iPhone Zero-Click Exploits: How They Work and How to Protect Yourself

April 03, 2025

Zero-click exploits on the iPhone are among the most dangerous forms of digital attacks. All it takes is for attackers to send a prepared message or file to your device—no clicking or active opening required. “Zero-click” means that no user interaction is necessary. These attacks are extremely complex and primarily target high-profile individuals such as journalists, activists, or government officials. Apple itself describes these attacks as “extremely rare but highly sophisticated” and has introduced the Lockdown Mode (also known as the “Extreme Protection Mode”) to counter them.

In this article, we’ll look at how zero-click attacks work on a technical level, what security measures Apple has implemented (and how attackers circumvent them), who is behind this type of spyware—particularly the NSO Group—and finally, what you can do to protect your iPhone as effectively as possible.

Technical Background: How Do Zero-Click Exploits Arise?

For a zero-click attack to work, the operating system—or a service like iMessage—must automatically process data without user intervention. This happens, for example, when your iPhone receives a new message and immediately tries to analyze the attachment or text to display a preview (e.g., an image preview or link preview).

• Parsers and Memory Corruption

iMessage, HomeKit, WhatsApp, and other services use “parsers” to prepare data (images, videos, documents) for display. During this process, complex memory operations take place, which can contain vulnerabilities. If attackers manage to overflow the parser (e.g., via buffer overflow, integer overflow) or trigger other memory errors (use-after-free) by sending specially crafted data, malicious code can enter the system. With this initial access, attackers will typically attempt to break out of the sandbox and ultimately gain full control over the device.

• Automatic Processing

iPhones are designed to automatically process content such as images or links to provide users with a seamless experience. However, this “preview rendering” can be exploited if the incoming data is manipulated. Because no confirmation is required, this type of attack is called a zero-click attack.

• Logic Errors Instead of Classic Exploits

Some attacks rely less on memory errors and instead take advantage of so-called “logic errors.” Here, legitimate but poorly designed functions or processes in iOS are misused to bypass security mechanisms. One example is HomeKit invitations or special iMessage messages that the system processes in a way never intended, ultimately allowing unauthorized code execution.

In short, zero-click vulnerabilities exist because iOS automatically and deeply integrates diverse content into the system. Wherever complex processes exist, errors can occur—and these can potentially allow attackers to execute malicious code without any user interaction.

Technical Analysis of Known Zero-Click Attacks on iOS

Pegasus, Kismet, and FORCEDENTRY: iMessage as the Entry Point

The Israeli NSO Group gained international notoriety with its spyware “Pegasus.” Pegasus is used by government entities to spy on smartphones—often without the knowledge of the individuals affected.

Kismet (2020)
Targeted iPhones running iOS 13.x by exploiting a vulnerability in iMessage. Simply sending a specially crafted iMessage was enough to compromise a device. Apple only closed this loophole with iOS 14, when new security mechanisms were introduced.
FORCEDENTRY (2021)
Circumvented the new security features in iOS 14. Attackers sent what appeared to be a harmless GIF file, which was actually a manipulated PDF. A vulnerability in Apple’s image processing library (CoreGraphics) was exploited to escape the iMessage sandbox and execute arbitrary code. Notably, FORCEDENTRY bypassed the “BlastDoor” security module by attacking a process (IMTranscoderAgent) that was not initially protected by BlastDoor.

Attacks Beyond iMessage: HomeKit, Find My, and More

WhatsApp
In 2019, a vulnerability was discovered in WhatsApp’s video call feature that allowed Pegasus to be installed even if the victim did not answer the call. This shows that not only Apple services can be affected.
HomeKit and Find My
In 2022, Citizen Lab uncovered several zero-click chains targeting iPhones running iOS 15/16. One called “PWNYOURHOME” involved sending HomeKit-sharing invitations to the victim and exploiting a flaw in the HomeKit daemon to compromise the system. This was followed by a second exploit stage via iMessage. Apple patched these vulnerabilities in iOS 16.3.1.
FaceTime Bug (2019)
Although this was not spyware, it was a serious logic error: Callers could activate the microphone of the person being called without the call being accepted. This example illustrates that any unexpected input can become a point of entry for attackers.
Wireless Interfaces
In 2020, a Google researcher demonstrated how the Apple wireless protocol AWDL (used by AirDrop) could be exploited to take over iPhones within range, without user interaction. The underlying vulnerability was later patched.

File Formats and Techniques

Malicious files often disguise themselves as common formats (e.g., PDF, GIF, or PassKit packages) to trick parsers. Many zero-click exploits rely on memory corruption bugs (buffer overflow, use-after-free, integer overflow) to initially execute code, then chain additional vulnerabilities to escape the sandbox (privilege escalation). Newer attacks increasingly use logic errors that can bypass common memory protection mechanisms.

