Light-headed and sleep-deprived, sitting in Hong Kong (China) en route to Osaka with three hours to kill, I found myself people-watching rather than sleeping. Around me was a familiar modern tableau: executives clutching the latest smartphones, a few stubborn laptops still in evidence, all of us quietly tethered to our digital lives. A question surfaced that refused to go away: what would an attacker gain if they owned just one of these executives’ phones for thirty days? I suspect most organisations would be deeply uncomfortable with the answer.
Most enterprises are far more exposed than they realise because they still treat phones as endpoints with a limited blast radius. That mental model belongs to another era. Today’s corporate phone is not peripheral; it is a portable identity hub, a miniature data centre in its own right, sitting permanently inside the organisation’s trust boundary. Laptops are locked down, monitored and instrumented for detection. Phones, by contrast, are often managed only to a baseline compliance standard (enrolment, passcode, OS version) and viewed as communication tools rather than gateways into systems, data and decisions.
Modern phones hold persistent single sign-on sessions, approve multi-factor authentication prompts, access email and collaboration platforms, and continuously synchronise sensitive documents and thousands of contacts. Compromise a laptop and the impact is often noisy and localised. Compromise a phone and the impact is quiet and systemic. The attacker does not need to escalate privileges or move laterally; they inherit a legitimate identity, with its tokens and its second factor, and observe normal workflows from the inside. From a SOC perspective, everything looks legitimate, because it is: the requests come from the enrolled device, over the user’s own sessions, during the user’s own working hours.
This risk is routinely missed because mobile platforms expose little telemetry and SOC tooling is built for servers, networks and desktops. There may be no malware alert, no anomalous login and no suspicious traffic. The organisation has not been breached in the traditional sense; it has been silently observed. Zero-click attacks make this starkly clear: compromise occurs without any user interaction, the exploit executes inside trusted system components, and the phone carries on doing exactly what it was designed to do.
Zero-click exploits do not mean the SOC is failing. They mean the threat model has changed and the quietest device in the room may now be the loudest risk.
A few people may wonder how I am logging in securely from an airport in China to write this, when writing about the very risk of the act. In short: no public Wi-Fi, layered connectivity and multiple tunnels. My laptop is tethered to my iPad’s private hotspot, itself on a private 5G connection, with iCloud Private Relay and a UK-based VPN in place, and the laptop itself runs its own VPN over that link. It is not magic and does not eliminate risk entirely, but it meaningfully reduces exposure at the network edge.
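A stacked-tunnel setup like the one above only reduces edge exposure if every packet, including DNS, actually leaves through the tunnel rather than the hotspot. The following is an added example, not code from the original post or from any VPN client: it parses Linux `ip route show` output, performs a longest-prefix-match lookup for a set of probe destinations and DNS resolvers, and flags any that would egress on a non-tunnel interface. The route tables, interface names (`tun0`, `wlan0`) and addresses are constructed for the example; the tunnel-interface name pattern and the Linux route format are assumptions, and macOS `netstat -rn` output would need a different parser. Route metrics are ignored, so two routes with the same prefix length are treated as a tie.

```python
import ipaddress
import re

# Assumption: tunnel interfaces follow these naming conventions (OpenVPN tun/tap,
# Apple utun, WireGuard wg, PPP). Adjust for the VPN client in use.
TUNNEL_IFACE = re.compile(r"^(tun|utun|wg|tap|ppp)\d*$")

# Matches the leading "<dst> [via <gw>] dev <iface>" of an `ip route show` line.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")

# Constructed sample: full-tunnel VPN using the 0.0.0.0/1 + 128.0.0.0/1 trick to
# override the hotspot default route without deleting it. 203.0.113.10 is the
# VPN server, which legitimately stays on the underlay (wlan0).
ROUTES_TUNNELED = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 172.20.10.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
172.20.10.0/28 dev wlan0 proto kernel scope link src 172.20.10.3 metric 600
203.0.113.10 via 172.20.10.1 dev wlan0
"""

# Constructed sample: the tunnel is up but the client pushed no default route,
# so general Internet traffic still leaves via the hotspot.
ROUTES_LEAKY = """\
default via 172.20.10.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
172.20.10.0/28 dev wlan0 proto kernel scope link src 172.20.10.3 metric 600
203.0.113.10 via 172.20.10.1 dev wlan0
"""


def parse_routes(text):
    """Return a list of (network, interface) pairs from `ip route show` text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skip blackhole/unreachable lines and anything unrecognised
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, m.group("dev")))
    return routes


def route_for(routes, ip):
    """Longest-prefix match: the interface the kernel would pick for `ip`."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def leak_report(route_text, resolvers, probes):
    """Map each probe/resolver address to (egress interface, leaves via tunnel?)."""
    routes = parse_routes(route_text)
    report = {}
    for ip in list(probes) + list(resolvers):
        dev = route_for(routes, ip)
        report[ip] = (dev, bool(dev and TUNNEL_IFACE.match(dev)))
    return report


def is_leak_free(route_text, resolvers, probes):
    """True only if every probe destination and every DNS resolver egress via a tunnel."""
    return all(ok for _, ok in leak_report(route_text, resolvers, probes).values())


if __name__ == "__main__":
    # Public probe addresses and the resolver pushed by the VPN (constructed).
    probes = ["1.1.1.1", "198.51.100.7"]
    for label, table, resolvers in [
        ("full tunnel, tunnel DNS", ROUTES_TUNNELED, ["10.8.0.1"]),
        ("full tunnel, hotspot DNS", ROUTES_TUNNELED, ["172.20.10.1"]),
        ("split tunnel, tunnel DNS", ROUTES_LEAKY, ["10.8.0.1"]),
    ]:
        print(label, "->", "OK" if is_leak_free(table, resolvers, probes) else "LEAK")
        for ip, (dev, ok) in leak_report(table, resolvers, probes).items():
            print(f"  {ip:>14} via {dev or '(no route)':6} {'tunnel' if ok else 'LEAK'}")
```

On a live machine, feed it the output of `ip route show` and the nameservers from `/etc/resolv.conf` (or `resolvectl status`); a resolver reachable only via the hotspot interface is the classic DNS leak that a second VPN layer does nothing to fix.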
Posted on January 28, 2026