HACKER Q&A
📣 apienx

Are we entering a 0-click era?


Just finished reading Project Zero's sobering blog post on the NSO 0-click iOS exploit (see googleprojectzero.blogspot.com). If an integer overflow vulnerability in iMessage's GIF codec can be turned into a pretty much full-fledged 64-bit VM, then there's simply no trusting anything more sophisticated than a tin can phone. And even if you only use a basic feature phone, you can still be targeted by 0-click (e)SIM attacks (e.g. the ones targeting S@T browser or WIB and probably many more yet-to-be-discovered flaws). Plus all the (pseudo?)-lawfully backdoored layers (pretty sure it doesn't take less-than-democratic states more than a few threatening emails to the compliance department of most banks to get access to their banking app).

Assuming that the number of 0-click exploits will increase with the complexity of our phones, do you think we're entering a great-equalizer-era where the tech-savvy political dissident has the same chance to avoid malware/interception as the novice? Or are there best practices to manage risk (compartmentalization, makeshift hardware switches, frequently changing/resetting devices, etc.)?


  👤 jmercouris Accepted Answer ✓
Security is more than just the software and hardware you are running. It is also the strategies you employ, which you've hinted at. You can minimize your risk exposure by taking certain key steps:

1. hardware switches for microphones, cameras

2. restrict when and what you connect to on your devices

3. using air gapped devices when necessary

4. use different devices for different activities

The list of course goes on and on. It depends on what your security needs are. Security does not end with software and hardware mitigation, it only begins there.


👤 taubek
This really sounds scary, but I guess that security will follow with its own advancements. I like to say, "If there is a lock, there is a way to open it". I just hope that "locks" will be one step ahead....

👤 ryanlol
Of course not, the situation is already far better than it was 5 or 10 years ago. If anything, we’re slowly exiting the 0-click era, not entering it.

👤 notMyne
One company who is notorious for cutting corners and having poor security shouldn't be the norm.

Would this get caught in an open source project? Significantly more likely.

Would this get caught by a company that relies on quality over marketing? Who knows.

People are shocked a company who has been selling low to medium quality products has a security issue. I'm not shocked.