Apple’s Security Measures Against Zero-Click Attacks

Sandboxing and Privilege Restrictions
Every app, including system apps like iMessage, runs in an isolated environment. If a service is compromised, attackers must exploit an additional vulnerability to gain access to the entire system. FORCEDENTRY, for example, combined multiple exploit steps.
ASLR (Address Space Layout Randomization)
Memory addresses are randomly distributed, making traditional exploit techniques more difficult. Skilled attackers often circumvent ASLR with information leaks or “heap grooming.”
Pointer Authentication (PAC)
Starting with the A12 chip, the hardware signs critical pointers with a secret key. Manipulated pointers usually cause crashes instead of code execution. However, logic-error attacks are largely immune to PAC.
BlastDoor
Introduced in iOS 14, BlastDoor runs as a specially hardened sandbox process that isolates incoming iMessage content (images, links, attachments). The idea is that an exploit will only compromise BlastDoor and not the rest of the system. Still, FORCEDENTRY showed that an unprotected side process (IMTranscoderAgent) could be used to bypass BlastDoor. Apple continues to improve BlastDoor over time.
Lockdown Mode (Extreme Protection Mode)
Available from iOS 16 onward, intended for users at extremely high risk. Lockdown Mode (also called Blockiermodus) disables many potential attack vectors, such as complex message types, link previews, HomeKit invitations, or FaceTime calls from unknown sources. Citizen Lab confirmed that some NSO attacks failed when Lockdown Mode was enabled. For most users, however, this mode imposes too many limitations and remains optional.

Despite these measures, attackers continually discover new vulnerabilities in services or protocols that are not yet fully covered by BlastDoor and similar defenses. It remains a constant arms race between Apple and professional exploit developers.

NSO Group and Others: Who Is Behind These Attacks?

The development of expensive zero-click exploits is usually carried out by specialized companies that sell these attacks as “hacking-as-a-service” to government customers. Examples include:

NSO Group (Israel)
Known for its Pegasus spyware, officially used to fight terrorism but proven to have been used against journalists, opposition figures, and human rights lawyers.

Candiru (Israel)
Developer of the “DevilsTongue” spyware, exposed by Microsoft in 2021 and sanctioned in the United States along with NSO.

Cytrox/Intellexa (Europe/Israel)
Maker of the Predator spyware. Following reports of misuse in Greece, the US government imposed sanctions on them as well.

QuaDream (Israel)
A smaller company founded by former NSO employees; exposed by Microsoft and Citizen Lab in 2023 (codename “Reign”).

FinFisher (Germany/UK) and Hacking Team (Italy)
Former major players, severely weakened or dissolved due to scandals and raids.

As more cases come to light in which state-sponsored spyware is used for human rights abuses, global pressure on the “mercenary spyware” industry is growing. The United States has blacklisted several of these companies and imposed sanctions. Apple sued NSO in 2021 but withdrew the lawsuit in 2024. In the European Union, the “PEGA” committee investigated the Pegasus scandal. A complete ban on such technologies, however, has not yet been implemented.

How to Protect Yourself

While zero-click attacks are extremely dangerous, they affect only a small number of specifically targeted individuals. Those working in politics, journalism, activism, or similar high-risk areas should be especially cautious:

Keep iOS Up to Date
Install updates as soon as possible, as many zero-click attacks exploit known but unpatched vulnerabilities.
Enable Lockdown Mode (Blockiermodus) If at High Risk
If you are at high risk, you can enable Lockdown Mode in iOS 16 and later. It blocks many attack vectors but also restricts certain features.
Be Cautious With Messages From Unknown Senders
Even though zero-click attacks don’t require any action, it’s still advisable to be wary of unexpected attachments, invitations, or messages.
Disable Unused Services
If you don’t use HomeKit, you can turn it off. The same goes for FaceTime or iMessage if you truly don’t need them. A smaller attack surface makes attacks more difficult.
Consider Alternative Messengers and Configurations
While iMessage is generally seen as secure, it has been a primary target for many attacks. Other messengers (e.g., Signal, Threema, Session) have been less frequently targeted. Also, where possible, disable link previews and automatic media downloads.
Avoid Installing Unknown Profiles or Certificates
Stick to the official App Store. Suspicious configuration profiles or enterprise certificates can circumvent security mechanisms.
Monitor Your Device’s Behavior
Watch for frequent crashes, extremely short battery life, or alert messages from Apple. If you suspect serious compromise, consider a forensic check, for example with the Mobile Verification Toolkit (MVT).
Physical Security and Social Engineering
Protect your device with a strong passcode, don’t leave it unattended, and be vigilant about phishing attempts. Not all attacks are purely technical—social engineering or direct physical access can also be dangerous.

Conclusion

Zero-click exploits sound like something out of a spy thriller—and their technical sophistication is indeed remarkable. At the same time, they pose a severe threat to victims because they require no user action. Apple has already introduced numerous security mechanisms—sandboxing, pointer authentication, BlastDoor, and Lockdown Mode—but well-funded companies like NSO Group continue to discover new vulnerabilities.

Security is a process, not a state: Keep your iPhone updated, adjust your settings, and enable Lockdown Mode if you fall into a particularly high-risk group. Most users will never directly encounter zero-click attacks, but they benefit indirectly from Apple’s ongoing security updates. Nevertheless, a healthy degree of vigilance is the best defense in a world where highly professional attacks have, unfortunately, become a reality.