Zero-click attacks: When your security is not up to you
Zero-click (or zero-touch) is a remote attack on a device that does not require any action from the user. It can be carried out over the air (OTA, over-the-air): it is enough for the victim to be within range of the wireless channel the attacker needs. This article is about such attacks.
Instead of an introduction
0-click attacks require no action from the user; 1-click attacks require some action. By and large, almost all attacks on server applications could be classed as 0-click, but this article is not about server software. The emergence of 1-click and 0-click attacks is tied to the mass adoption of mobile devices, the growth of network coverage and the number of Wi-Fi access points. Because of constant Internet use, mobile devices store a great deal of personal and confidential information. The ultimate goal of the attacker is precisely this user data, which now lives not on a server or a home computer but right in the user's pocket.
Over the past 10 years, all of our information and communication has moved from desktops to powerful mobile phones packed with smart hardware. The attack surface has therefore grown enormously.
It used to be that a firewall gave the user relative safety. Now it is clear that everyone is a potential target and, most importantly, the attack can be invisible.
How is this possible?
- Specially crafted data is transmitted to the victim's device over a wireless channel (GSM, LTE, Wi-Fi, Bluetooth, NFC, etc.; pick whichever applies).
- The vulnerability may be triggered while this data is processed directly on the chip (baseband, Wi-Fi SoC, Bluetooth SoC, NFC SoC, etc.).
- Or the data may travel a little further, and the vulnerability is triggered during preprocessing by the target application (calls, SMS, MMS, instant messengers, email clients, etc.) that prepares the data for the user.
- Next, the payload in the exploit carries out the post-exploitation actions.
In this case the victim makes exactly zero clicks, touches or page transitions! Such an attack is hard to prevent, and the victim cannot be blamed for following a phishing link in a message or opening some document. Some sources call the same kind of attack "fully remote" or "interaction-less"; there is no single established term.
The "convenience" of such an attack is that the attacker does not need to run social engineering sessions to persuade the user to click a link or open a document. Everything happens unnoticed, and the user may not realise at all that an attack has taken place. If you take the classic path, attacking a user application, almost everything there is already covered by various security mitigations. If you come in from the side of the various SoCs, there is a high probability of meeting a system with no security mitigations at all, which of course makes the attacker's work easier.
What kind of specially crafted data?
It can be anything:
- Service data exchanged with a cell tower (OTA commands)
- Link-layer packets
- Authentication responses
- SMS messages
- MMS messages
- Voice messages
- Video conferencing
- Messages in your favorite messenger (Skype, WhatsApp, Viber, FaceTime, Telegram, etc.)
Any of the above can trigger a vulnerability either in the chip's firmware or in the code of the application responsible for processing it. Unfortunately, even the code responsible for the earliest stages of data processing contains vulnerabilities.
As a bonus, we recommend the article by Natalie Silvanovich of Google Project Zero, "The Fully Remote Attack Surface of the iPhone".
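The weak point in the pipeline above is usually the first code that touches the received bytes: a length or count field arrives from the peer and is trusted before anything has validated it. The following added example (not from this article or from any of the referenced papers) illustrates this with a constructed record format, one byte of type, one byte of declared payload length, then the payload, which is an assumption for this example and not any real radio or messenger protocol. It shows the unchecked copy beside a hardened parser that validates the declared length against both the bytes actually received and the destination buffer, and returns a distinct error code for each failure mode.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout (an assumption for this example, not a real
 * protocol): [type:1][declared payload length:1][payload...]. A "text"
 * record (type 0x01) is copied into a fixed buffer before anything else
 * looks at it: the kind of early preprocessing step the article refers to. */
#define REC_TYPE_TEXT 0x01
#define TEXT_MAX 32

/* Return codes of the hardened parser. */
enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED = -1,  /* fewer bytes received than the header claims */
    PARSE_TOO_LONG = -2,   /* payload does not fit the destination buffer */
    PARSE_BAD_TYPE = -3
};

/* Vulnerable version: trusts the length byte that came from the peer.
 * A declared length above TEXT_MAX overruns 'text'; a declared length above
 * what was actually received reads past the input buffer. Only ever call
 * this with well-formed input; it exists to show the missing checks. */
int parse_text_record_unchecked(const uint8_t *in, size_t in_len, char *text)
{
    (void)in_len;                      /* the received size is never consulted */
    if (in[0] != REC_TYPE_TEXT)
        return PARSE_BAD_TYPE;
    uint8_t declared = in[1];
    memcpy(text, in + 2, declared);    /* no bound against TEXT_MAX or in_len */
    text[declared] = '\0';             /* may also write one past the buffer */
    return PARSE_OK;
}

/* Hardened version: every length that came from the peer is checked against
 * both the bytes actually received and the destination buffer. */
int parse_text_record(const uint8_t *in, size_t in_len, char *text)
{
    if (in_len < 2)
        return PARSE_TRUNCATED;        /* header itself is incomplete */
    if (in[0] != REC_TYPE_TEXT)
        return PARSE_BAD_TYPE;
    size_t declared = in[1];
    if (declared > in_len - 2)
        return PARSE_TRUNCATED;        /* would read past the received bytes */
    if (declared >= TEXT_MAX)
        return PARSE_TOO_LONG;         /* must leave room for the terminator */
    memcpy(text, in + 2, declared);
    text[declared] = '\0';
    return PARSE_OK;
}

/* Builds a record for demonstration. 'declared' is written as given, so a
 * header that lies about its payload length can be constructed on purpose.
 * Returns the number of bytes written, or 0 if the record does not fit. */
size_t build_record(uint8_t *out, size_t out_cap, uint8_t type,
                    uint8_t declared, const char *payload, size_t payload_len)
{
    if (out_cap < 2 + payload_len)
        return 0;
    out[0] = type;
    out[1] = declared;
    memcpy(out + 2, payload, payload_len);
    return 2 + payload_len;
}

/* Runs the hardened parser over one constructed record and returns its
 * result code; 'text' receives the decoded payload on success. */
int parse_case(uint8_t type, uint8_t declared, const char *payload,
               size_t payload_len, char *text)
{
    uint8_t rec[64];
    size_t n = build_record(rec, sizeof rec, type, declared, payload, payload_len);
    return parse_text_record(rec, n, text);
}

int main(void)
{
    char text[TEXT_MAX];
    /* Well-formed: header and payload agree and fit the buffer. */
    printf("well-formed: %d (%s)\n",
           parse_case(REC_TYPE_TEXT, 5, "hello", 5, text), text);
    /* Header claims 40 bytes, only 5 were received. */
    printf("truncated:   %d\n", parse_case(REC_TYPE_TEXT, 40, "hello", 5, text));
    /* Header is honest about 40 bytes, but 40 does not fit TEXT_MAX. */
    printf("too long:    %d\n", parse_case(REC_TYPE_TEXT, 40,
           "0123456789012345678901234567890123456789", 40, text));
    return 0;
}
```

The two truncation checks are the ones most often missing in real parsers: the first rejects a header that is itself incomplete, the second rejects a payload length that exceeds what was received, and both must be done before the destination-size check, because comparing against the buffer alone still allows an over-read of the input.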
Are there any real examples?
Interest in such attacks in research circles is fairly recent, and they are now gaining considerable popularity. Among the work in this area, the following stand out (the list does not claim to be complete):
In the Wi-Fi area:
- "Over The Air: Exploiting Broadcom’s Wi-Fi Stack", Gal Beniamini (2017)
- "BroadPwn: Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets", Nitay Artenstein (2017)
- "Researching Marvell Avastar Wi-Fi: from zero knowledge to over-the-air zero-touch RCE", Denis Selyanin (2018)
- "Reverse-engineering Broadcom wireless chipsets", Hugues Anguelkov (2019)
- "Exploiting Qualcomm WLAN and Modem Over The Air", Xiling Gong, Peter Pi (2019)
In the baseband area:
- "Fuzzing the Phone in your Phone", Charlie Miller, Collin Mulliner (2009)
- "All your baseband are belong to us", Ralf-Philipp Weinmann (2010)
- "The Baseband Apocalypse", Ralf-Philipp Weinmann (2011)
- "Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks", Ralf-Philipp Weinmann (2012)
- "Breaking Band: reverse engineering and exploiting the Shannon baseband", Nico Golde, Daniel Komaromy (2016)
- "Path of Least Resistance: Cellular Baseband to Application Processor Escalation on Mediatek Devices", György Miru (2017)
- "A Walk with Shannon: Walkthrough of a pwn2own Baseband Exploit", Amat Cama (2018)
- "Exploitation of a Modern Smartphone Baseband", Marco Grassi, Muqing Liu, Tianyi Xie (2018)
A note on baseband processor operation:
When it comes to exploiting basebands via a rogue base station, it is worth noting that, starting with 3G, most packets must be authenticated with a special key. Quote from "Exploitation of a Modern Smartphone Baseband": "This is because originally 2G (second generation) networks considered the BTS (base station) as a trusted component, out of reach from attackers. So the phone will blindly trust anyone posing as a BTS. This makes it possible to build a fake BTS and launch attacks over the air. Only the base station is authenticating the mobile phone, but not vice versa. After the advent of SDR, it becomes clear that now the BTS cannot be trusted anymore. Nowadays it's very cheap to build a fake base station and attack mobile phones. For this reason in 3G networks and newer the approach changed. Now the mobile phone, leveraging keys in the SIM card, will authenticate the 3G or newer base station usually. This removes a lot of attack surfaces in 3G and newer networks, which require to bypass authentication."
Because most modern basebands support 3G and 4G, and networks prefer the newer standards (they take priority), the attacker needs additional techniques that downgrade the modem's default connection mode (as far as 2G).
There may be further nuances, and everything depends on the specific implementation of the chip.
In the Bluetooth area:
- "BlueBorne" (2017)
- "BLEEDINGBIT" (2018)
- "CVE-2018-9555 and CVE-2019-2009 in the Android Bluetooth stack" (2018, 2019)
In the instant messenger area:
- "Adventures in Video Conferencing Part 2: Fun with FaceTime", Natalie Silvanovich (2018)
- "Adventures in Video Conferencing Part 3: The Even Wilder World of WhatsApp", Natalie Silvanovich (2018)
- "Android Messaging: A Few Bugs Short of a Chain", Natalie Silvanovich (2019)
- "Towards Discovering Remote Code Execution Vulnerabilities in Apple FaceTime", Tao Huang, Tielei Wang (2019)
Analysing the work above shows that, in addition to the remote code execution vulnerability itself, a serious attack as a rule needs further vulnerabilities: ones that escalate privileges in the system (in the case of instant messengers), or ones that move code execution from a peripheral chip (Wi-Fi, baseband, etc.) to the main processor (the Application Processor). Only by assembling a chain of vulnerabilities can a device be fully compromised.
Real zero-click incidents are hard to pin down. Turning to 1-click, however, one immediately recalls the attack using the Pegasus malware, the investigation "A very deep dive into iOS Exploit chains found in the wild" and the recent CVE-2019-11932 in WhatsApp, which leads to RCE.