Apple security flaw: How do ‘zero-click’ attacks work?


Apple users were urged on Sept 14 to update their devices after the tech giant announced a fix for a major software flaw that allows the Pegasus spyware to be installed on phones without so much as a click. — AFP

PARIS: Apple has spent the past week rushing to develop a fix for a major security flaw which allows spyware to be downloaded on an iPhone or iPad without the owner even clicking a button.

But how do such “zero-click” attacks work, and can they be stopped?

What is a ‘zero-click’ hack?

Spying software has traditionally relied on convincing the targeted person to click on a booby-trapped link or file in order to install itself on their phone, tablet or computer.

“Zero-click takes that threat to the next level,” said John Scott-Railton, senior researcher at Citizen Lab, the Toronto University cybersecurity centre which discovered the Apple flaw.

With a zero-click attack, the software can sneak its way onto the device without the person needing to be fooled into clicking on the link.

That grants would-be spies much easier access, not least in an era when people have grown increasingly wary of clicking on suspicious-looking messages.

In this case, the malware exploited a hole in Apple’s iMessage software to stealthily install Pegasus, a hugely invasive piece of software that essentially turns a phone into a pocket listening device.

Allegations that the software has been used by governments worldwide to eavesdrop on human rights activists, business executives and politicians sparked a global scandal in July.

Will I know if my phone is infected?

A simple answer: “No,” said Scott-Railton.

“There’s nothing you can do as a user to protect yourself from infection, and nothing you’re going to see when you’re infected,” he told AFP.

That is partly why Apple has taken the threat so seriously, he said.

Scott-Railton urged Apple users to install the software update released by the tech giant on Sept 13.

Apple announced a fix for the problem just under a week after Citizen Lab reported it on Sept 7.

A fix of this speed is “a rarity, even for a big company”, Scott-Railton said.

Why are messaging apps so vulnerable?

Revelations of Apple’s iMessage flaw come after messaging service WhatsApp discovered in 2019 that it, too, had a zero-click vulnerability that was being used to install Pegasus on phones.

Scott-Railton said the ubiquity of such apps meant it was not surprising that the NSO Group, the scandal-hit Israeli company behind Pegasus, had used them to sneak onto people’s devices.

“If you find a phone, there’s a good chance that there’s a popular messaging app on it,” he explained.

“Finding a way to infect phones through messaging apps is an easy and quick way to accomplishing what you want.”

The fact that messaging apps allow people to be identified with their phone numbers, which are easily locatable, also “means that there are a huge target for both nation-states and commercial mercenary hacking operations like NSO”, he said.

Can such hacks be stopped?

Vivien Raoul, chief technical officer at French cybersecurity firm Pradeo, said the discovery of the iMessage flaw was “a good start for reducing the ports of entry, but it’s unfortunately not enough to stop Pegasus”.

Malware-makers can simply look for other weaknesses in widely used apps, which inevitably include flaws from time to time due to their complexity, say experts.

Google’s mobile operating system Android and Apple’s iOS regularly “correct a large number of vulnerabilities”, Raoul said.

NSO, whose recruits include former elite members of Israeli military intelligence, has formidable resources of its own to invest in the hunt for weak spots, while hackers also sell access to them on the dark web. – AFP

Article type: metered
User Type: anonymous web
User Status:
Campaign ID: 46
Cxense type: free
User access status: 3
Join our Telegram channel to get our Evening Alerts and breaking news highlights
   

Next In Tech News

Remittance processor Remitly valued at over $8 billion after strong market debut
Embraer shares soar with electric aircraft orders, analyst upgrade
From e-bikes to flying cars: India's Ola Electric plots mobility future
Vietnam's carmaker VinFast eyes more countries for its European strategy
Exclusive-Google offers to settle EU antitrust probe into digital advertising - source
Britain to front-run capital rules on crypto if need be, says Bank of England
Samsung in talks with Tesla to make next-gen self-driving chips -Korea Economic Daily
India merger of Sony, Zee to create TV powerhouse challenging Disney
Salesforce raises full-year revenue outlook on hybrid work boost
EU plans one mobile charging port for all, in setback for Apple

Stories You'll Enjoy


Vouchers