Silent, Zero-Click Cybersecurity Threats Will Persist

Apple scrambled frantically for almost three weeks after researchers at the University of Toronto’s Citizen Lab identified a zero-click vulnerability affecting all its devices via the iMessage application. As of last Monday, the issue has been reportedly fixed but cybersecurity analysists say this is only the beginning of these types of attacks.

By now, most cybersecurity trainers instruct employees to not click or download links coming from random numbers or email addresses. This standard is now obsolete in the face of zero-click exploits which allow hackers to access devices without the users ever knowing. Researchers at Citizen Lab have called this development "Forcedentry", tracking the use of this software as far back as February 2021.

"Whereas typical cyberattacks require a user to engage with a malicious piece of content–such as clicking on a rogue link–zero click exploits do not require any sort of interaction with devices' owners themselves," Lisa Plaggemier, Interim Executive Director of the National Cyber Security Alliance, told CBS News. "This means it is virtually impossible for individuals to know if they have been compromised or not," she added.

The software was developed by NSO Group, an Israeli spyware company well known in the cybersecurity community for the development of Pegasus spyware that had been previously weaponized to track journalists in Mexico reporting on drug cartels—among other serious infractions. This latest adaptation, once silently installed via iMessage, grants hackers “a variety of controls that can siphon data or activate processes, such as the camera or microphone, on iOS or Android devices," Jerry Ray, COO of the cyber firm SecureAge, told CBS News.

"Considering all of the apps that could potentially pose a weakness that could be exploited by actors like NSO Group, this could be just another decimal point update among the countless ones to come," Ray said.

Although the NSO Group says that its spyware is solely available for the use of licensed law enforcement groups and meant to target only terrorist and criminals, the consistent use of the software to track private citizens should draw serious scrutiny from device manufactures and related value chain members as a whole. Moreover, they should anticipate the need for continuous innovation given that “[z]ero click threats are here and are here to stay," Plaggemier said.