Experience Report on the Challenges and Opportunities in Securing Smartphones Against Zero-Click Attacks
Zero-click attacks require no user interaction and typically exploit zero-day (i.e., unpatched) vulnerabilities in instant chat applications (such as WhatsApp and iMessage) to gain root access to the victim's smartphone and exfiltrate sensitive data. In this paper, we report our experiences in...
Saved in:
Main Authors | , , , |
---|---|
Format | Journal Article |
Language | English |
Published |
05.11.2022
|
Subjects | |
Online Access | Get full text |
Cover
Loading…
Summary: | Zero-click attacks require no user interaction and typically exploit zero-day
(i.e., unpatched) vulnerabilities in instant chat applications (such as
WhatsApp and iMessage) to gain root access to the victim's smartphone and
exfiltrate sensitive data. In this paper, we report our experiences in
attempting to secure smartphones against zero-click attacks. We approached the
problem by first enumerating several properties we believed were necessary to
prevent zero-click attacks against smartphones. Then, we created a security
design that satisfies all the identified properties, and attempted to build it
using off-the-shelf components. Our key idea was to shift the attack surface
from the user's smartphone to a sandboxed virtual smartphone ecosystem where
each chat application runs in isolation. Our performance and usability
evaluations of the system we built highlighted several shortcomings and the
fundamental challenges in securing modern smartphones against zero-click
attacks. In this experience report, we discuss the lessons we learned, and
share insights on the missing components necessary to achieve foolproof
security against zero-click attacks for modern mobile devices. |
---|---|
DOI: | 10.48550/arxiv.2211.03015 |