Some thoughts on Zero-Click Exploits
Although a majority of cyber threats can be avoided by simply not doing anything (if in doubt, don’t click that link or respond to that strange text message), there are a few looming threats that I can only see becoming more concerning as time goes by…because they don’t require any human interaction to be carried out. One such threat is in the form of Zero-Click Exploits.
I was pretty surprised when I first read a post about this attack’s existence a few weeks ago. I had often considered the “what-ifs” of similar situations, but I hadn’t expected to see news about something like this so soon. Although this kind of attack has apparently been around for quite some time, it’s gaining more traction because of the widespread use of smartphones, which are commonly targeted devices, along with IoT devices, both of which have rather limited protections compared to your usual PC.
Without going into technical detail, what’s dangerous about an attack like this is that, like a zero-day exploit (which it often relies on), it can infect a device and run on its own without the user having done anything beyond simply opening an email. In fact, there have been cases where it activates itself simply by triggering a missed phone call to a targeted smartphone. That being said, it is quiet and goes largely undetected. And you can’t patch it unless you know about it, which means the usually sound advice of patching your system or software won’t likely prevent it.
Is this a common attack? Not yet, but it is becoming more and more common from what I’ve seen and read. It is a more targeted attack, which means the average computer user or smartphone user isn’t likely to need to worry about it anytime soon. But is it high-risk? Very much so, as it can bypass otherwise strong security measures and get to highly sensitive information on your device. So, this is definitely something companies and high-value targets should consider worth their time looking into.
The main point that I’d like to mention here is this: oftentimes, we put so much faith in our security measures and detection systems that we sleep on protection WITHIN a system. It’s not an exaggeration that once an attacker compromises a system, it’s often downhill from there, as they have more freedom and access than they should. Although zero-click attacks are not quite widespread yet, they certainly serve as a reminder to protect the inside as well, not just the public-facing outside. After all, even if the attacker gains access to the inside, if all important data is strongly encrypted and requires a second form of verification to access it, it’s going to be useless anyway, right?
The challenge here is balancing security and accessibility.