. There is, for example, a cursed colour that can crash certain Android devices. Simply having this colour present in a background or image is enough to do the job.

If there is a bug anywhere in the data processing software that handles third-party data, then there is always the possibility of something utterly bizarre like a cursed colour causing a vulnerability. If you go back to the early days of the internet, for example, there was the Ping of Death. The Ping of Death took advantage of the fact that several TCP/IP implementations of the time couldn’t handle malformed ICMP packets, so you could remotely crash a computer just by sending it a bogus ping.

Conceptually, the cursed colour and the ping of death are very similar to a zero click vulnerability, except that instead of crashing the target device it makes the target device vulnerable to the installation of malware, and/or the running of malicious code.

Zero click SMS attacks are particularly noteworthy, as they can take place not only without user interaction, but without the user even picking up the device. Modern smartphones scan incoming SMS messages to determine if they’re spam, as well as to decide whether or not do display the SMS in the device’s notification area, meaning that there are potentially multiple different applications that process that SMS message well before a human ever sees it. A well-crafted zero click SMS message can install malware, delete itself, and delete any related notifications before the victim ever knows what happened.

How to Prevent Zero Click Hacking

If you want to protect yourself against zero click attacks, update everything, and do so regularly. Update all your devices. Update all your software. At the end of the day, the whole point of zero click attacks is that they don’t require any user intervention, so patching the devices and applications that might interact silently with third-party data, and reducing the number of applications you have that interact with third-party data, are your only real opportunities to prevent compromise.

The lack of meaningful prevention options makes detection the real defense against zero clicks. You may not be able to defend against the dreaded zero click remote exploit or a maliciously-crafted zero click vulnerability email, but you can but effort into detecting the existence of the compromise after the fact.

Anti-malware solutions are a good starting point. Today’s anti-malware solutions rely not only upon signatures but upon behavioural analysis of running applications. Both are opportunities to catch the bad guys.

While zero click vulnerabilities may be one of the scariest things in all of information security, at the end of the day the attacker has to actually do something with that vulnerability. Execute a command on your device, download some malware…something. It is that “something” which is the opportunity to catch them.

Whatever it is that is done to your device will leave at trail. Malware that’s installed will often leave files on the device’s storage. Commands executed against the device will usually create network traffic that probably connects to some known-bad server somewhere.

In addition to anti-malware solutions you might consider investing in a firewall. There are firewalls that can run on your devices, but there are also firewalls that are installed at the network level. Both should, hypothetically, be able to detect malicious traffic coming from your device, however, not all firewalls will have the ability to provide this level of monitoring or analysis.

Another possible counter to zero clicks is regularly wiping your device. Unless your device has been so thoroughly compromised that there is malware hiding out in some obscure firmware somewhere within the device, then wiping your device and reinstalling everything will get rid of anything that’s been installed by an attacker.

IT departments do this all the time to desktops, laptops, and servers. There is usually some form of “golden image” kept around to restore devices to a “known good” state, and it’s honestly not a bad practice for both organizations and individuals to get into regarding our phones. Yes, you could still be reinfected by a zero click attack after restoring your device to a “known-good” state, but only if that vulnerability remains unpatched. Usually a combination of wiping and restoring your device along with properly updating will clean up any malware that’s been installed.

Conclusion

Emsisoft can help you detect if your endpoint has been compromised, including by zero click attacks. Click here to download!