I hate lists like these. Not because they don’t contain good information. Some of these are excellent things to do regardless of your personal situation. But a lot of them make absolutely no sense for most people.
Rebooting your phone periodically removes zero day attacks that don’t persist on your device through a restart. People who are at risk of that are a vanishingly small fraction of the population. Those who are targeted with such attacks are often reinfected anyways because attackers are persistent and realize they’ve lost access to the device. Nothing about this is described in the recommendations, it’s just “oh you should do this” with zero threat modeling whatsoever. Then there’s stuff like “don’t use public Wi-Fi” which has been a bogeyman for probably longer than I’ve been alive. It’s not a problem anymore. Basically everything you do these days is using HTTPS. The author of this post goes on to shill VPNs, which are often snake oil that is even worse than the problem they aim to “cure”.
I have no problem with some parts of this list, including the NSA putting their name behind it. It’s good to keep your software up to date. Being cautious in unfamiliar contexts is usually a good trait to have. But when you throw in the other stuff it’s like if the NIH published a list like “oh you should exercise every day and also completely avoid shrimp”. Like yes some parts of it are good, some of this is only relevant to people who are allergic to shellfish. There’s no point, and actually I will say it’s actively harmful, to just publish stuff like this without explaining when it is applicable and the actual security it provides.
> People who are at risk of that are a vanishingly small fraction of the population.
It's probably a million dollars cheaper to buy access to a non-persistent exploit than a full one but those are probably looking for a one-off exfil anyway. And like you said they can just run it again a couple weeks later for new stuff.
But regardless, I think most people's phone batteries die once a week anyway, so it's not a big deal.
For what it's worth, Android accumulates minor glitches by running all the time, so rebooting is not a bad idea. These are small bugs; people might not notice them.
> First and foremost, iVerify Basic is a security scanner that ensures you are using the iPhone's basic security features such as Face/Touch ID and Screen Lock, and are running the latest iOS version. It also runs a device scan that looks for security anomalies and notifies you if something seems out of place.
Yes, persistence is an additional expense in an exploit and fairly difficult to achieve on an iPhone. The idea with rebooting is that any malware living in memory will be cleared out and the attacker will have to throw the exploit again. Throwing the exploit again carries risk in getting it burnt and iPhone exploits are in the $1m - $2m range.
Given how we generally only reboot our phones for system updates, this is good practice.
You can get virtually all of that benefit, without having to wait for the bootup, by using airplane mode each night.
Booting up takes a lot of battery power - I bet if you did airplane mode plus battery saver overnight, you would actually use less power than rebooting it. Try it!
If your device was compromised then a reboot will essentially not run that piece of software again (iOS) until you probably clicked that link and your device was exploited again (assuming it's the same exact environment).
While 'once a week' is very arbitrary, rebooting a device (especially an iPhone) will make it 'safer' than what it was before the reboot in theory at least.
iOS and Android are big and all vulnerabilities aren't reported as there are many in the wild just like any software out there.
Imagine you are at a cafe that had a compromised auth portal where you clicked a bunch of things and there was a payload that exploited a vulnerability and was doing something on your phone. If you rebooted, then likely it's not running again and you may not visit the cafe again either. That way a reboot likely fixed your problem. The alternative is that you wait for that vulnerability to become public, Apple or Google patch it and then you update it and your device reboots. This could take literally months and that payload is still active until then. I know many people who don't reboot their phones at all unless the battery is dead while updates are also not as common as people think. So many are running iOS 16 even today when their phone says update but they just ignore it.
When someone reads all this on HN it sounds not very smart but these lists are designed for people who have no knowledge of tech. Hence you can sell VPNs to these people as well, which is where it's a bit of an issue on what's right and what's just advertising and selling you stuff. So the outrage is valid but a reboot is actually more beneficial than people think it is.
GrapheneOS[1] has that option in the security settings. I have mine set up so it automatically reboots the device if I haven't unlocked it in the last 8 hours.
