A Word on Smartphone Security from The
Land Down Under,
By Way of The NSA.
On this July 4th, circa 2023, I would like to thank all of this nation's cyber warriors for your much needed service and your selfless devotion to duty. You deserve more credit than you get.
On June 14, 2023, The Sydney Morning Herald, reported that "a Russian-linked criminal gang known as BlackCat, or AlphV – claimed to have stolen extensive data from law firm HWL Ebsworth in April." This, and other similar attacks that have occurred in Australia, prompted the Aussie government to appoint its first Cyber Security Czar (or, Tsar, in Aussie Speak.). "Federal cabinet on Tuesday signed off on the appointment of Air Vice-Marshal Darren Goldie as the government’s first co-ordinator of cybersecurity," is how The Sydney Morning Herald, announced the news June 23, 2023. It was at the ceremony for the installation of Air Vice-Marshal Goldie, that Australian Prime Minister Anthony Albanese, made some news that quickly spread around the globe. As reported in the The Sydney Morning Herald, June 26, 2023, PM Albanese told the citizens of Australia:
We all have a responsibility ... turn your phone off every night for five minutes ... do it while you are brushing your teeth and whatever you are doing,” he said last week. “This is a task for all of us.”
His comments about powering down one's smartphone once a day was picked up by the English Newspaper, The Guardian, also on June 23, 2023, and from there the story went global. The report in The Guardian added more of the PM's statement, and placed the comment in better context.
We need to mobilise the private sector, we need to mobilise, as well, consumers... We all have a responsibility. Simple things, turn your phone off every night for five minutes. For people watching this, do that every 24 hours, do it while you’re brushing your teeth or whatever you’re doing.
In The Guardian report cited above, Dr Priyadarsi Nanda, a senior lecturer "at the University of Technology Sydney who specialises in cybersecurity development," was asked about the PM's admonition for Aussie's to power down their phones. Dr. Nanda concurred, to a degree.
If there’s a process running from the adversarial side, turning off the phone breaks the chain, even if it’s only for the time the phone is off, it certainly frustrates the potential hacker... It may not fully protect you, but [rebooting] can make things more difficult for hackers.
There is, however, nothing new about the suggestion that turning off the smartphone once a day may well thwart many types of smartphones attacks. It was reported in USA Today, July 28, 2021, that Senator Angus King, "a member of the secretive Senate Intelligence Committee," was given similar advice.
As a member of the secretive Senate
Intelligence Committee, Sen. Angus King has reason to worry about
hackers. At a briefing by security staff this year, he said he got some
advice on how to help keep his cellphone secure.
Step One: Turn
off phone.
Step Two: Turn it back on.
This advice actually originated with the NSA in October 2020 when the agency released its Info Sheet: Mobile Device Best Practices (October 2020). In the Info Sheet, NSA security experts suggested users power down their phones once a week.
Security expert, Troy Hunt, is best known as the creator of the HaveIbeenpwnd website. In a tweet dated June 25, 2023, Hunt reminded his readers that government leaders. like PM Albanese, have different security needs than regular citizens.
The type of malware that's able to infect modern, patched devices outside wilful installation from untrusted sources isn't going to be burned on the masses. World leaders, journos in certain parts of the world, political dissidents etc is the target demo, not "mums and dads".
Other experts also discounted the power down advice as simplistic and naive. June 26, 2023, 9to5mac.com, reported on the power down advice. 9to5mac reminded its readers that the NSA was not as definitive about the benefits of powering down the phone than was PM Albanese. The NSA's suggestion can “sometimes prevent” things like spear phishing and zero-click exploits." The 9to5mac author mirrored Hunt's criticism that the power down admonition was not relevant to everyday users.
Essentially what Albanese did was cherry-pick a piece of advice meant for the security community, remove the nuance, and pass it off as generalized advice for all iPhone users.
The power down advice is neither a magic bullet, nor just plain bull. Many types of malware only exist in memory. Although powering down does not remove the source of the attack, powering down can mitigate some of the worst aspects of an attack. The possibility of reinfection is not always guaranteed. Anything that can help is in itself worthwhile. If nothing else, clearing the memory will increase overall performance of the phone. No harm — No foul.
So, now I do power down my phone once a day. If for no other reason than to prove to myself that I can.
¯¯\_(ツ)_/¯
Gerald Reiff