NSA Warns iPhone And Android Users To Turn It Off And On Again


Updated 05/31, this article was originally published on 05/30.

Although some people might worry about the National Security Agency itself spying on their phones, the NSA has some sage advice for iPhone and Android users concerned about zero-click exploits and the like: turn it off and on again once per week.

How often do you turn off your iPhone or Android device? Completely turn it off and then reboot it, rather than just going into standby mode, that is. I suspect that the answer for many people is only when a security or operating system update requires it. That, according to the NSA, could be a big mistake.

NSA iPhone And Android Device Security And Privacy Best Practice Advice

In a document detailing several mobile device best practices, the NSA recommends users turn their devices off and then back on once every week to protect against zero-click exploits, which attackers often use to eavesdrop on and collect data from phones.

Users can mitigate the threat of spear-phishing, which can lead to the installation of yet more malware and spyware, by the same simple action. However, the NSA document does warn that the turn it off and on again advice will only sometimes prevent these attacks from being successful.

“Threats to mobile devices are more prevalent and increasing in scope and complexity,” the NSA said while warning that some smartphone features “provide convenience and capability but sacrifice security.” As such, doing something is always better than doing nothing when it comes to being proactive about your device and data security.

The advice given is not some silver bullet that will solve all your security ills, it must be noted. Indeed, the NSA document includes a chart that shows how effective each tactic is against different threats. While good general advice, turning it off and on again will not help you against many of the more advanced malware and spyware threats that are programmed to reload on reboot.

Balancing Smartphone Convenience And Security

The NSA also advises phone users to disable Bluetooth when not using it, update the device as soon as possible when operating system and application updates become available, and disable location services when not needed. The small matter of security over convenience comes into play for much of the advice given, as you can tell already. Throw in not using public Wi-Fi networks (these are usually perfectly safe) and not using public charging stations (ditto), and many users are likely to roll the dice. All that said, I heartily agree with the on and off again advice as this only takes a minute or two of your week and is a good habit to get into. In fact, I’d say get into the habit of doing so every day, maybe as part of your bedtime routine.

The NSA also says that ‘strong’ lock-screen PINs and passwords should be used, advising a minimum of a six-digit PIN as long as your smartphone is set up to wipe itself after 10 incorrect attempts and to lock automatically after 5 minutes of no input. More broadly, Oliver Page, the CEO of cybersecurity company Cybernut, says that users should “generate strong, unique passwords for each account using a password manager” and avoid using common phrases, dictionary words and password reuse across multiple accounts.

The NSA further warns that opening email attachments and links is a no-no, even when the sender appears legitimate, as they can easily pass on malicious content without realizing it or because their accounts are compromised. “Learn to recognize phishing attempts by checking email sender addresses, verifying website URLs, and scrutinizing email content for signs of manipulation,” Page says.

When it comes to sensitive conversations or messaging, the NSA warns against having these on personal devices, even if you think the content is generic. This is a little restrictive, to say the least, given that many of us use our smartphones for that. However, falling for social engineering tactics such as responding to unsolicited emails or messages is a completely different kettle of phish. “Falling for social engineering tactics, like responding to unsolicited emails requesting sensitive information, can result in account compromise and identity theft. These phishing attempts often mimic legitimate entities, deceiving individuals into divulging confidential details,” Page says, adding, “Trusting phone calls or messages without verification can lead to serious consequences, as scammers manipulate victims into disclosing sensitive information or taking actions that compromise their security.”


