NEWS The “Zero-Day” Era: No More Secure Smartphones — Only the Illusion of Safety

ExcalibuR


The device meant to protect us has become the main threat.


The FBI recently held a closed briefing for U.S. Congressional staff to reinforce mobile security protocols after a personal smartphone belonging to White House Chief of Staff Susie Wiles was compromised. Her contact list was allegedly used to send messages and make calls impersonating Wiles in attempts to reach U.S. lawmakers.


According to The Wall Street Journal, the attackers not only sent messages and made calls but likely used artificial intelligence to mimic Wiles’ voice. She informed her inner circle that her phone had been hacked and her contact list stolen, giving the attackers access to phone numbers of influential politicians.


Although the attack appeared to be an extortion attempt rather than a sophisticated intelligence operation, the consequences were serious. Lawmakers became suspicious when the impersonator asked odd questions about Donald Trump — questions Wiles would already know the answers to — and even requested money transfers. Recipients noted the unusually formal language and grammatical errors, and the messages came from a number that wasn't Wiles’.


The situation escalated after the murder of former Minnesota House Speaker Melissa Hortman and her husband, and an attack on State Senator John Hoffman and his wife. These events prompted the FBI to meet with U.S. Senate staff — more than 140 attended, a rare turnout for such briefings, especially without the usual free food.


However, Senator Ron Wyden, one of the Senate’s most tech-savvy members, criticized the FBI’s recommendations as superficial. In a letter to FBI Director Kash Patel, he denounced the agency for offering only basic advice like avoiding suspicious links, updating software, disabling Bluetooth, and rebooting devices regularly.


According to Wyden, these steps are far from sufficient to protect Congress members and other high-profile targets from cyber espionage using modern surveillance tools. Today’s market offers widely accessible “zero-click” exploits — tools that can infect a device without any user interaction, often sold to governments by private firms.


Wyden urged the FBI to recommend built-in advanced protection features available in mobile operating systems. These include “Lockdown Mode” on iPhones, designed specifically for users at risk of targeted attacks. This mode disables unnecessary system features, significantly reducing potential vulnerabilities. A similar feature on Android is “Advanced Protection Mode.”


He also proposed updating security training to include broader privacy measures — such as disabling ad IDs, blocking ad network tracking, using ad blockers, and avoiding services that collect personal data. Investigations revealed such services helped a suspect locate the victims in the Minnesota attacks.


Wyden emphasized that although the FBI has issued similar advice in past bulletins, in light of ongoing attacks, this is no longer enough. Recommendations must now be clear, comprehensive, and mandatory.


Nicholas Weaver of the International Computer Science Institute at Berkeley supported Wyden’s initiative. He believes all Congressional members and staff should have Lockdown Mode or equivalent protections enabled by default. He recalled that in September 2023, Citizen Lab successfully thwarted a zero-day attack using Lockdown Mode — the attack targeted iOS devices and attempted to install spyware without user interaction.


More recently, Citizen Lab uncovered another such attack — devices were infected via a malicious media file sent through iMessage. The vulnerability, CVE-2025-43200, was patched by Apple in February 2025 with iOS 18.3.1.


Although Apple hasn’t confirmed whether this vulnerability could bypass Lockdown Mode, the same month, the company also fixed another critical flaw — CVE-2025-24200. That exploit allowed USB protection to be bypassed on a locked device, but only with physical access.


Experts stress that if a device falls into the wrong hands, no digital protection will help. That’s why the current focus is on preventing remote infections, primarily using defenses already built into mobile operating systems.
 