Institutions and regular web users are always on alert about avoiding errant clicks and downloads online that could lead their devices to be infected with malware. But not all attacks require a user slip-up to open the door. Research published this week by the threat monitoring firm ZecOps shows the types of vulnerabilities hackers can exploit to launch attacks that don’t require any interaction from the victim at all—and the ways such hacking tools may be proliferating undetected.
Vulnerabilities that can be exploited for zero-click attacks are rare and are prized by attackers because they don’t require tricking targets into taking any action—an extra step that adds uncertainty in any hacking scheme. They’re also valuable, because less interaction means fewer traces of any malicious activity. Zero-click exploits are often thought of as highly reliable and sophisticated tools that are only developed and used by the most well-funded hackers, particularly nation state groups.
The ZecOps research suggests a different story, though: Perhaps attackers are willing to settle in some cases for using less reliable, but cheaper and more abundant zero-click tools.
“I think there are more zero-clicks out there. It doesn’t have to be ‘nation state-grade,’” says ZecOps founder and CEO Zuk Avraham. “Most wouldn’t care if it’s not 100 percent successful, or even 20 percent successful. If the user doesn’t notice it, you can retry again.”
Any system that receives data before determining whether that delivery is trustworthy can suffer an interactionless attack. Early versions often involved schemes like sending customized malicious data packets to unsecured servers, but communication platforms for email or messaging are also prime targets for these types of assaults.
The ZecOps research specifically looks at three issues in Apple’s iOS Mail app that could be exploited for zero-click attacks. The vulnerabilities have been in the Mail app since iOS 6, released in September 2012, meaning they have potentially exposed millions of devices over the years. But the bugs don’t allow a full device takeover by themselves. The attack starts with a hacker sending a specially crafted email to their target. In iOS 13, the current version of Apple’s mobile operating system, victims wouldn’t even need to open the email for the attacker to gain a foothold in their device. From there, attackers could potentially exploit other flaws to gain deeper access to the target.
Apple said in a statement that after reviewing the ZecOps research it has concluded that the findings don’t pose “an immediate risk” to iOS users. “The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers,” Apple said.
The ZecOps report agrees. “These bugs alone cannot cause harm to iOS users – since the attackers would require an additional infoleak bug & a kernel bug afterwards for full control over the targeted device,” it says. But the researchers also note they found indications that the bugs were actually exploited on devices belonging to their clients. ZecOps says the victims included members of a Fortune 500 company in North America, a Japanese telecom executive, a journalist in Europe, and what the researchers call a “VIP” in Germany, among other victims. The firm couldn’t directly analyze the specially crafted emails that would have been used to mount the attacks, the researchers say, because the hackers used the access they gained to delete them from victims’ phones.
Apple released test patches for the vulnerabilities in the iOS 13.4.5 beta, and the fix should enter wide release soon.
Even though the vulnerabilities ZecOps disclosed can’t by themselves give an attacker full control of a target device, an attacker could still build a so-called “exploit chain” using the Mail bugs as just the first link to mount an invasive attack. And iOS security researcher and Guardian Firewall creator Will Strafach points out that while Apple and ZecOps are correct about the limited utility of the Mail bugs alone, it’s still important to take these types of bugs seriously.