Zero-Click Security Threat
Earlier this month, the Office of Information Security published an alert about “zero-click” spyware. Typical cyberattacks require the target to interact in some way with malicious content by clicking on a link or downloading an attachment from an unknown sender. Zero-click attacks do not require this sort of engagement. According to the interim executive director of the National Cyber Security Alliance, Lisa Plaggemier, it is “virtually impossible for individuals to know if they have been compromised” by a zero-click exploit (Bidar 2021).
We published the alert in response to a report by the University of Toronto’s Citizen Lab that an Israeli spyware company, the NSO Group, was using the zero-click exploit known as “Forcedentry” to access data on the phone of a Saudi activist. According to Citizen Lab, the NSO Group—considered a cyber arms dealer by the Israeli government—frequently sells products such as their flagship spyware, Pegasus, to governments around the world for the purpose of surveilling activists, journalists, politicians, and critics. The NSO Group claims that their spyware is intended for use in investigations of terrorist activity.
The only way to protect yourself from threats like this is to keep all your devices up to date, installing software updates as soon as they become available. The recent zero-click exploit specifically worked through Apple’s iMessage software, so Apple responded with a software update—iOS 14.8—just days before releasing the new operating system iOS 15, which was built to include protections against threats such as these.
The strategies of cybercriminals and companies like the NSO Group are continuously changing to overcome our best defensive mechanisms, so it is crucially important to regularly check for software updates, which often include important security patches. This is true for all devices, whether they are mobile devices running iOS or Android or are desktop/laptop computers running operating systems like macOS, Windows, or Linux. To stay safe, be sure to update.