Previously, we’ve warned of caution to be taken over opening email attachments, clicking links and URLs within emails, “macro enable” requests from documents with unknown sources. The thing they all have in common? A user has always had to interact and action something to instigate the attack. Things are changing, and it’s not looking great for the uninformed. What makes this worse is these attacks are far more common than we realise and are difficult to detect. Recently published research from ZecOps finds a collection of vulnerabilities hackers exploit to launch attacks with no victim interaction.
Considerations for Zero Click Attacks
There’s another concerning consideration here too. If you’re not aware of the barrage of attacks underway targeting your device(s), the number of retries is endless for the attacker. There are no warnings, no emails asking if you meant to reset your password, no telltale signs of being exploited. You just don’t know.
Apple is aware of the potential security threat this imposes on their iOS devices and are taking action, developing patches to prevent potential misuse of these threats and exposed communications between ZecOps and Apple conclude that this type of attack is conceptual currently, that additional attack stages would be required to effectively “hack” Apple’s devices as their initial security protocols can defend against the attacks. The more harrowing take away from this though, is that a zero-click attack could provide a hacker with a foothold, the first link to an exploit chain.
The saving grace it would seem from this concerning finding is that the attack is targeted, and only high profile espionage targets are likely to fall victim to this type of attack. Knowing however that these types of attacks exist only illustrate how important it is to continually apply security patches and updates to your devices, its often only a matter of time between complex hacking being required and some clever individual creating a program that simplifies the process and auctions it off on the dark web.