NSA Warns iPhone And Android Users To Turn It Off And On Again

source: Forbes.com (contributed by FAN, Steve Page)  |  image: pixabay.com


Updated Saturday, June 1: This article has been updated to include clarification around the safety of using public Wi-Fi networks and additional advice from the NCSC and FCC.

Although some people might worry about the National Security Agency itself spying on their phones, the NSA has some sage advice for iPhone and Android users concerned about zero-click exploits and the like: turn it off and on again once per week.

How often do you turn off your iPhone or Android device? Completely turn it off and then reboot it, rather than just going into standby mode, that is. I suspect that the answer for many people is only when a security or operating system update requires it. That, according to the NSA, could be a big mistake.

Users can mitigate the threat of spear-phishing, which can lead to the installation of yet more malware and spyware, by the same simple action. However, the NSA document does warn that the turn it off and on again advice will only sometimes prevent these attacks from being successful.

“Threats to mobile devices are more prevalent and increasing in scope and complexity,” the NSA said while warning that some smartphone features “provide convenience and capability but sacrifice security.” As such, doing something is always better than doing nothing when it comes to being proactive about your device and data security.

The advice given is not some silver bullet that will solve all your security ills, it must be noted. Indeed, the NSA document includes a chart that shows how effective each tactic is against different threats. While good general advice, turning it off and on again will not help you against many of the more advanced malware and spyware threats that are programmed to reload on reboot.

Balancing Smartphone Convenience And Security

The NSA also advises phone users to disable Bluetooth when not using it, update the device as soon as possible when operating system and application updates become available, and disable location services when not needed. The small matter of security over convenience comes into play for much of the advice given, as you can tell already. Throw in not using public Wi-Fi networks and not using public charging stations, despite plenty of security experts considering the risk to be low in most real-world use cases, and many smartphone users are likely to roll the dice.

When it comes to public Wi-Fi there’s a difference between the risks that can be present and an individual actually being at risk. While it is possible for a determined criminal to use unsecured networks for nefarious purposes, this usually involves tricking an unsuspecting user into connecting to the criminal’s Wi-Fi hotspot rather than the one provided by the railway company, airport, or coffee shop. A recently disclosed vulnerability that can lead to something called an SSID Confusion Attack is a good example of how this can work. Without going into the technical details (read the linked article for those), it can disable your VPN in certain circumstances and make it appear that you have connected to a secure network when you haven’t. But, again, most unsecured public Wi-Fi networks are safe to use for general activity. The U.K. National Cyber Security Centre suggests that users instead connect by way of their mobile 4G or 5G network as these “will have built-in security,” and you can also use the tethering feature of most such devices to connect your laptop to your smartphone’s network. This makes sense when performing sensitive activities such as online banking, for example. There’s an excellent thread on Reddit that delves into the facts for further information.

All that said, I heartily agree with the on and off again advice as this only takes a minute or two of your week and is a good habit to get into. In fact, I’d say get into the habit of doing so every day, maybe as part of your bedtime routine.

The NSA also says that ‘strong’ lock-screen PINs and passwords should be used, advising a minimum of a six-digit PIN as long as your smartphone is set up to wipe itself after 10 incorrect attempts and to lock automatically after 5 minutes of no input. More broadly, Oliver Page, the CEO of cybersecurity company Cybernut, says that users should “generate strong, unique passwords for each account using a password manager” and avoid using common phrases, dictionary words and password reuse across multiple accounts.

The NSA further warns that opening email attachments and links is a no-no, even when the sender appears legitimate, as they can easily pass on malicious content without realizing it or because their accounts are compromised. “Learn to recognize phishing attempts by checking email sender addresses, verifying website URLs, and scrutinizing email content for signs of manipulation,” Page says.

When it comes to sensitive conversations or messaging, the NSA warns against these on personal devices, even if you think the content is generic. This is a little restrictive, to say the least, given that many of us use our smartphones for that. However, falling for social engineering tactics such as responding to unsolicited emails or messages is a completely different kettle of phish. “Falling for social engineering tactics, like responding to unsolicited emails requesting sensitive information, can result in account compromise and identity theft. These phishing attempts often mimic legitimate entities, deceiving individuals into divulging confidential details,” Page says, adding, “Trusting phone calls or messages without verification can lead to serious consequences, as scammers manipulate victims into disclosing sensitive information or taking actions that compromise their security.”

Federal Communications Commission Offers Sage Smartphone Security Advice

The Federal Communications Commission, an independent agency of the U.S. government, also offers some pertinent security advice for smartphone users. While there is a lot of overlap in the advice offered by differing government and law enforcement agencies, some of the FCC advice is worth mentioning here. Not modifying the security settings of your smartphone, for example. “Tampering with your phone’s factory settings, jailbreaking, or rooting your phone undermines the built-in security features offered by your wireless service and smartphone,” the FCC advises, “while making it more susceptible to an attack.” The mantra of not disabling security settings for the sake of convenience is one I agree with, but I acknowledge this is likely to go ignored by the general user, for whom convenience is everything until a security incident impacts them personally.

The FCC also warns that understanding app permissions is important as these can be used to bypass certain security functionality by a malicious app developer. Luckily, modern mobile operating systems have made such permission granting more transparent than ever, but it still pays to be alert to the danger. “You should be cautious about granting applications access to personal information on your phone or otherwise letting the application have access to perform functions on your phone,” the FCC said.

Another option that has become even easier with the evolution of these operating systems is the ability to remotely erase data from a stolen or lost smartphone. Just ensure you get this set up so it can work to your advantage if the worst happens. “In the case that you misplace your phone,” the FCC guidance says, “some applications can activate a loud alarm, even if your phone is on silent. These apps can also help you locate and recover your phone when lost.”

And finally, always wipe data from your device and reset it to factory settings before selling or otherwise disposing of your phone.