‘Zero-click’ exploit vulnerability prompts Apple to issue update

Users asked to download security update to patch exploit - now
A vulnerability found in some Apple devices prompted the company to issue a patch Monday, but these types of hacks have been around for the last half-decade.
Published: Sep. 14, 2021 at 6:31 PM EDT
Email This Link
Share on Pinterest
Share on LinkedIn

TALLAHASSEE, Fla. (WCTV) - A relatively new type of threat is here for mobile device users that’s hard to stop, and it prompted Apple to release a security update Monday to close a vulnerability that allows hackers to sneak into a user’s device.

It’s called a zero-click hack, where it requires no action on a users part according to Blake Dowling, the CEO of Aegis Business Technologies in Tallahassee.

A hacker can send a text message with an invisible image, but it does have a code in it.

“From that point forward, your phone is being monitored by a hacker,” Dowling said. “Everything you do, everything you see, the hacker can see.”

These kind of zero-click vulnerability attacks have been happening for the last five years, according to Dowling. This includes a new one that was discovered by The Citizen Lab at the University of Toronto in Canada. They found a zero-click exploit in the phone of a Saudi dissident along with Pegasus spyware which, they say, was created by a Israeli company. The exploit used a vulnerability in Apple’s iOS mobile operating system’s image rendering library, according to The Citizen Lab.

Apple released an update Monday for Apple’s iOS, iPadOS, macOS and watchOS operating systems since, according to The Citizen lab, the vulnerability impacts not the the iPhone’s operating system.

But this isn’t the first zero-click exploit, and those with deep pockets have been creating the code.

“This is high-level technology,” Dowling said. “We’re not talking a ransomware toolkit you buy on the dark web for $50. You’re talking about millions of dollars to develop this code in order to spy on people.”

Because of the high-investment required to create this kind of malicious code, the targets - as of now - are usually bigger players.

“This type of hack is for other spies, heads of state, lawyers, and very controversial cases,” Dowling said.

Journalists have also been subject to these hacks. For instance, it was discovered that 36 personal phones belonging to journalists and supporting staff from Al Jazeera were hacked with the same Pegasus spyware.

Not much can be done, Dowling said, to prevent these types of attacks.

“It’s so devious that there aren’t traditional protective measures that you can just roll out,” Dowling said.

There are ways to not only minimize damage from a zero-click hack, but also minimize the ones a user can click on to execute.

“Don’t click on anything. Trust, but verify. Don’t share your credentials. Have backups of everything. And, if you don’t need to keep sensitive information on your phone, don’t,” Dowling said.

He also stressed that software vulnerabilities are how these exploits can happen. That’s also the case with devices from Apple, which have a reputation of being impenetrable. Dowling said that running security updates when released, including the one sent Monday, can help.

iOS and iPadOS users can go to Settings app on the device, then tap on General and Software Update to update the device. Those on macOS can go to Settings, and click on Software Update. WatchOS users can go into the watch’s settings, then tap General and then Software Update to run the update when the watch is at least 50% charged and on a charger.

Copyright 2021 WCTV. All rights reserved.