Institutions and regular web users are always on alert to avoid errant clicks and downloads online that could infect their devices with malware. But not all attacks require a user slip-up to open the door. Research published this week by the threat monitoring firm ZecOps shows the types of vulnerabilities hackers can exploit to launch attacks that don’t require any interaction from the victim at all—and the ways such hacking tools may be proliferating undetected.
Vulnerabilities that can be exploited for zero-click attacks are rare and are prized by attackers because they don’t require tricking targets into taking any action—an extra step that adds uncertainty in any hacking scheme. They’re also valuable because less interaction means fewer traces of any malicious activity. Zero-click exploits are often thought of as highly reliable and sophisticated tools that are only developed and used by the most well-funded hackers, particularly nation-state groups.
The ZecOps research suggests a different story, though: Perhaps attackers are willing to settle in some cases for using less reliable, but cheaper and more abundant zero-click tools.
“I think there are more zero-clicks out there. It doesn’t have to be ‘nation state-grade,’” says ZecOps founder and CEO Zuk Avraham. “Most wouldn’t care if it’s not 100 percent successful, or even 20 percent successful. If the user doesn’t notice it, you can retry again.”
Any system that receives data before determining whether that delivery is trustworthy can suffer an interactionless attack. Early versions often involved schemes like sending customized malicious data packets to unsecured servers, but communication platforms for email or messaging are also prime targets for these types of assaults.
The ZecOps research specifically looks at three issues in Apple’s iOS Mail app that could be exploited for zero-click attacks. The vulnerabilities have been in the Mail app since iOS 6, released in September 2012, meaning they have potentially exposed millions of devices over the years. But the bugs don’t allow a full device takeover by themselves. The attack starts with a hacker sending a specially crafted email to their target. In iOS 13, the current version of Apple’s mobile operating system, victims wouldn’t even need to open the email