You need to protect yourself from zero-click attacks – Popular Science

The latest Apple vulnerability was an example of both a zero-click attack and a zero-day exploit. Here’s what to know.
After Citizen Lab, a cybersecurity watchdog group that’s spent years tracking digital threats, examined the contents of a Saudi activist’s phone, researchers quickly discovered that it was infected. But not with just any malware. It was infected with NSO Group’s Pegasus spyware, delivered by a zero-click exploit: software that does not even require the target to click on a link in order to install itself.
With Pegasus, before the fix is installed, “there’s absolutely nothing you can do to protect your phone,” says self-described data breach hunter Chris Vickery. “It’s nightmare-level terrible.” Keeping your software updated is the easiest way to defend yourself, as companies release fixes that way after they discover new vulnerabilities.
Here’s what you need to know about zero-click exploits, and about Pegasus.
Pegasus is the name of a spyware product created and sold by an Israeli company called NSO Group; “FORCEDENTRY” is the name Citizen Lab gave to the specific exploit used to install it in this case. Unlike the self-spreading viruses you might have seen in movies, Pegasus does not propagate on its own. It is aimed at a single phone number or device, because it is sold by a for-profit company with no incentive to make its spyware easily spreadable, and wide spread would only make it easier to detect. Less sophisticated versions of Pegasus required targets to do something to compromise their devices, like click on a link sent to them from an unknown number.
In the past, texts have been sent telling people their children were in a car accident or that someone has just used their credit card. These are phishing attempts. As soon as the link is clicked, Pegasus is installed on the phone, giving the people behind it complete control over the device.
But you probably won’t even know you’ve been targeted. “For the purposes of doing an investigation, you want to be as quiet as possible,” says Vickery, “so hackers are probably not going to use the phone to do obvious things that will show their presence.”
The most advanced version of Pegasus involves a zero-click exploit. It requires no human interaction to infect the phone. “It’s like a bullet hitting your head from afar,” says Vickery. “You have no defense whatsoever.” The attackers simply send an exploit payload to your phone. In the case Citizen Lab discovered, the payload arrived as a malformed file posing as a GIF image; the phone’s image-parsing code processed it automatically, without the owner opening or tapping anything.
The vulnerability lurked in the iPhone software that parses images. That was why Apple issued an emergency fix and urged everyone to update their devices.
A zero-day vulnerability, a zero-day exploit, and a zero-day attack all refer to the same fundamental situation: there is a flaw in software that the manufacturer has not released a fix, or patch, for yet. The vulnerability is the flaw itself, the exploit is the code that takes advantage of it, and the attack is its use against a target. “Because there has not been time for defenses to catch up with the attackers, it’s a zero-day exploit,” says Vickery. “As soon as somebody releases a patch for it, the next day, it could be thought of as a one-day exploit, meaning that there’s been one day of potential patching for it.” 
If you’re an attacker who wants to keep using a zero day, you want it to stay unpatched for as long as possible. Many zero-day exploits are sold and passed around underground and are deliberately used in ways that avoid alerting the victim, so that the flaw remains a zero day for longer. Some researchers who discover these flaws report them to the vendor in exchange for bug-bounty rewards, but organizations such as military intelligence agencies stockpile zero-day knowledge, says Vickery, because it can be used to penetrate a target network very efficiently. In 2013, the NSA spent $25 million to purchase software vulnerabilities, and in 2020, the NSA published a list of 25 vulnerabilities it found Chinese state-sponsored cyber actors were exploiting.
But the process becomes a cat-and-mouse game, because as soon as you use an exploit you run the risk of the adversary learning what you used against them. “There is a gray area of what the value is to our nation in knowing how to do this, versus the value of telling the manufacturer so that they can protect everyone,” says Vickery.
NSO Group is an Israeli company that has sold surveillance software for many years. It provides products like Pegasus to governments such as the United Arab Emirates and Saudi Arabia. The company has claimed its software assisted in the capture of El Chapo, and one lawsuit has connected the murder of journalist Jamal Khashoggi with Saudi use of the software. One report notes that NSO tried to pitch its software to local U.S. police.
NSO Group has stated that it provides this software to governments around the world to help fight terrorism and crime. “NSO Group says that their spyware is only for targeting criminals and terrorists,” John Scott-Railton, a senior researcher at Citizen Lab, wrote on Twitter. “But here we are…again: their exploits got discovered by us because they were used against an activist.”
The same Twitter thread continued: “Thesis: discovery is inevitable byproduct of selling spyware to reckless despots.”
WhatsApp, which is owned by Facebook, is currently suing NSO Group, accusing the company of providing software that allowed people to spy on journalists and political dissidents.
“The company claims that all they do is provide the software to do the exploitation,” says Vickery. “It’s kind of like a gun maker saying they sell the guns, but they’re not the ones aiming it at somebody’s head and pulling the trigger.”
It can often be very difficult to find out if your phone is infected. Exploits like this operate quietly, and how much the operators do on the phone is limited by how much risk of detection they are willing to accept. And because the attackers control every process on the phone, they can delete the text or link that originally infected the device, so the notification is never shown. (However, as one security expert told PopSci earlier this week, “these attacks are not a threat to most Apple users.”)
If your phone’s logs show contact with a domain or IP address known to belong to Pegasus’s command-and-control infrastructure, that is an indicator that your phone was compromised: the spyware reaches out to those servers to receive commands and send back data. But only an organization such as Citizen Lab typically has the resources, and the list of known indicators, to discover that.
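The check described above, matching a device’s network logs against a list of known command-and-control domains and IP ranges, is easy to illustrate. The following is an added example written for this article, not code from Popular Science, Citizen Lab or NSO Group. Every domain, IP range and log line in it is a constructed placeholder (none is a real Pegasus indicator), and the four-column log format is invented for the example; a real investigation would load a published indicator list and parse the phone’s actual logs.

```python
"""Check device network logs against command-and-control indicators.

Added illustration; not code from Popular Science, Citizen Lab or NSO Group.
Every domain, IP range and log line here is a constructed placeholder, not a
real Pegasus indicator.
"""
import ipaddress
from dataclasses import dataclass

# Constructed indicator list. A real check would load a published IoC file.
IOC_DOMAINS = {"updates-cdn-check.example", "mail-sync.example"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range

# Constructed log in an invented "timestamp process kind destination" format.
SAMPLE_LOG = """\
2021-09-13T10:02:11Z imagent dns cdn.updates-cdn-check.example
2021-09-13T10:02:12Z imagent tcp 203.0.113.45:443
2021-09-13T10:05:00Z mobilemail dns imap.mailhost.example
2021-09-13T10:07:31Z safari tcp 198.51.100.7:443
2021-09-13T10:08:10Z safari dns notupdates-cdn-check.example
2021-09-13T10:09:02Z imagent dns mail-sync.example
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    process: str
    destination: str
    indicator: str


def match_domain(host, ioc_domains=IOC_DOMAINS):
    """Return the indicator if host is an IoC domain or a subdomain of one.

    Matching on label boundaries matters: a plain substring test would wrongly
    flag notupdates-cdn-check.example as a hit for updates-cdn-check.example.
    """
    host = host.lower().rstrip(".")
    for d in ioc_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_ip(dst, ioc_networks=IOC_NETWORKS):
    """Return the matching network (as a string) for an IPv4 'addr' or 'addr:port'."""
    addr = dst.rpartition(":")[0] or dst  # assumes IPv4; drops a trailing :port
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in ioc_networks:
        if ip in net:
            return str(net)
    return None


def scan_log(text, ioc_domains=IOC_DOMAINS, ioc_networks=IOC_NETWORKS):
    """Return every log entry that touched an indicator, in log order."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines instead of aborting the scan
        ts, proc, kind, dst = parts
        indicator = None
        if kind == "dns":
            indicator = match_domain(dst, ioc_domains)
        elif kind == "tcp":
            indicator = match_ip(dst, ioc_networks)
        if indicator:
            hits.append(Hit(ts, proc, dst, indicator))
    return hits


def processes_with_hits(hits):
    """Processes that contacted indicators; hits clustering on one process is itself a clue."""
    return {h.process for h in hits}


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.timestamp} {h.process} -> {h.destination} matched {h.indicator}")
```

Run against the constructed log, the scan reports three contacts, all from the same messaging-related process, while the look-alike domain and the unrelated IP are correctly left alone. That grouping by process is the kind of signal an investigator looks for, but the check is only as good as the indicator list it is fed, which is why the article notes that a group like Citizen Lab, with a maintained list, is usually the one to find it.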
Once your device has been infected, there is little you can do to protect its contents. Experts say one way to limit the damage from a compromised device is for people whose occupation involves sensitive information to maintain two separate phones, one for work and one for private use. 
The most important thing that a regular person can do is to keep their software up to date, as software updates can often come with patches for security vulnerabilities. And scrutinize the phone numbers and emails in messages you receive to ensure they are from someone you trust.
This article has been updated.
Shira Feder covers tech, science, and health. She holds a master’s degree from the Craig Newmark Graduate School of Journalism and has written for the Washington Post, Vox, The Daily Beast, Business Insider, and other publications. She has received two awards from the Society of Professional Journalists for her reporting.

© 2022 Recurrent. All rights reserved.