Zero-click hacks are no longer just the stuff of secret agents and sci-fi movies with unrealistic plots. Based on developments in the cyber security world, zero-click hacks have been growing at a steady pace, especially at the most serious end of the spectrum. Such attacks are typically highly targeted and deploy far more sophisticated tactics than the mass cyber attacks we see every day. They can have massive consequences, up to you losing all control over your life without even knowing that something’s wrong in the background.
Exactly what are zero-click hacks?
They are what the name suggests: hacks that can be executed without a single bit of voluntary action on the part of the victim. In typical cyber attacks, breaches and exploits against personal users, hackers lay out traps such as a phishing network, where a user is tricked into clicking on a malicious URL or downloading an attachment that contains macros with embedded malware. In other words, if you become the victim of a “standard” cyber attack, chances are high that at some point you clicked on a malicious link or took some action that triggered the breach. A zero-click hack potentially bypasses all of that.
Therefore, a zero-click hack can be any cyber attack that exploits a flaw in the device you are using, be it iOS or Android, Windows or macOS, and makes use of a data verification loophole to work its way into your system. In simpler terms, most software employs various forms and processes of data verification in order to keep all known cyber breaches outside the door. However, there are still persistent zero-day vulnerabilities that have not been patched yet, which are invaluable resources for cyber criminals. These flaws give hackers a way to execute highly sophisticated cyber attacks that can today be carried out with zero actions on your end.
How do zero-click hacks work?
Take, for instance, the infamous WhatsApp breach in 2019 that was triggered by a missed call. The attack rendered every user defenseless for all practical purposes, since one cannot realistically stop oneself from receiving a missed call. The missed call trick exploited a flaw in the code of WhatsApp, the most popular messaging app in the world. This zero-day exploit (one that targets a vulnerability not previously known or patched) allowed the attacker to load the spyware through the data exchange that the missed call caused between the two devices. Once loaded, the spyware would automatically enable itself as a background resource, embedded deep inside your device’s software framework.
The one key trait of a zero-click hack is its ability to leave behind none of the traces that cyber security agencies use to track sophisticated attacks. A post on zero-click exploits by Bill Marczak, security researcher at The Citizen Lab, says, “The current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a broader industry-wide shift towards more sophisticated, less detectable means of surveillance. Although this is a predictable technological evolution, it increases the technological challenges facing both network administrators and investigators.”
Is there any defense against such hacks?
Marczak and his team further note in the Citizen Lab report that even if there are potential identifiers, these hacks are far, far more complex than any seen before. “While it is still possible to identify zero-click attacks, the technical effort required to identify cases markedly increases, as does the logistical complexity of investigations. As techniques grow more sophisticated, spyware developers are better able to obfuscate their activities, operate unimpeded in the global surveillance marketplace, and thus facilitate the continued abuse of human rights while evading public accountability.”
It is this that poses the biggest challenge to defending against zero-click exploits. Ian Beer, a cyber security expert with Google Project Zero, found a marathon zero-click exploit of iPhones back in 2020, and notably underlined, “The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine. Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.”
Beer suggests that one way to build defenses against zero-click hacks would be for the biggest consumer companies to pool their resources on this front. As he notes, “Sharing information with the security community helps enormously in understanding those tradeoffs. To quantify the true impact requires an estimate of the impact it has on the entire space of vulnerabilities, and it’s in this estimate where the defensive and offensive communities differ. As things currently stand, there are probably just too many good vulnerabilities for any of these mitigations to pose much of a challenge to a motivated attacker. And, of course, mitigations only present in future hardware don’t benefit the billions of devices already shipped and currently in use.”
As things stand, Marczak believes that the biggest problem lies in how difficult zero-click hacks are to identify in the first place, before they can be acted upon. As he says, “The targets may not notice anything suspicious on their phone. Even if they do observe something like ‘weird’ call behavior, the event may be transient and not leave any traces on the device. The shift towards zero-click attacks by an industry and customers already steeped in secrecy increases the likelihood of abuse going undetected.”