What is a zero-day exploit or (for that matter) a zero-click vulnerability?
A zero-day vulnerability is an error, a flaw, a mistake with a piece of software or hardware. There is almost no — zero if you will — opportunity for detection.
Zero-day means you have zero days to run the fix/patch etc.; zero-click means you do not have to do anything or take any action for the hacker to exploit the weakness.
Sound cryptic? It is.
Most hacks that we read about or see involve “you” having to do something, to take a particular action to set the threat in motion. Sometimes, what you do is not so smart, other times, you are just plain tricked and fall victim to a devious cyberthreat.
Some examples on this spectrum of “I can’t believe people fall for these things” to “very devious”:
— You get an email from your “boss” asking you to go buy gift cards and you do so and then the “boss” asks you to scratch the back of the cards and send them the pics, so you do. You have been hacked. That email was not from your boss.
— Or you get an email asking to “verify” your credentials from Google. You enter your password. You have just been hacked.
— You get a phone call from “Microsoft” asking for your personal info and credentials, you share them. You have been hacked.
— You get an email from “UPS” to track your package, you click, you have been hacked and your entire organization now has ransomware.
We put together a free overview of these common threats as a courtesy to all, please be safe out there and watch:
If these 15-minute clips stop one threat, we have helped in the cyberwar.
All of these examples require you to do something. The zero-click vulnerability requires you to do nothing and in the most recent example allows certain parties to watch and see everything you are doing on your Apple device.
Sounds scary? It is as scary as it gets, we scratched the surface on the subject on WCTV News this week in Tallahassee.
Thank you, Mr. Roop, for having me on the show.
There is a lot more here than you can cover in a two-minute TV spot. Where did this software come from? Russian hackers? Not this time.
This is where this story gets fuzzy, frightening, rabbit hole-ish and interesting.
Have you read any Dan Silva books? This is Mossad-level activity.
There is an Israeli technology company named NSO Group Technologies. Named after its founders (Niv, Shalev and Omri), they are well known in tech circles (and espionage circles) for a tool called Pegasus, which can provide zero-click surveillance of smartphones.
The product is now classified as a “weapon” and its sale must be approved by the government.
The company clearly says it only sells to governments and not anyone wishing to misuse it. Once you peel back the onion you can find alleged deployment of this tool in the hunt for drug-dealer El Chapo, the murder of journalist Jamal Khashoggi, and the discovery this year of an alleged massive utilization of the software, spying on over 50,000 journalists, heads of state, human rights activists and others.
Heads of state? Yes, like the French President, Emmanuel Macron was supposedly on this list of targets as well as journalists all over the world.
Unfortunately, we don’t have time for a weeklong journey into this.
But know this, NSO has been around for over 10 years, and this software somehow is getting into the hands of some very shady individuals.
Do you think it was used in the last U.S. presidential election? Spying on all involved by other nations and bad actors using that info? Potentially inflaming both sides; the extreme left and extreme right? Playing us against each other? Russia has been doing this since the Cold War.
Were there targets on the list here in Florida?
The tool has obviously been used for good to hunt bad guys/gals, but it has also been used to allegedly spy on leaders and journalists.
As you can see, this is no ordinary hack; the software and alleged utilizations may seem like the plot of an Orwellian-type movie — but it’s real.
What can you do to make sure “someone” is not watching you?
On an iPhone, go to Settings > General > Run Software Update and put this in the rearview mirror.
While most of us reading this would not be targets of this type of thing, I can guarantee some of you would be (media, lobbyists, elected officials, etc.)
NSO denies any wrongdoing and calls all this “misinformation” (hence my overuse of the word “alleged,” so the Mossad does not come looking for me).
Its statement is here, and you can draw your own conclusions, preferably after you run the security update.
Blake Dowling is CEO of Aegis Business Technologies. He is the author of the book Professionally Distanced, and the host of the Biz & Tech podcast. Dowling writes for several organizations and can be reached at [email protected].