NSA Tells iPhone And Android Users: Reboot Your Device Now

The National Security Agency warns smartphone users to reboot to defend against zero-click hackers. Here’s what you need to know.

​The National Security Agency warns smartphone users to reboot to defend against zero-click hackers. Here’s what you need to know.  Read More Technology

Update, Oct. 24, 2024: This story, originally published Oct. 22, includes details of new security recommendations issued by the U.S. Cybersecurity and Infrastructure Security Agency along with details of the U.K. Government Cyber Essentials scheme.

Comedy fans may well recognize “have you tried turning it off and on again” from the British sitcom The IT Crowd. But what if the National Security Agency told all smartphone users to do it? And, more to the point, if you follow that advice, will you be safe from malware and spyware in 2024 and beyond?

The NSA Turn It Off And On Again Advice For iPhone And Android Users

The NSA’s original warning was published in a mobile device best practices guide in 2020. If you are having difficulty opening the PDF document the previous link takes you to, then there is an alternative route to the same document that requires a few more clicks available from the NSA press room. With smartphones running across all operating system platforms becoming an increasingly popular target for threat actors of all flavors, the NSA said that “many of the features provide convenience and capability but sacrifice security” and attempted to pin down simple steps that even the most non-technical users could take to better protect their devices and the data stored within. Earlier this year, I reported on the NSA advice, and that article has continued to stir a myriad of responses to this day. I’ve had security experts and smartphone users alike thank me for bringing the warning to their attention and scold me for not going into more detail about what rebooting can’t help protect people from. All of these opinions are valid, of course, and this article is written in the hope of providing more clarification.

Let’s start by saying that I have nothing but praise for the document that the NSA has published; not only is the advice contained sage, but it is presented in such a way as to be clear to all audiences. Taking a pictorial approach, the NSA used an icon-based warning system informing readers what they should avoid, disable, do and not do. The do list includes using strong PINs and passwords, biometric locks and regular software updates, for example. The do-not advice covers rooting or jailbreaking your phone, clicking unknown links or opening unknown attachments. But it’s the disable icon that piqued my interest most, especially when it came to disabling power by turning the device off and on again on a weekly basis.

The second page of the infographic-heavy advice document took more of a tabular approach to warning smartphone users of things they should be doing regarding threat mitigation. This time, the iconography was divided between sometimes prevents and almost always prevents. When regularly rebooting your smartphone, the recommendation was to use it as it sometimes prevents spear phishing (to install malware) and zero-click exploits. It was never, therefore, a silver bullet solution or a one-size-fits-all security panacea.

Do iPhone And Android Users Need To Regularly Reboot Their Smartphones In 2024?

The short answer to whether you need to reboot your smartphone every week in 2024 is no. But need is doing a lot of heavy lifting in that question. From a security perspective, rebooting will still remove the threat from non-persistent malware — that is a threat that cannot survive a reboot. I know that’s pretty obvious, but it needs saying. There’s plenty of malware that fits into this category, and not all of it from the least advanced or sophisticated of threat actors.

When spyware was making the headlines for all the right reasons, with nation-states using advanced software such as Pegasus to infect both Android and iPhone devices, reports suggested that it changed from having persistence to relying upon binary payloads being exploited again after a reboot. This reliance on malware in memory, rather than being written to permanent storage, is another way to evade leaving evidence of surveillance during such sophisticated attacks.

“As long as people are regularly updating their devices when fresh operating system versions are released,” Jake Moore, global cybersecurity evangelist with ESET, said, “devices will remain healthy and protected. It is, however, a good idea to reboot your phone on a regular basis but more for battery reasons over security.”

Moore is right in saying that a quick reboot can often resolve performance issues and connectivity problems. However, that doesn’t mean that security reasons for rebooting are entirely off the table. “Zero-click malware is a recurring issue for both Apple and Android operating systems” Moore said, “but it is generally identified and addressed quickly. Once detected, a patch is developed, and a new update is released to mitigate the threat.”

There is no definitive answer when it comes to the voracity of the NSA warning and the rebooting recommendation, however, erring on the side of caution is never to be underestimated in my humble opinion. There’s an interesting discussion on Stack Exchange that sums things up rather nicely: the long answer is that it depends on what your handheld did since its last reboot, the short answer being, on average, that rebooting reduces vulnerability. Rebooting has little, if any, downside so why not reboot regularly? I’m siding with the NSA on this one.

