Zero-Click Hacks: The Holy Grail of Hacking

When, back in 2018, Australian National University (ANU) announced that it was hacked when an employee simply previewed a phishing email in the preview panel, few in the cybersecurity community believed it. They cynically remarked that this was probably a story concocted by an employee who actually clicked on a link or opened an attachment and then tried to cover their tracks. However, it later emerged that ANU was the victim of a highly sophisticated malicious cyber operation that did, indeed, operate through a zero-click hack. A zero-click hack is one in which the victim does not need to click on a link or an attachment for malware to be installed.

According to the official report on the incident, this zero-click vector was used to launch the attack.

“The actor’s campaign started with a spearphishing email sent to the mailbox of a senior member of staff. Based on available logs this email was only previewed but the malicious code contained in the email did not require the recipient to click on any link nor download and open an attachment. This ‘interaction-less’ attack resulted in the senior staff member’s credentials being sent to several external web addresses. It is highly likely that the credentials taken from this account were used to gain access to other systems. The actor also gained access to the senior staff member’s calendar – information which was used to conduct additional spearphishing attacks later in the actor’s campaign.”

Yet, very little information exists on how the attack was actually constructed. The problem was that, as the attackers worked their way through the network, they erased any signs of their operation. This includes any signs of how they constructed the initial zero-click attack. The attack has been attributed to China and, since none of the stolen data has surfaced, it must be assumed that it is being stored for use in future attacks.

If this was the last we ever heard of zero-click attacks, we could conclude that this was an isolated incident. However, shortly after the ANU hack, Facebook-owned WhatsApp announced that it had been the victim of a zero-click attack. This attack was a little different from the ANU attack. In the WhatsApp attack, the attackers only had to ring a victim’s phone. During the time the phone rang, malware could be installed. The attackers clearly used the fact that they had a connection with the targeted device to craft an attack which took control of the phone’s camera and microphone and exfiltrated data such as call logs, messages, and location information. Somewhat surprisingly, the attack was thought to be the construction of a nation-state. This is because the malware installed was similar to spyware and the victims tended to be human rights lawyers and other political activists.

Then, just this May, Samsung announced that they had discovered a zero-click bug that was compromising their Android phones. The attack used Samsung’s Qmage (.qmg) imaging format and their Skia library which processes every image the phone receives. Samsung has always realized that this processing could be the target of exploitation, so they randomize the location of the library for every image it receives. In order to actually hack into the phone, a hacker would have to send multiple messages with images and basically hope they’ve correctly guessed the library’s location.

Now, you might think that the victim would hear the message notification signal repeatedly going off as the test messages came in; however, the attackers found a way to turn that off. Samsung has since fixed this bug but the concept behind it still remains.

The latest zero-click attacks are using the link preview feature that is so common in messaging apps. Some apps will generate a preview by connecting directly to the linked page. This gives an opening to hackers who control the page to send malware back to the viewing device and, possibly, take control of it. Other apps mediate a link through their own servers. Among these are Facebook Messenger and Instagram. Apparently, they store copies of any shared file or link. This is likely done for advertising purposes.

Talal Haj Bakry and Tommy Mysk, two security researchers, noted this problem in a blog post. In some scenarios, not only will the app have the link connect its receiver to the web page and generate a link preview, but it will also download any Javascript code found on the linked page; Javascript code which could potentially support malware.

Facebook Messenger and Instagram apparently have no limit on what size file they will attempt to download. The researchers tested this by linking a 2.6 GB file which the Facebook-owned apps dutifully downloaded to their servers. Google Hangouts does much the same except that they limit their downloads to 20 MB. LinkedIn had an additional problem. Not only would they allow a link preview download of up to 50 MB, but they would also allow Javascript code to run freely on their servers. Other social media apps that were vulnerable to such attacks were Slack, Twitter Direct Message, and Zoom. The researchers offer this chart for making quick app comparisons.

The zero-click hack has yet to be perfected, but you can be quite sure that hacking groups and nation-state hackers are vigorously working on them. But here’s the problem. If zero-click hacks were perfected, we may not even know about it, especially if these hackers were good at hiding their tracks. Networks could be breached, information could be stolen, data could be altered and no one would be the wiser. Now, that’s a very scary scenario.

One thought on “Zero-Click Hacks: The Holy Grail of Hacking

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s