Beware of zero-click attacks, you may already be infected
The proliferation of mobile networks, Wi-Fi and Near Field Communication (NFC), the growing sophistication of mobile applications, and the ability of phones to process, receive and store confidential information all expand the attack surface and make our mobile devices attractive targets for attackers.
A mobile device can be compromised through a specially crafted SMS or MMS, over a Wi-Fi network, through an NFC chip, or via a messaging application such as iMessage or WhatsApp.
The user may never become aware that the device has been attacked, while the attacker remotely controls some application functions or reads data stored in the device's memory.
The zero-click problem has reached a significant scale in recent years. For example, in May 2020 such a flaw was found to affect most Samsung smartphones released since 2014. Not long ago, a zero-click vulnerability in Hikvision firmware was revealed, with more than 100 million IoT devices exposed to it. The wormable zero-click capable of remotely executing malicious code in Microsoft Teams also caused a lot of concern.
The main difficulty in defending against this type of attack is that no action is required from the user for it to succeed. In most scenarios it is enough for the mobile device to be within range of a wireless connection, or for the attacker to know the target's phone number.
Zero-click attack insights
The goal of a zero-click attack is to stealthily gain control over the victim's mobile device without using social engineering. The human factor is removed on both sides: the attacker does not need to deceive the victim, and the victim does not need to do anything.
An article published by ZecOps researchers gives insights into a zero-click attack based on the MobileMail iOS application. The researchers obtained remote access to the test device while hiding the traces of infection.
In 2015, Edward Snowden warned that government agencies were able to develop previously unknown spyware that could infect a user's device through an ordinary text message.
Well-known examples of the implementation of the attack include the following:
● The alleged hacking of Jeff Bezos's mobile phone in 2018, carried out with a tailor-made video file sent to him via WhatsApp. After the infection, the phone leaked data for several months until the breach was discovered and the phone was submitted for forensic examination.
● In 2019, a WhatsApp vulnerability was exploited to install malware simply by placing a VoIP call to the victim.
It is also worth highlighting the Pegasus spyware found on the mobile devices of French journalists; zero-click attacks are among the methods used to deliver it.
Basic principles of zero-click attacks
In most cases, attacks target applications that exchange text and media messages or make VoIP calls. Such programs usually parse incoming data automatically, as soon as it arrives, and without treating it as hostile. Attackers send specially crafted data, such as a malformed text or media file that triggers a bug in the parser, so that the attacker's code runs while the message is being processed, before the user has even seen it.
Exploiting a vulnerability in a specific application gives the attacker access only to that application. It does not immediately give control over the whole device. Expanding privileges on the victim's device requires exploiting further vulnerabilities at the level of the operating system, or in the peripheral or central processor responsible for handling that application's data.
This significantly complicates the attack and the exploit development process and raises the level of experience demanded of the attacker. If the chain succeeds, however, the attacker gains complete control of the device and access to all its data.
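To make the principle concrete, here is an added example in C, written for this page and not taken from the article, from any messaging app or from the research it cites. It models a chat client that processes an inline thumbnail the moment a message arrives, before anything is shown to the user. The wire format, the inbox_slot layout, the from_trusted_contact field and both sample messages are constructed for the example. The vulnerable parser checks the declared length only against the bytes that were received; the hardened parser also checks it against the destination buffer and rejects the message instead of truncating it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy wire format for an incoming chat message (not a real
 * protocol):  byte 0 = type (2 = text with inline thumbnail),
 *             bytes 1-2 = declared thumbnail length, little-endian,
 *             bytes 3.. = thumbnail data.                                 */
#define THUMB_MAX 32u

/* Receive-side state the app fills in as soon as the message arrives,
 * before the user opens the chat. Right after the thumbnail buffer sits a
 * field the sender must never control: whether the app presents the
 * message as coming from a trusted contact (constructed for the example). */
typedef struct {
    uint8_t  thumb[THUMB_MAX];
    uint32_t from_trusted_contact;   /* 0 = untrusted sender */
} inbox_slot;

static uint16_t declared_len(const uint8_t *msg) {
    return (uint16_t)(msg[1] | ((uint16_t)msg[2] << 8));
}

/* Vulnerable parser. It checks that the declared length does not run past
 * the bytes that actually arrived, but never compares it with the size of
 * the destination buffer. A sender who declares 36 bytes (and sends 36)
 * writes 4 bytes past thumb[] into from_trusted_contact.                 */
int parse_vulnerable(inbox_slot *slot, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 3 || msg[0] != 2) return -1;
    uint16_t n = declared_len(msg);
    if (n > msg_len - 3) return -1;          /* bounds the source only */
    /* The copy goes through a byte pointer to the slot object so the
     * overrun lands, reproducibly, on the next field of the same
     * allocation rather than on whatever happens to follow on the heap. */
    memcpy((uint8_t *)slot + offsetof(inbox_slot, thumb), msg + 3, n);
    return (int)n;
}

/* Hardened parser: the declared length is bounded by both the bytes that
 * arrived and the destination capacity, and a message that lies about its
 * size is rejected outright rather than silently truncated.              */
int parse_hardened(inbox_slot *slot, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 3 || msg[0] != 2) return -1;
    uint16_t n = declared_len(msg);
    if (n > msg_len - 3 || n > THUMB_MAX) return -1;
    memcpy(slot->thumb, msg + 3, n);
    return (int)n;
}

/* Constructed sample messages. BENIGN_MSG declares 4 bytes. CRAFTED_MSG
 * declares 36 and carries 36, so the source-only check passes: the first
 * 32 bytes fill thumb[] and the last 4 overwrite from_trusted_contact.   */
const uint8_t BENIGN_MSG[] = { 2, 4, 0, 0xFF, 0xD8, 0xFF, 0xE0 };
const uint8_t CRAFTED_MSG[] = {
    2, 36, 0,
    0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
    0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
    0x01, 0x00, 0x00, 0x00               /* becomes from_trusted_contact */
};

typedef struct { int rc; uint32_t trusted; } outcome;

/* Feed one message to one parser on a fresh, zeroed slot and report the
 * parser's return code and the trusted flag afterwards.                  */
outcome deliver(int (*parse)(inbox_slot *, const uint8_t *, size_t),
                const uint8_t *msg, size_t msg_len) {
    outcome o = { -1, 0 };
    inbox_slot *slot = calloc(1, sizeof *slot);
    if (slot == NULL) return o;
    o.rc = parse(slot, msg, msg_len);
    o.trusted = slot->from_trusted_contact;
    free(slot);
    return o;
}

int main(void) {
    outcome v = deliver(parse_vulnerable, CRAFTED_MSG, sizeof CRAFTED_MSG);
    outcome h = deliver(parse_hardened,  CRAFTED_MSG, sizeof CRAFTED_MSG);
    printf("vulnerable: rc=%d trusted=%u\n", v.rc, (unsigned)v.trusted);
    printf("hardened:   rc=%d trusted=%u\n", h.rc, (unsigned)h.trusted);
    return 0;
}
```

Nothing in the example requires the user to open the message: the parser runs on receipt, which is exactly the property that makes the bug reachable without interaction. In a real client the memory after the buffer would more likely hold a pointer or an object header than a tidy flag, which is what turns a parsing bug into code execution inside the app's sandbox; the further stages described above (kernel or baseband bugs) are needed to get beyond it. The hardened version rejects the message rather than clamping the length, because a silently truncated thumbnail still means the sender is probing the parser.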
How to implement a zero-click attack?
There are few documented examples of zero-click attacks, since it is rarely possible to establish that an attack took place at all, let alone to prove that control over a device or a data leak resulted from it. For example, the final report of the forensic experts in the case of Jeff Bezos's phone provides no direct evidence of a zero-click attack. It shows only that the device's outbound traffic increased after a suspicious media file was received.
The main evidence of the real or potential use of exploits delivered through zero-click attacks comes from a handful of studies of vulnerabilities in applications, mobile operating systems and mobile hardware. In particular, at Black Hat USA 2019 researchers presented material on possible attacks on the FaceTime application and on Qualcomm chips. Information has also been published about CVE-2019-2009, a vulnerability in the Bluetooth data channel that allowed privilege escalation on Android devices without any involvement of the end user.
The main steps of the attack can usually be described in three points:
- The attacker discovers a new vulnerability in a mobile application, a data transmission channel, the mobile OS, or, in general, anything that can be used to deliver data to a mobile device. In some cases, a vulnerability that was discovered earlier but was not considered usable for zero-click attacks is exploited.
- Taking the properties of the channel into account, a data packet is crafted that exploits the vulnerability and delivers a malicious payload to the victim's device.
- Once the spyware has established itself in the device's OS, the original message is deleted to remove traces of the compromise.
As a result, the initial malicious program is almost impossible to detect, particularly since most mobile devices have no antivirus software beyond what is built in and no system for analysing and filtering network traffic.
Even antivirus software on a mobile device does not guarantee detection of malicious activity when the vulnerability and exploit are unknown: remote control can continue for months without attracting the attention of the device owner.
How to protect against zero-click attacks?
Security experts report that iOS's dominance over Android in terms of information security is long over, and that Google now pays more attention to protection than Apple. On the grey market, a non-interactive (zero-click) exploit for Android costs on average about 30% more than one for iOS, and experts note that finding privilege-escalation vulnerabilities on Android is more complex and expensive. In particular, the exploit broker Zerodium offered $2.5 million for a working non-interactive exploit chain for Android and $2 million for iOS.
Open-source code has its advantages. One example is the hardening of memory handling in programs against integer overflows, which anyone can review and improve. The more specialists study the OS code, the faster vulnerabilities are discovered and eliminated; closed iOS code is reviewed by a limited number of specialists and tends to be patched more slowly.
In general, though, the choice of OS is not decisive, since vulnerabilities occur in any software product.
Here are some general tips on how to minimize the likelihood of becoming a victim of this type of attack:
1. An attacker who does not know about you cannot target you. Keeping the number of individuals, websites and applications that know your phone number small reduces the risk of an attack, and if a device is compromised, it narrows the circle of suspects.
2. Without a communication channel there is no way to deliver malware. If you are not currently using Wi-Fi, NFC or Bluetooth, turn them off. Disable automatic pairing of Bluetooth devices and automatic connection to Wi-Fi hotspots.
3. Do not jailbreak or root your device. Doing so significantly increases the risk: third-party software can not only escalate its privileges more easily but may also act on behalf of the system without exploiting any vulnerability at all.
4. Use official app stores only. This significantly reduces the risk of installing an application with a backdoor or built-in spyware.
5. Fewer applications mean fewer attack vectors. Every unnecessary program on a device increases the likelihood of a vulnerability that can be exploited.
6. Update regularly. Developers do fix vulnerabilities (albeit not always promptly) in supported products.
7. Separate device roles. It is not recommended to use a personal device for work duties or for storing confidential information.
8. Assume you are already compromised. Use your mobile device as if it had already been hacked: discuss important matters in person, and do not store personal or confidential information on the device.
There is no 100% protection against zero-click attacks. You have to rely on the quality of the OS and application code, and on the attacker simply not being interested in you: the cost of compromising your device must not be worth the benefit gained.
Conclusion
At present, a successful non-interactive attack is critically dangerous for the victim, but the likelihood of being targeted is low for most users because workable exploits are complex and expensive to build. Journalists, politicians and business leaders who may hold valuable information on their devices remain at risk.