Hackers use various tools to gain access to computers and other devices and wreak havoc. However, zero-click attacks, among the most dangerous of these, can be especially troublesome because they're often difficult to recognize until it's too late. In addition, as the name suggests, a zero-click attack does not require any action from the device's owner, such as a mouse click, keypress, or any other user interaction, unlike other attack methods like smishing and phishing. Instead, all an attacker needs to do is send the dangerous file to a device and let the exploit get to work.
Most zero-click attacks come through messaging or voice-calling apps like WhatsApp, Facebook Messenger, Apple iMessage, and Telegram because these apps receive and interpret data from untrusted sources. Zero-click attacks work because they exploit flaws in how data gets validated or processed on the device, then use data verification loopholes to enter. The attacks come through hidden text messages, email, voicemail, or an image file delivered via Wi-Fi, NFC, or Bluetooth. Once installed, the zero-click attack activates an unknown vulnerability that quickly goes after hardware or software, without the owner's knowledge.
As Bill Marczak, a senior research fellow at Citizen Lab, explained to Bloomberg: “With zero clicks, it’s possible for a phone to be hacked and no traces left behind whatsoever. You can break into phones belonging to people who have good security awareness. The target is out of the loop. You don’t have to convince them to do anything. It means even the most skeptical, scrupulous targets can be spied on.”
Because of how they are designed, zero-click attacks are nearly invisible to unsuspecting victims, making them much easier to execute than traditional hacking methods.
Other reasons they can be dangerous include:
Once a zero-click attack is executed on a device, hackers can start collecting information about the user, including their browsing history, camera roll, location, contacts, and whatever else they want. They might also add surveillance software to listen to conversations and use what they find for nefarious purposes. Sometimes infected devices are used for cyberespionage campaigns.
Some hackers take it further and decide to encrypt user files and hold them for ransom. In this case, the attack is ransomware. When this happens, it’s best to contact the authorities before handing over your hard-earned cash.
Often, zero-click attacks rely on zero-day attacks to work. And yet, they aren't the same. The former is a type of attack that requires no user input. The latter exploit vulnerabilities that aren't yet known to a software provider, which makes it less likely a patch is already available to provide a fix.
You can take steps to better protect yourself from various types of cyberattacks, including zero-click attacks. But unfortunately, as these things go, there is no sure way to protect yourself.
The Better Business Bureau and National Cybersecurity Alliance say the first thing you can do is make sure the software on your device is up to date, including operating systems and apps. In particular, pay special attention to critical software updates and install them immediately. You should also avoid clicking on links from unfamiliar sources that might arrive through email or messages. When in doubt, delete the message and never give away personal information.