NSA warns iPhone and Android users to turn it off and on again


Updated 01/06, this article was originally published on 30/05.

While some people may worry that the National Security Agency itself is spying on their phones, the NSA has some sage advice for iPhone and Android users concerned about zero-click exploits and the like: turn it off and back on again once a week.

How often do you turn off your iPhone or Android device? That means powering it off completely and then restarting it, rather than just putting it into sleep mode. I suspect that for many people the answer is only when a security or operating system update requires it. According to the NSA, this could be a serious mistake.

NSA iPhone and Android device security and privacy best practice guidance

In a document detailing several mobile device best practices, the NSA recommends that users turn their devices off and on once a week to protect against zero-click exploits, which attackers often use to eavesdrop on phones and collect data from them.

Users can mitigate the threat of spear phishing, which can lead to the installation of even more malware and spyware, with the same simple action. However, the NSA document warns that the advice to turn it off and on will only sometimes prevent these attacks from being successful.

“Threats to mobile devices are becoming more widespread and increasingly extensive and complex,” the NSA said, while warning that some smartphone features “provide convenience and functionality but sacrifice security.” As such, doing something is always better than doing nothing when it comes to being proactive about the security of your device and data.

The advice given is not a miracle solution that will solve all your security problems, it should be noted. Indeed, the NSA document includes a chart that shows the effectiveness of each tactic against different threats. While this is good general advice, turning it off and then back on won’t help you against many of the more advanced malware and spyware threats that are programmed to reload upon reboot.

Balancing Smartphone Convenience and Security

The NSA also advises phone users to turn off Bluetooth when not using it, update the device as soon as possible when operating system and application updates are available, and disable location services when not needed. As you can already see, the trade-off between security and convenience comes into play for most of the advice given. Add to that not using public Wi-Fi networks and public charging stations, although many security experts consider the risk to be low in most real-world use cases, and many smartphone users are likely to roll the dice.

When it comes to public Wi-Fi, there is a difference between the risks that may be present and the actual risk to an individual. While it is possible for a determined criminal to use unsecured networks for nefarious purposes, this usually involves tricking an unsuspecting user into connecting to their Wi-Fi hotspot rather than the one provided by the train company, the airport or the café. A recently revealed vulnerability that can lead to what’s called an SSID confusion attack is a good example of how this can work. I won't go into the technical details here (read the article about it for those), but it can disable your VPN in certain circumstances and make it appear that you’re connected to a secure network when you’re not. But, again, most unsecured public Wi-Fi networks are safe to use for general activities. The UK’s National Cyber Security Centre suggests users connect via their 4G or 5G mobile network, as these “will have built-in security and you will also be able to use the tethering feature on most of these devices to connect your laptop to your smartphone’s network.” This makes sense when performing sensitive activities like online banking, for example. There’s a great thread on Reddit that digs deeper into the facts for more information.

That said, I totally agree with the on and off advice because it only takes a minute or two out of your week and it’s a good habit to get into. In fact, I’d say make a habit of doing it every day, perhaps as part of your bedtime routine.

The NSA also says that “strong” lock screen PINs and passwords should be used, advising a minimum of a six-digit PIN as long as your smartphone is set to wipe after 10 incorrect attempts and to automatically lock after 5 minutes with no input. More broadly, Oliver Page, CEO of cybersecurity company Cybernut, says users should “generate strong, unique passwords for each account using a password manager” and avoid common phrases, dictionary words, and reusing passwords across multiple accounts.

The NSA further warns against opening email attachments and links, even when the sender appears legitimate, because senders can easily pass on malicious content without realizing it or because their accounts are compromised. “Learn to recognize phishing attempts by checking email sender addresses, website URLs, and examining email content for signs of manipulation,” says Page.

When it comes to sensitive conversations or messages, the NSA warns against having these on personal devices, even if you think the content is generic. It’s a bit restrictive to say the least, given that many of us use our smartphones for this. However, falling for social engineering tactics, like responding to unsolicited emails or messages, is a whole different matter from phishing. “Following social engineering tactics, such as responding to unsolicited emails requesting sensitive information, can lead to account compromise and identity theft. These phishing attempts often impersonate legitimate entities, tricking individuals into disclosing confidential information,” explains Page, adding: “Trusting phone calls or messages without verification can lead to serious consequences, as scammers manipulate victims into disclosing sensitive information or taking actions that compromise their security.”

Federal Communications Commission Offers Sage Smartphone Security Tips

The Federal Communications Commission, an independent agency of the U.S. government, also offers relevant security tips for smartphone users. There is much overlap in the advice offered by different governments and law enforcement agencies, but some advice from the FCC is worth mentioning here. Do not modify the security settings of your smartphone, for example. “Tampering with your phone’s factory settings, jailbreaking, or rooting your phone compromises the built-in security features offered by your wireless service and your smartphone,” the FCC advises, “while making it more vulnerable to attacks.” I agree with the mantra of not disabling security settings for convenience, but I recognize that this is likely to be overlooked by the general user, for whom convenience is paramount until a security incident affects them personally.

The FCC also warns that it is important to understand app permissions because a malicious app developer can use these to bypass certain security features. Fortunately, modern mobile operating systems have made granting such permissions more transparent than ever, but it still pays to be alert to the danger. “You should be careful when granting apps access to personal information on your phone or allowing the app to access features on your phone,” the FCC said.

Another option that has become even simpler with the evolution of these operating systems is the possibility of remotely erasing data from a stolen or lost smartphone. Just make sure you set this up so it can work to your advantage if the worst happens. “In the event that you misplace your phone,” the FCC guide states, “some apps can activate an audible alarm, even if your phone is in silent mode. These apps can also help you locate and recover your phone in case of loss.”

And finally, always erase the data on your device and reset it to factory settings before selling or disposing of your phone.
