There have been plenty of cyber agency warnings for smartphone users in recent weeks. Only use encrypted messaging. No more SMS security codes. Avoid commercial VPNs. And update phones as soon as you can — which is timely this week. But now there’s more — you’re told to “completely deactivate Wi-Fi” whenever it’s not in use.
Most of the above advice comes via CISA, America’s cyber defense agency, but the latest is from CERT-FR, France’s equivalent, in conjunction with the U.K.’s agency. There is already plenty of Wi-Fi advice, but to completely disable the interface is new.
“These everyday devices exhibit multiple vulnerabilities,” CERT-FR says, “as well as a significant attack surface across multiple layers of the device architecture. These vulnerabilities may reside within wireless interfaces, applications, operating systems, and even within hardware components.”
Everything is covered by CERT-FR, with advice that hopefully you’re familiar with by now — only install apps from official stores, check permissions, update and reboot phones, use a VPN on public Wi-Fi, and never auto-join those networks.
There’s a nod to juice jacking — the threat from public charging points that America’s TSA also flagged this year. CERT-FR says don’t do it, unless you have a “trusted USB data blocker” between the charger and your phone. You should also “completely turn off your phone when it’s left unattended,” for example when charging.
Wireless connectivity is a standout though. This includes the well-publicized threat from aged 2G networks, which relies on a “weak encryption algorithm” which has “been publicly broken since 2010.” CERT-FR says “there is no way for a mobile device to check the authenticity of a base transceiver station, allowing for AITM attacks.”
And on Wi-Fi, the agency says “networks, specifically the unsecured public ones, may exhibit vulnerabilities or weaknesses in their configuration that make them vulnerable to AITM attacks: an attacker may position itself between the user and the Wi-Fi access point to intercept, modify or gather sensitive information.”
This points to the kind of evil twin attack making headlines in recent weeks, which have also garnered a TSA warning this year. “Fake Wi-Fi access points can be used to intercept credentials by redirecting victims to phishing websites or injecting malware on the visited websites in order to compromise the phone,” the French agency warns.
While I’ve repeatedly warned to disable auto-connecting or auto-joining networks, and to disable auto-join on any networks you use temporarily, CERT-FR goes further.
“Completely deactivate Wi-Fi interface on the phone when Wi-Fi is not needed, to avoid any connection to fake networks,” it says. “On iOS, turning-off Wi-Fi must be done by using the Settings application; the Control center parameter is indeed only disconnecting from the network without turning off the interface.”
The agency also says “deactivate automatic connection to the known networks already saved in the phone, including private networks,” and unsurprisingly “avoid as much as possible to connect the mobile device to public networks. When it cannot be avoided, a VPN must be used to encrypt the information passing through the public network.”
How far you go will depend on your own balance of convenience and risk. But I can’t recall a mobile threat landscape quite like the one we’re seeing now.
So maybe that balance is shifting.