The U.S. Cybersecurity And Infrastructure Security Agency Proposes New Security Requirements—iPhone And Android Users Take Note

As reported by Bleeping Computer, the U.S. Cybersecurity and Infrastructure Security Agency has just published a new set of security proposals designed to protect personal data and government information from hostile adversaries. The list of proposed security requirements is aimed directly at those government bodies moving sensitive data in bulk and, most specifically, at those doing so where the information might be exposed to persons or countries of concern. This most often means those engaged in cyber espionage campaigns against the U.S. or with a history of state sponsorship of advanced persistent threat actors. CISA said that it assesses the implementation of the requirements as necessary to validate an organization has the technical capability and sufficient governance structure to “appropriately select, successfully implement and continue to apply the covered data-level security requirements in a way that addresses the risks identified by Department of Justice for the restricted transactions.” At the same time it notes that specific requirements may vary for different transactional types.

The likes of maintaining an updated asset inventory of hardware and accurate network topologies are beyond the remit of most individuals, no matter how sensible they might be otherwise. But you would be foolish to focus just on the unobtainable benefit from what is a very sound list of recommendations.

The full list of security requirements being proposed by CISA is available as a PDF document and is highly recommended as a must-read for any organization looking to strengthen their security posture.

“For U.S. cybersecurity efforts, these requirements represent a crucial step towards securing national infrastructure against evolving threats,” Dr Marc Manzano, general manager of cybersecurity at SandboxAQ, said, “These new guidelines, focusing on protecting sensitive information, present opportunities for modern cryptography management systems enabling asset discovery, observability, fine-grained management, and protection.” Deploying solutions like these will, Manzano concluded, contribute toward making government entities enhance their encryption frameworks, ensuring compliance and securing data against future cryptographic threats.

While the proposals are squarely aimed at federal agencies first and foremost, it doesn’t mean that the advice put forward has no consequence for us mere mortals. Indeed, some of the steps that are proposed should be etched on the smartphone screens of all iPhone and Android users: Updating devices to fix known vulnerabilities as quickly as possible, making use of second-factor authentication on all accounts where it is available and ensuring that passwords are at least 16 characters long, for example.

The U.K. Government Cyber Essentials Scheme Brings Better Security To Businesses

The U.K. government has a newly published research paper that seeks to detail the impact that its Cyber Essentials scheme has on improving the cybersecurity of those businesses and organizations taking part. The Cyber Essentials scheme is, effectively, a set of standards and technical controls that organizations of any size, and in any sector, should consider as essential in the effort to protect themselves and their users against the most common of online security threats. Although, as with any such advice, the scheme cannot claim to provide a security panacea, official statistics from the U.K. government show that those organizations with the Cyber Essentials scheme controls in place make 92% fewer insurance claims for cyberattacks than those without.

“This evaluation clearly demonstrates that Cyber Essentials offers significant security benefits to organizations,” William Wright, CEO of Closed Door Security, said. “Accredited businesses are clearly more cyber-aware, they feel more prepared to handle routine cyber attacks and they feel confident with the controls they have in place.” What’s also evident, according to Wright, is that organizations feel much more confident when entering into business partnerships with suppliers who are also Cyber Essentials accredited, and as such the certification process it provides is being used practically to support third-party and supply chain resilience.

However, just as with the NSA advice for smartphone users to turn it off and on again, a single piece of advice is never going to be enough to provide anything more than surface-level protection. As I’ve mentioned earlier in this article, a multi-layered approach is the only way to improve your security and that applies to businesses as much as it does to individuals, if not more. The study data reveals that 53% of respondents are using Cyber Essentials as the only form of external assurance they have for their cyber security. “If these organizations are only accredited with the basic version of the certification,” Wright warns, “this will not be enough to protect their systems against many of the attacks we are seeing today.”

Wright is, if you’ll forgive the pun, right. Cyber Essentials certification itself is in the form of a self-assessment questionnaire, which is examined by a Cyber Essentials assessor. There is no physical verification of the answers and, therefore, of the claimed controls being in place. While I’m not suggesting that some organizations would lie to gain certification that could provide a business benefit, well, OK, I am; but there is little to confirm those controls are deployed correctly. This basic version of the Cyber Essentials certification is “not enough to defend against today’s sophisticated attacks,” Wright concludes, “organizations should strive to achieve the Cyber Essentials Plus certification, but blend this with other principles like NIST, CIS Controls and ISO27001 to really improve their cyber resilience.”