TL;DR: The NSA and FCC advise iPhone and Android users to turn devices off and on weekly, avoid modifying security settings, understand app permissions, and wipe data before disposing of phones. While not a perfect solution, these simple steps can help protect against various mobile threats like zero-click exploits, spear-phishing, and malware. Experts say convenience should not come at the cost of security.
The NSA has some wise words for iPhone and Android users who want to keep their devices safe from zero-click exploits and other threats: turn it off and on again once a week.
How often do you fully shut down your device and reboot it, not just put it in standby mode? Many people likely only do this when an update requires it. But that could be a big mistake, the NSA warns.
Simple Steps for Better Security
In a document with best practices for mobile devices, the NSA says users should turn their phones off and back on once a week. This can help protect against zero-click exploits that attackers use to spy on phones and steal data.
It can also sometimes stop spear-phishing attacks that install malware and spyware. But the NSA notes this won’t always prevent these attacks from working.
Threats to mobile devices are growing in number and complexity, the NSA cautions. Some phone features offer convenience but sacrifice security. Doing something is better than doing nothing to actively protect your device and data.
Not a Perfect Solution
To be clear, turning your phone off and on again isn’t a magic fix for all security problems. The NSA includes a chart showing how well each tactic works against different threats.
Rebooting won’t help against many advanced malware and spyware threats designed to reload when the phone restarts.
Convenience vs. Security
The NSA also advises disabling Bluetooth when not in use, updating your device promptly, and turning off location services when you don’t need them. Much of the advice involves choosing security over convenience.
The NSA even says not to use public Wi-Fi or charging stations, though many security experts consider the real-world risk to be low in most cases.
With public Wi-Fi, the actual danger to an individual is often less than the potential risk. A determined criminal could trick an unsuspecting user into connecting to their malicious hotspot instead of a legitimate one. But most unsecured public Wi-Fi is safe for general use.
The U.K.’s cyber security agency suggests using your mobile data network for sensitive activities like online banking. There’s a great Reddit thread that dives into the facts.
Still, I fully support the “off and on again” advice. It only takes a minute or two each week and is a good habit. I’d suggest doing it daily, perhaps as part of your bedtime routine.
More Tips for Staying Secure
The NSA says to use “strong” lock-screen PINs and passwords. They advise a PIN of at least six digits if your phone wipes itself after 10 wrong attempts and locks after 5 minutes of inactivity.
Avoid opening email links and attachments, even from seemingly legitimate senders. They could unknowingly pass on malicious content or have compromised accounts.
“Learn to spot phishing by checking email addresses, verifying URLs, and looking for signs of manipulation in email content,” advises Oliver Page, CEO of Cybernut.
The NSA also warns against sensitive conversations on personal devices, even if the content seems generic. This is quite restrictive, given how many of us use smartphones for this purpose.
But falling for social engineering tricks like responding to unsolicited messages is another story. “Trusting calls or messages without verifying can have serious consequences, as scammers trick victims into revealing sensitive info or taking actions that compromise their security,” Page says.
FCC Offers Additional Advice
The FCC, a U.S. government agency, provides some additional smartphone security tips:
- Don’t modify your phone’s security settings. “Tampering with factory settings, jailbreaking, or rooting your phone weakens built-in security features and makes it more vulnerable to attack,” the FCC warns.
- Understand app permissions, as malicious apps could use these to bypass security. Modern operating systems have made granting permissions more transparent.
- Set up the ability to remotely erase data from a lost or stolen phone. “Some apps can activate a loud alarm, even if your phone is on silent. These can also help you locate and recover a lost phone,” the FCC notes.
- Always wipe data and reset to factory settings before selling or disposing of your phone.
Ultimately, following this expert guidance – including the simple “off and on again” tactic – can go a long way in keeping your smartphone and personal information secure.
Add comment