Ask HN: Are we entering a 0-click era?

14 points by apienx ↗ HN
Just finished reading Project Zero's sobering blog post on the NSO 0-click iOS exploit (see googleprojectzero.blogspot.com). If an integer overflow vulnerability in iMessage's GIF codec can be turned into a pretty much full-fledged 64-bit VM, then there's simply no trusting anything more sophisticated than a tin can phone. And even if you only use a basic feature phone, you can still be targeted by 0-click (e)SIM attacks (e.g. the ones targeting S@T browser or WIB and probably many more yet-to-be-discovered flaws). Plus all the (pseudo?)-lawfully backdoored layers (pretty sure it doesn't take less-than-democratic states more than a few threatening emails to the compliance department of most banks to be get access to their banking app).

Assuming that the number of 0-click exploits will increase with the complexity of our phones, do you think we're entering a great-equalizer-era where the tech-savvy political dissident has the same chance to avoid malware/interception as the novice? Or are there best practices to manage risk (compartmentalization, makeshift hardware switches, frequently changing/resetting devices, etc.)?

10 comments

[ 3.0 ms ] story [ 36.5 ms ] thread
Security is more than just the software and hardware you are running. It also the strategies you employ, which you've hinted at. You can minimize your risk exposure by taking certain key steps:

1. hardware switches for microphones, cameras

2. restrict when and what you connect to on your devices

3. using air gapped devices when necessary

4. use different devices for different activities

the list of course goes on and on. it depends on what your security needs are. Security does not end with software and hardware mitigation, it only begins there.

that sounds complicated. I'll just put a sticker on my laptop camera
Of course not, the situation is already far better than it was 5 or 10 years ago. If anything, we’re slowly exiting the 0-click era, not entering it.
I can't remember any recent good news about 0click mitigation
Nobody reports this stuff, but exploit kits like blackhole have completely disappeared. (Sure, maybe technically not “0click” even if delivered via an ad on nytimes.com)

The situation has dramatically improved during the past 30 years, but so has reporting. It’s the improved reporting that makes it sound like as if the world is on fire.

It's not obvious to me. As phones get new features, it stands to reason that the attack surface would also increase.

Note that I'm specifically referring to the mobile phone industry (people in at-risk countries rarely have computers).

One company who is notorious for cutting corners and having poor security shouldn't be the norm.

Would this get caught in an open source project? Significantly more likely.

Would this get caught by a company that relies on quality over marketing? Who knows.

People are shocked a company who has been selling low to medium quality products has a security issue. I'm not shocked.

This really sounds scary, but I guess that security will follow with its own advancements. I like to say, "If there is a lock, there is a way to open it". I just hope that "locks" will be one step ahead....