Institutions and regular web users are always on alert about avoiding errant clicks and downloads online that could lead their devices to be infected with malware. But not all attacks require a user slip-up to open the door. Research published this week by the threat monitoring firm ZecOps shows the types of vulnerabilities hackers can exploit to launch attacks that don’t require any interaction from the victim at all—and the ways such hacking tools may be proliferating undetected.
Vulnerabilities that can be exploited for zero-click attacks are rare and are prized by attackers because they don’t require tricking targets into taking any action—an extra step that adds uncertainty in any hacking scheme. They’re also valuable, because less interaction means fewer traces of any malicious activity. Zero-click exploits are often thought of as highly reliable and sophisticated tools that are only developed and used by the most well-funded hackers, particularly nation state groups.
The ZecOps research suggests a different story, though: Perhaps attackers are willing to settle in some cases for using less reliable, but cheaper and more abundant zero-click tools.
“I think there are more zero-clicks out there. It doesn’t have to be ‘nation state-grade,’” says ZecOps founder and CEO Zuk Avraham. “Most wouldn’t care if it’s not 100 percent successful, or even 20 percent successful. If the user doesn’t notice it, you can retry again.”
Any system that receives data before determining whether that delivery is trustworthy can suffer an interactionless attack. Early versions often involved schemes like sending customized malicious data packets to unsecured servers, but communication platforms for email or messaging are also prime targets for these types of assaults.
The ZecOps research specifically looks at three issues in Apple’s iOS Mail app that could be exploited for zero-click attacks. The vulnerabilities have been in the Mail app since iOS 6, released in September 2012, meaning they have potentially exposed millions of devices over the years. But the bugs don’t allow a full device takeover by themselves. The attack starts with a hacker sending a specially crafted email to their target. In iOS 13, the current version of Apple’s mobile operating system, victims wouldn’t even need to open the email for the attacker to gain a foothold in their device. From there, attackers could potentially exploit other flaws to gain deeper access to the target.
Apple said in a statement that after reviewing the ZecOps research it has concluded that the findings don’t pose “an immediate risk” to iOS users. “The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers,” Apple said.
The ZecOps report agrees. “These bugs alone cannot cause harm to iOS users – since the attackers would require an additional infoleak bug & a kernel bug afterwards for full control over the targeted device,” it says. But the researchers also note they found indications that the bugs were actually exploited in devices of their clients. ZecOps says the victims included members of a Fortune 500 company in North America, a Japanese telecom executive, a journalist in Europe, and what the researchers call a “VIP” in Germany, among other victims. The firm couldn’t directly analyze the special emails that would have been used to mount the attacks, the researchers say, because the hackers used the access they gained to delete them from victims’ phones.
Apple released test patches for the vulnerabilities in the iOS 13.4.5 beta, and the fix should enter wide release soon.
Even though the vulnerabilities ZecOps disclosed couldn’t be exploited for fundamental control on a target device, an attacker could still build a so-called “exploit chain” using the Mail bugs as just the first link to mount an invasive attack. And iOS security researcher and Guardian Firewall creator Will Strafach points out that while Apple and ZecOps are correct about the limited utility of the Mail bugs alone, it’s still important to take these types of bugs seriously.
“A zero-click like this is especially interesting because it is not a full exploit chain, yet due to the nature of how it works, it could enable something like a smash-and-grab for mailbox data. Even the prospect of copying emails then self-deleting the crafted ‘attack email’ is quite scary.”
The vulnerabilities ZecOps discovered would be difficult to exploit reliably, and the firm found indications of the attacks in crash logs and other digital remnants on some of its clients’ iPhones. But the attackers left other clues behind, indicating that they didn’t feel the need to be maximally cautious and that they were satisfied with using a somewhat down and dirty zero-click.
The fact that Apple has been unable to independently verify that the bugs were exploited in the wild is not surprising, says Patrick Wardle, a former National Security Agency analyst and Apple security researcher at the firm Jamf.
“It is unlikely that if this vulnerability was used in highly targeted attacks that Apple would find evidence of such attack,” Wardle says. “Either way, it would be helpful for Apple to articulate how they came to this conclusion.”
Even the crudest zero-click attacks leave little trace, which makes tracking them an issue. Security analysts say that in many cases, the very features that make software more secure often make zero-click attacks harder to detect.
For example, researchers from Google’s Project Zero published findings in August that Apple’s iMessage had vulnerabilities that could potentially be exploited by simply sending someone a text. The messaging platform’s end-to-end encryption, which protects data as it moves across the internet so it is only readable on the sender and receiver’s devices, would make it difficult for Apple or security monitoring firms to detect if attackers were sending customized zero-click messages on the platform.
This doesn’t undermine the necessity of defenses like end-to-end encryption, Wardle says. But he notes that these challenges underscore the importance of raising awareness about interactionless attacks and working to develop detection capabilities. As ZecOps is trying to demonstrate, crash logs can be fertile ground for incident responders looking for abnormalities that could indicate malicious activity. The NSA has at times taken a specific interest in collecting and retaining crash logs, according to information leaked in 2013 by Edward Snowden. Given that the agency develops hacking tools for its digital espionage work, this initiative could have been related to novel vulnerability discovery, attack detection, or perhaps both.
The need to improve detection capabilities for zero-click attacks has only grown in importance as institutions and individuals rely more and more on mobile devices.
“If you know my phone number or my email address, you could remotely compromise my smartphone and possibly pull everything off of it. These types of attacks have always been around, but with smartphones you’re never off the grid so you’re always exploitable,” Wardle says. “We don’t see a lot of these zero click vulnerabilities exploited in the wild and that is because they’re so difficult to detect—it’s not because they’re not out there.”
Since the whole point of zero-click attacks is no interaction from the victim, there isn’t much you can do to protect yourself. But don’t let that keep you up at night too much: In general, these attacks are still targeted at specific victims for espionage or perhaps monetary gain. At the same time, though, it’s a good idea to keep all of your software up to date to plug as many holes as possible. The most powerful zero-clicks are tough to stop, but you can make it tougher for hackers to have an opportunity