How Do ‘Zero-click’ Attacks Work on Apple?
Apple has been working feverishly over the last week to produce a cure for a serious security weakness that allows spyware to be downloaded onto an iPhone or iPad without the user even pressing a button.
But how do these “zero-click” attacks operate, and how can they be prevented?
Spying software has typically relied on persuading the target individual to click on a malicious link or file in order to install itself on their phone, tablet, or computer.
“Zero-click ups the ante,” said John Scott-Railton, a senior researcher at Citizen Lab, the Toronto University cybersecurity center that uncovered the Apple issue.
A zero-click attack allows malware to infiltrate a device without the user having to be tricked into clicking on a link.
This gives would-be spies a lot more access, especially at an age when people are weary of clicking on suspicious-looking messages.
In this case, the malware took advantage of a flaw in Apple’s iMessage program to install Pegasus, a very intrusive piece of software that effectively transforms a phone into a pocket listening device.
In July, allegations that the software was being used by governments around the world to spy on human rights activists, business leaders, and politicians provoked a global outcry.
Scott-Railton gave a straightforward answer: “No.”
He told AFP, “There’s nothing you can do as a user to prevent oneself against infection, and nothing you’ll see when you’re infected.”
He believes this is one of the reasons Apple is taking the danger so seriously.
Apple consumers should install the software update published by the company on Monday, according to Scott-Railton.
Just over a week after Citizen Lab identified the issue on September 7, Apple announced a remedy.
A remedy this quick is “rare, especially for a huge corporation,” according to Scott-Railton.
The discovery of Apple’s iMessage bug comes after WhatsApp revealed in 2019 that it, too, had a zero-click vulnerability that was being exploited to install Pegasus on phones.
Because of the widespread availability of such apps, Scott-Railton believes it is unsurprising that the NSO Group, the scandal-plagued Israeli firm behind Pegasus, exploited them to gain access to people’s devices.
He continued, “If you locate a phone, there’s a strong possibility it has a popular messaging program on it.”
“Finding a means to infect phones via chat apps is a simple and quick approach to achieve your goals.”
The fact that persons can be identified by their phone numbers, which are easily found, is also a plus. Brief News from Washington Newsday.