
Apple security flaw: How do ‘zero-click’ attacks work?

You don't even need to click on anything for 'zero-click' malware to infect your phone./AFP

Sep 15, 2021 - 08:12 AM

PARIS, FRANCE — Apple has spent the past week rushing to develop a fix for a major security flaw which allows spyware to be downloaded on an iPhone or iPad without the owner even clicking a button.

But how do such “zero-click” attacks work, and can they be stopped?

What is a ‘zero-click’ hack?

Spying software has traditionally relied on convincing the targeted person to click on a booby-trapped link or file in order to install itself on their phone, tablet or computer.

“Zero-click takes that threat to the next level,” said John Scott-Railton, senior researcher at Citizen Lab, the Toronto University cybersecurity centre which discovered the Apple flaw.

With a zero-click attack, the software can sneak its way onto the device without the person needing to be fooled into clicking on the link.

That grants would-be spies much easier access, not least in an era when people have grown increasingly wary of clicking on suspicious-looking messages.

In this case, the malware exploited a hole in Apple’s iMessage software to stealthily install Pegasus, a hugely invasive piece of software that essentially turns a phone into a pocket listening device.

Allegations that the software has been used by governments worldwide to eavesdrop on human rights activists, business executives and politicians sparked a global scandal in July.

Will I know if my phone is infected? 

A simple answer: “No,” said Scott-Railton.

“There’s nothing you can do as a user to protect yourself from infection, and nothing you’re going to see when you’re infected,” he told AFP.

That is partly why Apple has taken the threat so seriously, he said.

Scott-Railton urged Apple users to install the software update released by the tech giant on Monday.

Apple announced a fix for the problem just under a week after Citizen Lab reported it on September 7.

A fix of this speed is “a rarity, even for a big company”, Scott-Railton said.

Why are messaging apps so vulnerable? 

Revelations of Apple’s iMessage flaw come after messaging service WhatsApp discovered in 2019 that it, too, had a zero-click vulnerability that was being used to install Pegasus on phones.

Scott-Railton said the ubiquity of such apps meant it was not surprising that the NSO Group, the scandal-hit Israeli company behind Pegasus, had used them to sneak onto people’s devices.

“If you find a phone, there’s a good chance that there’s a popular messaging app on it,” he explained.

“Finding a way to infect phones through messaging apps is an easy and quick way to accomplishing what you want.”

The fact that messaging apps allow people to be identified with their phone numbers, which are easily locatable, also “means that they are a huge target for both nation-states and commercial mercenary hacking operations like NSO,” he said.

Can such hacks be stopped? 

Vivien Raoul, chief technical officer at French cybersecurity firm Pradeo, said the discovery of the iMessage flaw was “a good start for reducing the ports of entry, but it’s unfortunately not enough to stop Pegasus”.

Malware-makers can simply look for other weaknesses in widely used apps, which inevitably include flaws from time to time due to their complexity, say experts.

Google’s mobile operating system Android and Apple’s iOS regularly “correct a large number of vulnerabilities”, Raoul said.

NSO, whose recruits include former elite members of Israeli military intelligence, has formidable resources of its own to invest in the hunt for weak spots, while hackers also sell access to them on the dark web.
