How wise is the NSA’s zero-click threat advisory in 2024?
Update, October 23, 2024: This story, originally published on October 22, details new security recommendations from the US Cybersecurity and Infrastructure Security Agency that may apply to iPhone and Android users.
Comedy fans may recognize “have you tried turning it off and on again” from the British sitcom The IT crowd. But what if the National Security Agency told all smartphone users to do this? And, more importantly, if you follow that advice, will you be safe from malware and spyware in 2024 and beyond?
The NSA turns it off and on again Advice for iPhone and Android users
The NSA’s original warning was published in 2020 in a best practices guide for mobile devices. If you’re having trouble opening the PDF document that the previous link takes you to, there is an alternate route to the same document that requires a few more clicks: the NSA press room. As smartphones across all operating system platforms become an increasingly popular target for threat actors of all sizes, the NSA said that “many of the features provide convenience and capabilities but sacrifice security” and sought to identify simple steps that even the most – tech users could take steps to better protect their devices and the data stored on them. Earlier this year I reported on the NSA advisory, and that article has generated numerous responses to this day. Security experts and smartphone users have thanked me for bringing the warning to their attention and scolded me for not delving deeper into what a restart won’t help protect people from. All of these opinions are valid, of course, and this article was written in the hope of providing further clarification.
Let’s start by saying that I have nothing but praise for the document that the NSA published; The advice is not only sage, but also presented in such a way that it is clear to all listeners. The NSA took a pictorial approach, using an icon-based alert system that informed readers what to avoid, disable, do’s and don’ts. The do list includes using strong PINs and passwords, biometric locks and regular software updates. The non-advice relates to rooting or jailbreaking your phone, clicking on unknown links, or opening unknown attachments. But it’s the power off icon that piqued my interest the most, especially when it came to turning off the power by turning the device off and on again weekly.
The second page of the infographic-heavy advisory document took a more tabular approach to alert smartphone users of things they should do regarding threat mitigation. This time the iconography was divided between sometimes prevents and almost always prevents. When you restart your smartphone regularly, we recommend that you use it as it sometimes prevents spear phishing (to install malware) and zero-click exploits. It was therefore never a panacea or a one-size-fits-all security wonder.
Doing iPhone and Android Will users need to restart their smartphones regularly in 2024?
The short answer to the question of whether you should restart your smartphone every week in 2024 is no. But necessity does a lot of the heavy lifting in that area. From a security perspective, restarting will still remove the threat of non-persistent malware; that’s a threat that can’t survive a reboot. I know this is pretty obvious, but it needs to be said. There is a lot of malware that fits into this category, and not all of it comes from the least sophisticated or sophisticated threat actors.
When spyware hit the headlines for all the right reasons, with nation states using sophisticated software like Pegasus to infect both Android and iPhone devices, reports suggested that it shifted from persistence to a reliance on re-exploiting binary payloads after a reboot. This reliance on malware in memory, rather than being written to persistent storage, is another way to prevent surveillance traces from being left behind during such sophisticated attacks.
“As long as people regularly update their devices as new operating system versions are released,” says Jake Moore, global cybersecurity evangelist at ESET, “devices will remain healthy and protected. However, it is a good idea to restart your phone regularly, but more for battery reasons than security.”
Moore is right when he says that a quick restart can often resolve performance and connection issues. However, that doesn’t mean safety reasons for reboots are completely off the table. “Zero-click malware is a recurring problem for both Apple and Android operating systems,” says Moore, “but it is generally identified and addressed quickly. Once this is detected, a patch is developed and a new update is released to mitigate the threat.”
There is no definitive answer when it comes to the voracity of the NSA warning and restart recommendation, but erring on the side of caution should never be underestimated in my humble opinion. There’s an interesting discussion on Stack Exchange that sums things up quite nicely: the long answer is that it depends on what your handheld has done since the last restart, while the short answer is on average, restarting reduces vulnerability. Rebooting has few if any downsides, so why not reboot regularly? I’m on the side of the NSA on this one.
The US Cybersecurity And Infrastructure Security Agency is proposing new security requirements: iPhone and Android users take note
As reported by Bleeping Computer, the US Cybersecurity and Infrastructure Security Agency has just released a new set of security proposals designed to protect personal data and government information from hostile adversaries. The list of proposed security requirements is aimed squarely at government agencies that move sensitive data in bulk and, more specifically, those who do so where the information may be exposed to individuals or countries of concern. Typically, these are those involved in cyberespionage campaigns against the US or who have a history of state sponsorship of advanced, persistent threat actors. CISA said it assesses implementation of the requirements as necessary to validate that an organization has the technical capabilities and sufficient governance structure to “appropriately select, successfully implement, and continue to apply the covered data-level security requirements in a manner that addresses the identified risks. by the Department of Justice for the limited transactions.” At the same time, it notes that specific requirements may vary for different types of transactions.
Maintaining an updated inventory of hardware and accurate network topologies is beyond the purview of most individuals, no matter how wise they might otherwise be. But it would be foolish to focus solely on the unattainable benefit of a very solid list of recommendations.
The full list of security requirements proposed by CISA is available as a PDF document and is highly recommended as a must-read for any organization looking to strengthen their security posture.
Although the proposals are primarily aimed directly at federal agencies, this does not mean that the proposed guidance does not impact us mere mortals. Some of the suggested steps should be engraved on the smartphone screens of all iPhone and Android users: updating devices to fix known vulnerabilities as quickly as possible, using second-factor authentication on all accounts where it is available and ensuring that passwords, for example be at least 16 characters long.
