Update, Oct. 23, 2024: This story, originally published Oct. 22, includes details of new security recommendations issued by the U.S. Cybersecurity and Infrastructure Security Agency which can apply to iPhone and Android users.
Comedy fans may well recognize “have you tried turning it off and on again” from the British sitcom The IT Crowd. But what if the National Security Agency told all smartphone users to do it? And, more to the point, if you follow that advice, will you be safe from malware and spyware in 2024 and beyond?
The NSA Turn It Off And On Again Advice For iPhone And Android Users
The NSA’s original warning was published in a mobile device best practices guide in 2020. If you are having difficulty opening the PDF document the previous link takes you to, then there is an alternative route to the same document that requires a few more clicks available from the NSA press room. With smartphones running across all operating system platforms becoming an increasingly popular target for threat actors of all flavors, the NSA said that “many of the features provide convenience and capability but sacrifice security” and attempted to pin down simple steps that even the most non-technical users could take to better protect their devices and the data stored within. Earlier this year, I reported on the NSA advice, and that article has continued to stir a myriad of responses to this day. I’ve had security experts and smartphone users alike thank me for bringing the warning to their attention and scold me for not going into more detail about what rebooting can’t help protect people from. All of these opinions are valid, of course, and this article is written in the hope of providing more clarification.
Let’s start by saying that I have nothing but praise for the document that the NSA has published; not only is the advice contained sage, but it is presented in such a way as to be clear to all audiences. Taking a pictorial approach, the NSA used an icon-based warning system informing readers what they should avoid, disable, do and not do. The do list includes using strong PINs and passwords, biometric locks and regular software updates, for example. The do-not advice covers rooting or jailbreaking your phone, clicking unknown links or opening unknown attachments. But it’s the disable icon that piqued my interest most, especially when it came to disabling power by turning the device off and on again on a weekly basis.
The second page of the infographic-heavy advice document took more of a tabular approach to warning smartphone users of things they should be doing regarding threat mitigation. This time, the iconography was divided between “sometimes prevents” and “almost always prevents.” Regularly rebooting your smartphone was recommended because it sometimes prevents spear phishing (to install malware) and zero-click exploits. It was never, therefore, a silver bullet solution or a one-size-fits-all security panacea.
Do iPhone And Android Users Need To Regularly Reboot Their Smartphones In 2024?
The short answer to whether you need to reboot your smartphone every week in 2024 is no. But “need” is doing a lot of heavy lifting in that question. From a security perspective, rebooting will still remove the threat from non-persistent malware, that is, a threat that cannot survive a reboot. I know that’s pretty obvious, but it needs saying. There’s plenty of malware that fits into this category, and not all of it comes from the least advanced or sophisticated of threat actors.
When spyware was making the headlines for all the right reasons, with nation-states using advanced software such as Pegasus to infect both Android and iPhone devices, reports suggested that it changed from having persistence to relying upon binary payloads being exploited again after a reboot. This reliance on malware in memory, rather than being written to permanent storage, is another way to evade leaving evidence of surveillance during such sophisticated attacks.
“As long as people are regularly updating their devices when fresh operating system versions are released,” Jake Moore, global cybersecurity evangelist with ESET, said, “devices will remain healthy and protected. It is, however, a good idea to reboot your phone on a regular basis but more for battery reasons over security.”
Moore is right in saying that a quick reboot can often resolve performance issues and connectivity problems. However, that doesn’t mean that security reasons for rebooting are entirely off the table. “Zero-click malware is a recurring issue for both Apple and Android operating systems,” Moore said, “but it is generally identified and addressed quickly. Once detected, a patch is developed, and a new update is released to mitigate the threat.”
There is no definitive answer when it comes to the veracity of the NSA warning and the rebooting recommendation; however, erring on the side of caution is never to be underestimated in my humble opinion. There’s an interesting discussion on Stack Exchange that sums things up rather nicely: the long answer is that it depends on what your handheld did since its last reboot, the short answer being, on average, that rebooting reduces vulnerability. Rebooting has little, if any, downside, so why not reboot regularly? I’m siding with the NSA on this one.
The U.S. Cybersecurity And Infrastructure Security Agency Proposes New Security Requirements—iPhone And Android Users Take Note
As reported by Bleeping Computer, the U.S. Cybersecurity and Infrastructure Security Agency has just published a new set of security proposals designed to protect personal data and government information from hostile adversaries. The list of proposed security requirements is aimed directly at those government bodies moving sensitive data in bulk and, most specifically, at those doing so where the information might be exposed to persons or countries of concern. This most often means those engaged in cyber espionage campaigns against the U.S. or with a history of state sponsorship of advanced persistent threat actors. CISA said that it assesses the implementation of the requirements as necessary to validate an organization has the technical capability and sufficient governance structure to “appropriately select, successfully implement and continue to apply the covered data-level security requirements in a way that addresses the risks identified by Department of Justice for the restricted transactions.” At the same time it notes that specific requirements may vary for different transactional types.
The likes of maintaining an updated asset inventory of hardware and accurate network topologies are beyond the remit of most individuals, no matter how sensible they might be otherwise. But you would be foolish to focus just on the unobtainable parts of what is a very sound list of recommendations.
The full list of security requirements being proposed by CISA is available as a PDF document and is highly recommended as a must-read for any organization looking to strengthen its security posture.
While the proposals are squarely aimed at federal agencies first and foremost, it doesn’t mean that the advice put forward has no consequence for us mere mortals. Indeed, some of the steps that are proposed should be etched on the smartphone screens of all iPhone and Android users: Updating devices to fix known vulnerabilities as quickly as possible, making use of second-factor authentication on all accounts where it is available and ensuring that passwords are at least 16 characters long, for example.