
The NSA is warning iPhone and Android users to turn it off and on again

Updated on 06/01, this article was originally published on 05/30.

While some people may worry that the National Security Agency itself is spying on their phones, the NSA has some sage advice for iPhone and Android users concerned about zero-click exploits and the like: turn it off and back on once a week.

How often do you turn off your iPhone or Android device? That is, turn it off completely and then restart it, rather than just letting it go into standby. I suspect the answer for many people is only when a security update or the operating system requires it. According to the NSA, this could be a big mistake.


NSA Security and Privacy Best Practices Tips for iPhone and Android Devices

In a document detailing several best practices for mobile devices, the NSA recommends that users turn off and then turn on their devices once every week to protect against zero-click exploits that attackers often use to eavesdrop and collect data from phones.

Users can reduce the threat of phishing, which can lead to the installation of more malware and spyware, by the same simple action. However, the NSA document warns that the power off and power on advice will only sometimes prevent these attacks from being successful.

“Threats to mobile devices are more prevalent and growing in scope and sophistication,” the NSA said, while warning that some smartphone features “provide convenience and capabilities but sacrifice security.” Because of this, doing something is always better than doing nothing when it comes to being proactive about your device and data security.

It should be noted that the tips given are not some silver bullet that will solve all your security problems. In fact, the NSA document includes a chart that shows how effective each tactic is against different threats. While it’s good general advice, turning it off and on again won’t help you against many of the more advanced malware and spyware threats that are programmed to reload on reboot.

A balance between smartphone convenience and security

The NSA also advises phone users to disable Bluetooth when not in use, update the device as soon as possible when operating system and app updates become available, and disable location services when not needed. The small matter of security over convenience comes into play for much of the advice given, as you can already tell. Add in not using public Wi-Fi networks and not using public charging stations, though many security experts believe the risk is low in most real-world use cases, and many smartphone users are likely to roll the dice.

When it comes to public Wi-Fi, there’s a difference between the risks that may exist and a person actually being at risk. While it is possible for a determined criminal to use unsecured networks for criminal purposes, this usually involves tricking an unsuspecting user into connecting to their Wi-Fi hotspot, not one provided by the train company, airport or coffee shop. A recently disclosed vulnerability that could lead to something called an SSID Confusion Attack is a good example of how this can work. Without going into the technical details (read the article about it for those), it can disable your VPN under certain circumstances and make it appear that you’re connected to a secure network when you’re not. But, again, most unsecured public Wi-Fi networks are safe to use for general activity. The UK’s National Cyber Security Centre suggests that users should connect via their mobile 4G or 5G network instead, as they “will have built-in security” and you can also use the tethering feature on most such devices to connect your laptop to the network on your smartphone. This makes sense when doing sensitive activities like online banking, for example. For more information, there is an excellent Reddit thread that goes into the facts.

All that said, I wholeheartedly agree with the on and off advice as it only takes a minute or two out of your week and is a good habit to get into. In fact, I’d say get into the habit of doing this every day, perhaps as part of your bedtime routine.


The NSA also says that “strong” lock screen PINs and passwords should be used, recommending a minimum six-digit PIN as long as your smartphone is set to wipe itself after 10 incorrect attempts and automatically lock after 5 minutes without input. More generally, Oliver Page, CEO of cybersecurity company Cybernut, says users should “generate strong, unique passwords for each account using a password manager” and avoid using common phrases, dictionary words and reusing passwords across multiple accounts.

The NSA also warns that opening email attachments and links is a no-no, even when the sender appears legitimate, because senders can easily pass on malicious content without realizing it or because their accounts have been compromised. “Learn to recognize phishing attempts by checking email sender addresses, checking website URLs, and scrutinizing email content for signs of manipulation,” says Page.

When it comes to sensitive conversations or messages, the NSA warns against having those on personal devices, even if you think the content is public. That’s a bit limiting to say the least, considering that’s what many of us use our smartphones for. However, falling for social engineering tactics, such as responding to spam emails or messages, is a whole different pot of phish. “Being exposed to social engineering tactics, such as responding to unsolicited emails requesting sensitive information, can lead to account compromise and identity theft. These phishing attempts often impersonate legitimate entities, tricking individuals into divulging confidential details,” says Page, adding, “Trusting phone calls or messages without verification can have serious consequences as fraudsters manipulate victims into revealing sensitive information or taking actions that compromise their security.”

The Federal Communications Commission offers sage smartphone security tips

The Federal Communications Commission, an independent agency of the US government, also offers some relevant security tips for smartphone users. While there is a lot of overlap in the advice offered by various government and law enforcement agencies, some of the FCC’s advice is worth mentioning here. For example, don’t change your smartphone’s security settings. “Factory setting your phone, jailbreaking, or rooting your phone undermines the built-in security features offered by your wireless service and smartphone,” the FCC advises, “while making it more vulnerable to attack.” The mantra not to disable security settings for the sake of convenience is one I agree with, but I recognize that this is likely to be ignored by the average user, for whom convenience is everything, until a security incident affects them personally.

The FCC also warns that understanding app permissions is important because they can be used to bypass certain security features by a malicious app developer. Fortunately, modern mobile operating systems have made granting such permission more transparent than ever, but it’s still worth being aware of the danger. “You should be careful about giving an app access to personal information on your phone or otherwise allowing an app to have access to perform functions on your phone,” the FCC said.

Another option that has become even easier with the evolution of these operating systems is the ability to remotely wipe data from a stolen or lost smartphone. Just make sure you set this up so it can work to your advantage if the worst happens. “In the event you lose your phone,” the FCC’s guidance says, “some apps may activate a loud alarm even if your phone is on silent. These apps can also help you find and recover your phone when you lose it.”

Finally, always wipe your device’s data and factory reset it before selling or otherwise disposing of your phone.
