Although some people might worry about the National Security Agency (NSA) itself spying on their phones, the NSA has some sage advice for iPhone and Android users concerned about zero-click exploits and the like: turn it off and on again once per week.
How often do you turn off your device?
How often do you turn off your iPhone or Android device? Completely turn it off and then reboot it, rather than just going into standby mode, that is. The answer for many people is likely only when a security or operating system update requires it. According to the NSA, this could be a big mistake.
NSA’s best practice advice
In a document detailing several mobile device best practices, the NSA recommends users turn their devices off and then back on once every week to protect against zero-click exploits. These exploits are often used by attackers to eavesdrop on and collect data from phones.
Mitigating threats
Users can mitigate the threat of spear-phishing, which can lead to the installation of even more malware and spyware, by the same simple action. However, the NSA document warns that the turn it off and on again advice will only sometimes prevent these attacks from being successful.
“Threats to mobile devices are more prevalent and increasing in scope and complexity,” the NSA said while warning that some smartphone features “provide convenience and capability but sacrifice security.” As such, doing something is always better than doing nothing when it comes to being proactive about your device and data security.
More than just reboots
The advice given is not some silver bullet that will solve all your security issues. Indeed, the NSA document includes a chart that shows how effective each tactic is against different threats. While turning it off and on again is good general advice, it will not help against many of the more advanced malware and spyware threats that are programmed to reload on reboot.
Balancing smartphone convenience and security
The NSA also advises phone users to disable Bluetooth when not using it, update the device as soon as possible when operating system and application updates become available, and disable location services when not needed. The security over convenience debate is evident in much of the advice given. Avoiding public Wi-Fi networks and public charging stations is recommended, although many experts consider the risk low in most real-world use cases.
Understanding public Wi-Fi risks
While it is possible for a determined criminal to use unsecured networks for nefarious purposes, this usually involves tricking an unsuspecting user into connecting to their Wi-Fi hotspot rather than one provided by a legitimate source. A recently disclosed vulnerability that can lead to an SSID Confusion Attack is an example of how this can work. Without getting too technical, this can disable your VPN in certain circumstances and make it appear that you have connected to a secure network when you haven’t. However, most unsecured public Wi-Fi networks are safe for general activity. The U.K. National Cyber Security Centre suggests using your mobile 4G or 5G network for sensitive activities, such as online banking.
Additional security measures
The NSA also recommends using strong lock-screen PINs and passwords, advising a minimum of a six-digit PIN with the phone set to wipe itself after 10 incorrect attempts and to lock automatically after 5 minutes of no input.
Federal Communications Commission (FCC) advice
The FCC, an independent agency of the U.S. government, also offers pertinent security advice for smartphone users. They recommend not modifying the security settings of your smartphone, such as jailbreaking or rooting, as this undermines built-in security features. The FCC also advises being cautious about granting app permissions and ensuring you can remotely erase data from a stolen or lost smartphone.
Conclusion
Following the NSA’s advice to turn off and restart your iPhone or Android device once per week can help mitigate the risks of zero-click exploits and other threats. Implementing strong PINs and passwords, disabling unnecessary features, and being cautious with public Wi-Fi are additional steps that can enhance your device and data security. Remember, being proactive about security is always better than reacting to an incident.