Think of holding down the power key for some seconds as a Secure Attention Key that forces control of the device away from the exploit. Automatic reboot might catch some exploits, but the SAK and trusted boot after it gets (practically) all of them.
I have this happening once in a while. I know you didn’t mean to single out iPhone 15, but this issue seems to occur in any device with iOS 17 (and all its minor releases till date). I have had to restart my phone several times because of the Files app not responding.
Does anyone else feel like this is basically a bunch of nonsense 'advice' designed to lull the public into a false sense of security? Especially considering this is coming from the NSA.
What is any of this supposed to protect against besides potential 0days being used by governments (both foreign and domestic)? It's not like phones are generally extremely vulnerable to the extent that this is necessary, and if you're legitimately under threat of being targeted by someone with access to an arsenal like that of the NSO Group's, this is very weak advice. Not connecting to public wifi and not downloading attachments isn't going to save you when you're hit with a zero-click exploit.
NSA don’t get to be the good guys of infosec. They’ve been the adversaries for decades fighting against good encryption, fighting against good security, illegally capturing data whenever they could. Remember the Snowden leaks? I certainly do.
Now they want to pretend none of that ever happened and advise on good security. No. Let’s take it back a couple steps and have some truth and accountability first.
Under no circumstances use your phone to place or receive phone calls. Never send or receive email & text messages. Do not install any apps. Leave it powered off at all times. Store your phone in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying "Beware of the leopard"
saagarjha|1 year ago
transpute|1 year ago
Individuals: https://www.ncsc.gov.uk/cyberaware/home
Business: https://www.ncsc.gov.uk/collection/device-security-guidance/... & https://github.com/ukncsc/Device-Security-Guidance-Configura...
dmix|1 year ago
Fire-Dragon-DoL|1 year ago
transpute|1 year ago
Apple Configurator can define WiFi SSID allowlist, so the phone will only connect to known access points.
iOS Lockdown mode blocks a class of attacks and is mostly invisible to UX. It can be disabled for trusted apps and websites.
Brave can disable Javascript by default, and allow on trusted sites.
Since iPhones no longer power off, a faraday bag can be useful in some contexts.
iVerify claims to check for malware, unclear if it's meaningful given iOS restrictions, but the app regularly reminds the user to reboot.
beretguy|1 year ago
Is this true? I’m still using the first SE so I don’t know.
orf|1 year ago
akira2501|1 year ago
That way I don't have to touch the light switch three times and turn my phone on and off while turning in a circle to keep the bad actors away.
:|
transpute|1 year ago
Citizen8396|1 year ago
aussieguy1234|1 year ago
carom|1 year ago
incompatible|1 year ago
ars|1 year ago
derwiki|1 year ago
I was alerted to a garage break-in because a push to my phone went to my watch, and then I called the police immediately.
tamimio|1 year ago
bustling-noose|1 year ago
nomilk|1 year ago
jamesponddotco|1 year ago
[1]: https://grapheneos.org/
EasyMark|1 year ago
yencabulator|1 year ago
0xDEAFBEAD|1 year ago
whatindaheck|1 year ago
uuddlrlrbaba|1 year ago
AnonHP|1 year ago
salamo|1 year ago
Red_Leaves_Flyy|1 year ago
mensetmanusman|1 year ago
I had to learn the new reset sequence: quick volume up, quick volume down, hold power
transpute|1 year ago
omoikane|1 year ago
https://s3.documentcloud.org/documents/21018353/nsa-mobile-d...
ejj28|1 year ago
wheelerwj|1 year ago
BriggyDwiggs42|1 year ago
gmoore|1 year ago
tpoacher|1 year ago
thefz|1 year ago
more_corn|1 year ago
inopinatus|1 year ago
hnburnsy|1 year ago
Powered off, how cute that you think you can actually power off your phone.
> How are iPhones still findable even when turned off
> https://www.xda-developers.com/iphone-findable-turned-off/
yjftsjthsd-h|1 year ago