Paris (AFP)

This week, Apple fixed a major security vulnerability that allowed spyware to enter iPhones and iPads, using "zero-click" attacks.

These are deployed in devices without even the owner having to click on a link.

How do they work and what can be done to stop them?

- What is a "zero-click" attack?


"Zero-click attacks are a threat of a higher level" than traditional attacks, explains John Scott-Railton, researcher at Citizen Lab, the center for cybersecurity at the University of Toronto which discovered the flaw at Apple.

Classic spyware requires that the person targeted by the attack click on a link or a trapped file to install the program on their phone, tablet or computer.

On the contrary, during a zero-click attack, the software sneaks into the device without the target having to click on any link.

A crucial technique for potential spies, at a time when users are increasingly suspicious of the messages they receive.

The zero-click attacks exploited a loophole in Apple's iMessage messaging service to quietly install Pegasus, invasive software capable of turning a phone into a mini cookie.

In July, some governments were accused of using the software to spy on human rights defenders, businessmen and politicians, sparking a global scandal.

- Can I know if my phone is infected?


The answer is simple: "No", asserts Scott-Railton.

"There is nothing there is anything that users can do to protect themselves against these attacks and there will be nothing to tell you that you are infected."

It is for this reason that Apple took the threat very seriously, explains the researcher.

The group also announced the resolution of the problem just a week after the Citizen Lab revelations on September 7.

Reactivity "very rare, even for a large company," says Scott-Railton, who urges Apple users to install the software update released by the tech giant on Monday.

- Why are messaging applications so vulnerable?


Already in 2019, Pegasus used loopholes in WhatsApp messaging to carry out zero-click attacks.

For Scott-Railton, the ubiquity of these applications makes them tempting targets for the Israeli company NSO, the origin of Pegasus.

“In any phone there is a good chance that a messaging app is installed,” he explains.

"Infecting phones via messaging is therefore a simple and effective way to achieve your ends."

Messaging applications are "a very important target for hacking operations, whether carried out by states or by private actors like NSO", adds Scott-Railton.

- Can these attacks be stopped?


For Vivien Raoul, CTO of cybersecurity company Pradeo, the discovery of the iMessage flaw is "a good start to shrinking Pegasus' front doors, but it won't be enough to stop it."

Malware designers will look for potential weaknesses in other popular apps, inevitably involving the discovery of flaws from time to time, related to their high complexity, experts warn.

However, Google's Android and Apple's iOS operating systems "regularly correct a large number of vulnerabilities," said Vivien Raoul.

NSO, which has former senior Israeli military intelligence officers in its ranks, has considerable resources to investigate these weaknesses, while hackers also sell it dark web access.

© 2021 AFP