Simmons encourages users to take security updates seriously to fight zero-click access to devices
Kim Chaudoin |
Hackers are continually working to find new and better ways to access devices without the knowledge of users to compromise the security of their data. Just last week Apple released a software upgrade for its phones, computer and watches that contained an emergency security patch following a report of zero-click access to its devices.
Cybersecurity expert Chris Simmons, associate professor in the College of Computing & Technology, explains that the latest threat to make headlines causing Apple to release its emergency security patch was discovered by researchers at the University of Toronto's Citizen Lab. This organization discovered that the NSO Group, an Israeli spyware company, used what is known as a "zero-click exploit" to access the phone of an unnamed Saudi activist. They also revealed that the NSO Group's flagship Pegasus spyware program was used to infect the activist's device.
“This is a significant issue and different from the cyberattacks we have seen in the past,” says Simmons. “The typical cyberattack involved a user engaging with a malicious link or other piece of content. But zero-click exploits don’t require any sort of interactions with the actual user. These attacks are happening without the user having any idea that their device has been compromised.”
The NSO Group is well known in the cyber world. Hackers have been able to install the Pegasus spyware on the target's device using zero-click exploit by sending a message to the victim’s phone. Once on a user’s phone, Simmons says the hacker can siphon data, activate processes, such as the camera or microphone, and access location data to determine where you have been and who you have encountered among other activity.
Apple and Android devices may be targets. Experts estimate that there are more 1.6 billion Apple devices and over 3 billion Android devices in active use overall. While the recent vulnerability is unlikely to impact the majority of these customers because of the highly targeted nature of these attacks, Simmons says the breach is nonetheless concerning.
“We have gotten so accustomed to having so many conveniences at our fingertips with our phones and other devices,” he says. “On our phones we have easy access to our bank accounts, contacts, credit cards, email, messaging, retail apps, personal photos, social media and so much more. It is easy to let our guard down and not take necessary precautions to protect our information. These are definitely conveniences for us and may save time and effort … but convenience can sometimes come with a price.”
With zero-click exploits, it can be very difficult to tell that you have been attacked.
“It can often be very difficult to find out if your phone is infected, and once it is there isn’t much you can do about it,” says Simmons. “because the hackers have control of all the processes in the phone, they have the ability to cover their tracks, preventing any potential detection from ever being shown to the victim. So, proactively taking steps to protect yourself is critical.”
Simmons recommends several steps to securing information on your phone and other devices.
Stay current with software updates. Keeping your software updated is the easiest way to defend yourself, as companies release fixes that way after they discover new vulnerabilities. Simmons advises that when you receive a message about updating software on your computer or phone, make sure to do that quickly even if you don’t want to take the time to close down your open windows and shut down your device. Most updates take only a few minutes to complete.
Use multi-factor authentication. Especially when using mobile payment services such as Venmo or an electronic banking app, Simmons recommends setting up multi-factor authentication. “This adds an extra layer of security to your account to prevent someone from logging in, even if they have your password,” he explains. Most apps, even social media apps, have options for adding this additional security feature.
Interact only with contacts you trust. Scrutinize the phone numbers and emails in messages you receive to ensure they are from someone you trust.
Consider two phones. If you have a profession that involves sensitive information that might make you a prime target for a zero-click attack, consider maintaining two separate phones — one for work and one for private use.
Lipscomb’s College of Computing & Technology also offers a variety of undergraduate and graduate degrees. Learn more at www.lipscomb.edu/technology.