NSA tells iPhone and Android users: Restart your device now

Update, October 23, 2024: This story, originally published on October 22, includes details of new security recommendations issued by the US Cybersecurity and Infrastructure Security Agency that may apply to iPhone and Android users.

Comedy fans may recognize “have you tried turning it off and on again” from the British sitcom The IT Crowd. But what if the National Security Agency told all smartphone users to do this? And, what’s more, if you follow this advice, will you be safe from malware and spyware in 2024 and beyond?

NSA turn-it-off-and-on-again tips for iPhone and Android users

The original NSA warning was published in a mobile device best practices guide in 2020. If you’re having trouble opening the PDF document the previous link takes you to, then there’s an alternate path to the same document, one that takes a few more clicks, available from the NSA press room. With smartphones running on all operating system platforms becoming an increasingly popular target for threat actors of all kinds, the NSA said “many of the features offer convenience and capability but sacrifice security” and sought to identify simple steps that even the most non-technical users can take to better protect their devices and the data stored within. Earlier this year, I reported on the NSA’s tips, and that article has continued to elicit a flurry of responses to this day. I’ve had security experts and smartphone users thank me for bringing the warning to them and chastise me for not going into more detail about what rebooting can’t help protect people from. All of these opinions are valid, of course, and this article is written in the hope of providing more clarification.

Let’s start by saying that I have nothing but praise for the document that the NSA has released; not only does the advice contain wisdom, but it is presented in such a way that it is clear to the entire audience. Taking a pictorial approach, the NSA used an icon-based warning system, informing readers of what to avoid, disable, do and not do. The “Do” list includes using strong PINs and passwords, biometric locks and regular software updates, for example. The “Don’t” advice covers rooting or jailbreaking your phone, clicking unknown links or opening unknown attachments. But it’s the disable icon that piqued my interest the most, especially when it came to power: turning the device off and on again every week.

The second page of the infographic advice document took more of a tabular approach to alerting smartphone users of things to do regarding threat mitigation. This time, the iconography was divided into “sometimes prevents” and “almost always prevents.” When it came to rebooting your smartphone regularly, the recommendation was to do so because it sometimes prevents spear phishing (to install malware) and zero-click exploits. It has therefore never been a silver bullet solution or a one-size-fits-all safety potion.

Do iPhone and Android users need to regularly reboot their smartphones in 2024?

The short answer to whether you need to reboot your smartphone every week in 2024 is no. But the word “need” is doing a lot of heavy lifting in this matter. From a security perspective, rebooting will still remove the threat from non-persistent malware – this is a threat that cannot survive a reboot. I know it’s pretty obvious, but it needs to be said. There is a lot of malware that fits into this category, and not all of it is from less advanced or sophisticated threat actors.

When spyware was making headlines for all the right reasons, with nation-states using advanced software like Pegasus to infect both Android devices and iPhones, reports suggested it changed from relying on persistence to relying on binary payloads delivered by exploiting the device again after a reboot. This reliance on in-memory malware, rather than malware written to permanent storage, is another way to avoid leaving surveillance evidence during such sophisticated attacks.

“As long as people regularly update their devices when new versions of the operating system are released,” said Jake Moore, global cybersecurity evangelist with ESET, “the devices will remain healthy and protected. However, it is a good idea to reboot your phone regularly, but more for battery reasons than security.”

Moore is right that a quick reboot can often resolve performance issues and connectivity issues. However, that doesn’t mean security reasons for rebooting are completely off the table. “Zero-click malware is a recurring issue for Apple and Android operating systems,” Moore said, “but it’s generally identified and addressed quickly. Once discovered, a patch is developed and a new update is released to mitigate the threat.”

There is no definitive answer when it comes to the NSA warning and reboot recommendation; however, erring on the side of caution should never be underestimated in my humble opinion. There’s an interesting discussion on Stack Exchange that sums things up quite nicely: the long answer is that it depends on what your machine has been doing since the last reboot; the short answer is that, on average, rebooting reduces vulnerability. Rebooting has few, if any, downsides, so why not reboot regularly? I side with the NSA on this one.

US Cybersecurity and Infrastructure Security Agency Proposes New Security Requirements—iPhone and Android Users Take Note

As reported by Bleeping Computer, the US Cybersecurity and Infrastructure Security Agency has just released a new set of security proposals designed to protect personal data and government information from hostile adversaries. The list of proposed security requirements is aimed directly at those government bodies that move sensitive data in bulk and, more specifically, those that do so where the information may be exposed to persons or parties of interest. This most often means those involved in cyber espionage campaigns against the US or with a history of state sponsorship of advanced persistent threat actors. CISA said it assesses the implementation of the requirements as necessary to demonstrate that an organization has the technical capability and sufficient governance structure to “appropriately select, successfully implement and continue to implement the covered security requirements at the of data in a manner that addresses identified risks. by the Department of Justice for restricted transactions.” At the same time, it notes that the specific requirements may differ for different types of transactions.

The likes of maintaining an up-to-date inventory of hardware assets and accurate network topologies are beyond the competence of most individuals, no matter how reasonable they might otherwise be. But you’d be foolish to focus solely on the unattainable benefit of what is a very healthy list of recommendations.

The full list of security requirements proposed by CISA is available as a PDF document and is highly recommended as a must-read for any organization looking to strengthen its security posture.

While the proposals are aimed squarely at federal agencies first and foremost, that doesn’t mean the advice presented has no consequences for us mere mortals. Indeed, some of the steps that are proposed should be etched into the smartphone screens of all iPhone and Android users: updating devices to fix known vulnerabilities as soon as possible, using second factor authentication on all accounts where it is available and ensuring passwords are at least 16 characters, for example.
