NSA warns iPhone and Android users to turn it off and on again

Updated 31/05; this article was originally published on 30/05.

While some people may worry that the National Security Agency itself will spy on their phones, the NSA has some sage advice for iPhone and Android users concerned about zero-click exploits and the like: turn it off and on again once a week.

How often do you turn off your iPhone or Android device? Turn it off completely and then restart it instead of just going to standby mode. I suspect for many people the answer is only when a security or operating system update requires it. According to the NSA, this could be a serious mistake.

NSA advice on best practices for iPhone and Android security and privacy

In a document detailing several best practices for mobile devices, the NSA advises users to turn their devices off and on once a week to protect against zero-click exploits that attackers often use to eavesdrop on phones and harvest data from them.

Users can mitigate the threat of spear-phishing, which can lead to the installation of even more malware and spyware, by performing the same simple action. However, the NSA document warns that the advice to turn the device off and on again will only sometimes prevent these attacks from succeeding.

“Threats to mobile devices are becoming more widespread, increasing in scope and complexity,” the NSA said, warning that some smartphone features “provide convenience and capability, but at the expense of security.” Therefore, doing something is always better than doing nothing when it comes to being proactive about device and data security.

It’s important to note that the advice given is not a silver bullet that will solve all your security problems. Indeed, the NSA document includes a chart showing the effectiveness of each tactic against various threats. While this is good general advice, turning it off and on again will not help combat many of the more advanced malware and spyware threats that are programmed to reload when the device restarts.

Balance between smartphone convenience and security

The NSA also advises phone users to turn off Bluetooth technology when they are not using it, update their device as soon as possible when operating system and application updates become available, and turn off location services when they are not needed. As you can already see, most of the advice given is about safety, not convenience. Add to this not using public Wi-Fi networks (they are usually completely secure) and not using public charging stations (same), and many users are likely to roll the dice. Having said all that, I wholeheartedly agree with the advice to turn it on and off again, as it only takes a minute or two a week and is a good habit to learn. In fact, I’d say get into the habit of doing this every day, maybe as part of your bedtime routine.

The NSA also says you should use “strong” screen lock PINs and passwords, recommending that you use at least a six-digit PIN, provided your smartphone is configured to wipe itself after 10 incorrect attempts and to lock automatically after 5 minutes of no input. More broadly, Oliver Page, CEO of cybersecurity firm Cybernut, says users should “generate strong, unique passwords for each account using a password manager” and avoid using common phrases, dictionary words and reusing passwords across multiple accounts.

The NSA further warns against opening email attachments and links, even if the sender appears trustworthy, because the sender could easily pass on malicious content without realizing it, or their account may have been compromised. “Learn to spot phishing attempts by checking email sender addresses, verifying website URLs, and examining the content of email messages for signs of manipulation,” says Page.

When it comes to confidential conversations or messages, the NSA warns against such conversations on personal devices, even if you think the content is general. This is at least a little restrictive, considering many of us use our smartphones to do this. However, falling for social engineering tactics such as replying to unsolicited emails or messages is a completely different type of phishing. “Relying on social engineering tactics such as responding to unsolicited emails requesting sensitive information may result in account compromise and identity theft. These phishing attempts often impersonate legitimate entities and trick them into disclosing sensitive information,” says Page, adding: “Trusting phone calls or messages without verification can lead to serious consequences as fraudsters manipulate victims into revealing confidential information or taking actions threatening their safety.”