“Sneaky Zero-Click Attacks Are a Hidden Menace”
WIRED, April 24, 2020
By Lily Hay Newman
“Hacks that can play out without any user interaction may be more common than we realize, in part because they’re so difficult to detect.”
Institutions and regular web users are always on alert about avoiding errant clicks and downloads online that could lead their devices to be infected with malware. But not all attacks require a user slip-up to open the door. Research published this week by the threat monitoring firm ZecOps shows the types of vulnerabilities hackers can exploit to launch attacks that don’t require any interaction from the victim at all—and the ways such hacking tools may be proliferating undetected.
Vulnerabilities that can be exploited for zero-click attacks are rare and are prized by attackers because they don’t require tricking targets into taking any action—an extra step that adds uncertainty in any hacking scheme. They’re also valuable, because less interaction means fewer traces of any malicious activity. Zero-click exploits are often thought of as highly reliable and sophisticated tools that are only developed and used by the most well-funded hackers, particularly nation state groups.
The ZecOps research suggests a different story, though: Perhaps attackers are willing to settle in some cases for using less reliable, but cheaper and more abundant zero-click tools.
“I think there are more zero-clicks out there. It doesn’t have to be ‘nation state-grade,’” says ZecOps founder and CEO Zuk Avraham. “Most wouldn’t care if it’s not 100 percent successful, or even 20 percent successful. If the user doesn’t notice it, you can retry again.”
Any system that receives data before determining whether that delivery is trustworthy can suffer an interactionless attack. Early versions often involved schemes like sending customized malicious data packets to unsecured servers, but communication platforms for email or messaging are also prime targets for these types of assaults.
Since the whole point of zero-click attacks is no interaction from the victim, there isn’t much you can do to protect yourself. But don’t let that keep you up at night too much: In general, these attacks are still targeted at specific victims for espionage or perhaps monetary gain. At the same time, though, it’s a good idea to keep all of your software up to date to plug as many holes as possible. The most powerful zero-clicks are tough to stop, but you can make it tougher for hackers to have an opportunity.
About the Author:
Lily Hay Newman is a senior writer at WIRED focused on information security, digital privacy, and hacking. She previously worked as a technology reporter at Slate magazine and was the staff writer for Future Tense, a publication and project of Slate, the New America Foundation, and Arizona State University. Additionally, her work has appeared in Gizmodo, Fast Company, IEEE Spectrum, and Popular Mechanics. She lives in New York City.
- “NSA Collects MS Windows Error Information” – Schneier on Security, August 1, 2017 [“The NSA has at times taken a specific interest in collecting and retaining crash logs, according to information leaked in 2013 by Edward Snowden.”]