I hate lists like these. Not because they don’t contain good information. Some of these are excellent things to do regardless of your personal situation. But a lot of them make absolutely no sense for most people.
Rebooting your phone periodically removes zero day attacks that don’t persist on your device through a restart. People who are at risk of that are a vanishingly small fraction of the population. Those who are targeted with such attacks are often reinfected anyway because attackers are persistent and realize they’ve lost access to the device. Nothing about this is described in the recommendations, it’s just “oh you should do this” with zero threat modeling whatsoever. Then there’s stuff like “don’t use public Wi-Fi” which has been a bogeyman for probably longer than I’ve been alive. It’s not a problem anymore. Basically everything you do these days is using HTTPS. The author of this post goes on to shill VPNs, which are often snake oil that is even worse than the problem they aim to “cure”.
I have no problem with some parts of this list, including the NSA putting their name behind it. It’s good to keep your software up to date. Being cautious in unfamiliar contexts is usually a good trait to have. But when you throw in the other stuff it’s like if the NIH published a list like “oh you should exercise every day and also completely avoid shrimp”. Like yes, some parts of it are good, but some of this is only relevant to people who are allergic to shellfish. There’s no point, and actually I will say it’s actively harmful, to just publish stuff like this without explaining when it is applicable and the actual security it provides.
> People who are at risk of that are a vanishingly small fraction of the population.
It's probably a million dollars cheaper to buy access to a non-persistent exploit than a full one but those are probably looking for a one-off exfil anyway. And like you said they can just run it again a couple weeks later for new stuff.
But regardless, I think most people's phones' batteries die once a week anyway, so it's not a big deal.
For what it's worth, Android accumulates minor glitches by running all the time, so rebooting is not a bad idea. These are small bugs; people might not notice them.
> First and foremost, iVerify Basic is a security scanner that ensures you are using the iPhone's basic security features such as Face/Touch ID and Screen Lock, and are running the latest iOS version. It also runs a device scan that looks for security anomalies and notifies you if something seems out of place.
> For this analysis, we had access to the customer’s iTunes backups, crash logs, and sysdiagnose files. One of the best things about Threat Hunter is that we can gather these artifacts remotely without needing physical access to the device.
Yes, persistence is an additional expense in an exploit and fairly difficult to achieve on an iPhone. The idea with rebooting is that any malware living in memory will be cleared out and the attacker will have to throw the exploit again. Throwing the exploit again carries risk in getting it burnt and iPhone exploits are in the $1m - $2m range.
Given how we generally only reboot our phones for system updates, this is good practice.
You can get virtually all of that benefit, without having to wait for the bootup, by using airplane mode each night.
Booting up takes a lot of battery power - I bet if you did airplane mode plus battery saver overnight, you would actually use less power than rebooting it. Try it!
Tornadoes are not hurricanes. They're small and very localized. When I lived in tornado country the sirens would go off only when rotations were detected.
I was thinking maybe you'd get some kind of generalised alert that tornadoes may be expected overnight, but generally, you'd be safe. If there are sirens anyway, it doesn't sound like you'd need the phone on.
If I (bizarrely) got a message informing me that a tornado was about to hit my house, I'd a) assume it was a scam b) have no idea about what I was supposed to do about it anyway. Hold on to something solid to avoid getting sucked away?
As someone who lives in Texas, the push alerts for dangerous weather has been very helpful. Not just tornadoes, but violent storms with damaging winds or hail also happen 10-20 times per year. As previously said, these storms are very localized and often materialize with only 10-30 minutes of notice. That notice can be used to relocate everyone to a safe place away from windows, in the case of a tornado warning, or protect outside pets/livestock, vehicles, etc in the case of a violent storm.
Coming from a reliable local source, so it's not a scam, a tornado warning will come in 10-15 minutes before it hits. This is enough time to go to the basement/storm cellar/shelter. If you live in tornado alley it's just how you live your life.
It's a point, I suppose. I'd have to go to another room where I left the phone on the desk, hopefully not blocked by a fire, and turn it on. But I think my partner leaves hers on, so she could do it.
If your device was compromised then a reboot will essentially not run that piece of software again (iOS) until you probably clicked that link and your device was exploited again (assuming it's the same exact environment).
While 'once a week' is very arbitrary, rebooting a device (especially an iPhone) will make it 'safer' than what it was before the reboot in theory at least.
iOS and Android are big and all vulnerabilities aren't reported as there are many in the wild just like any software out there.
Imagine you are at a cafe that had a compromised auth portal where you clicked a bunch of things and there was a payload that exploited a vulnerability and was doing something on your phone. If you rebooted, then likely it's not running again and you may not visit the cafe again either. That way a reboot likely fixed your problem. The alternative is that you wait for that vulnerability to become public, Apple or Google patch it, and then you update it and your device reboots. This could take literally months and that payload is still active until then. I know many people who don't reboot their phones at all unless the battery is dead, while updates are also not as common as people think. So many are running iOS 16 even today when their phone says update but they just ignore it.
When someone reads all this on HN it sounds not very smart, but these lists are designed for people who have no knowledge of tech. Hence you can sell VPNs to these people as well, which is where it's a bit of an issue on what's right and what's just advertising and selling you stuff. So the outrage is valid, but a reboot is actually more beneficial than people think it is.
GrapheneOS[1] has that option in the security settings. I have mine set up so it automatically reboots the device if I haven't unlocked it in the last 8 hours.
Think of holding down the power key for some seconds as a Secure Attention Key that forces control of the device away from the exploit. Automatic reboot might catch some exploits, but the SAK and trusted boot after it gets (practically) all of them.
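The comments above (rebooting clears a memory-resident implant and forces the attacker to spend the exploit again; GrapheneOS's auto-reboot timer) describe a mitigation whose value depends on the reboot policy and on whether the attacker comes back. The following is an added illustration, not code from the thread or from GrapheneOS: a small deterministic model that computes how many hours a non-persistent implant is active under different reboot policies. The scenario values (a 30-day window, the hour the implant first lands, a 48-hour re-exploitation delay) are constructed, and the GrapheneOS timer, which actually fires after the device has been locked for N hours, is simplified here to a fixed reboot interval.

```python
"""Toy dwell-time model for a memory-resident (non-persistent) implant.

Added example for illustration; all scenario numbers are constructed and the
'auto-reboot' policy is approximated as a fixed interval rather than the
real 'reboot after N hours locked' behaviour.
"""
import math
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Scenario:
    horizon_hours: float                   # length of the simulated window
    first_exploit_hour: float              # when the implant first lands
    reboot_every_hours: Optional[float]    # None = device is never rebooted
    reinfect_delay_hours: Optional[float]  # None = attacker does not return
    persists_across_reboot: bool = False   # True models a persistent implant


def compromised_hours(s: Scenario) -> float:
    """Return the number of hours within the horizon during which the implant
    is active.

    A non-persistent implant dies at the next reboot; if the attacker returns,
    it lands again `reinfect_delay_hours` after that reboot. A persistent
    implant, or a device that is never rebooted, stays compromised to the end
    of the window.
    """
    t = s.first_exploit_hour
    total = 0.0
    while t < s.horizon_hours:
        if s.reboot_every_hours is None or s.persists_across_reboot:
            end = s.horizon_hours
        else:
            # First reboot strictly after the infection time t.
            k = math.floor(t / s.reboot_every_hours) + 1
            end = min(k * s.reboot_every_hours, s.horizon_hours)
        total += end - t
        if end >= s.horizon_hours or s.reinfect_delay_hours is None:
            break
        t = end + s.reinfect_delay_hours   # attacker throws the exploit again
    return total


def compare_policies(first_exploit_hour: float = 10.0,
                     reinfect_delay_hours: Optional[float] = None,
                     horizon_hours: float = 24 * 30) -> Dict[str, float]:
    """Compromised hours for 'never', 'weekly' and '8h' reboot policies."""
    policies = {"never": None, "weekly": 24 * 7.0, "8h": 8.0}
    return {
        name: compromised_hours(Scenario(horizon_hours, first_exploit_hour,
                                         interval, reinfect_delay_hours))
        for name, interval in policies.items()
    }


if __name__ == "__main__":
    print("one-off attacker:  ", compare_policies())
    print("attacker returns:  ", compare_policies(reinfect_delay_hours=48.0))
    print("persistent implant:", compromised_hours(
        Scenario(24 * 30, 10.0, 24 * 7.0, None, persists_across_reboot=True)))
```

Two things the model makes visible that the prose only asserts: against a one-off attacker, the reboot interval is an upper bound on dwell time (weekly caps it at under 168 hours, an 8-hour timer at under 8), whereas against a returning attacker the policy only carves gaps out of the window and each gap costs the attacker another use of the exploit; and if the implant persists across reboots, every policy collapses to the same number, which is why the thread distinguishes persistence as a separately priced capability.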
I have this happening once in a while. I know you didn’t mean to single out iPhone 15, but this issue seems to occur on any device with iOS 17 (and all its minor releases to date). I have had to restart my phone several times because of the Files app not responding.
Does anyone else feel like this is basically a bunch of nonsense 'advice' designed to lull the public into a false sense of security? Especially considering this is coming from the NSA.
What is any of this supposed to protect against besides potential 0days being used by governments (both foreign and domestic)? It's not like phones are generally extremely vulnerable to the extent that this is necessary, and if you're legitimately under threat of being targeted by someone with access to an arsenal like that of the NSO Group, this is very weak advice. Not connecting to public wifi and not downloading attachments isn't going to save you when you're hit with a zero-click exploit.
NSA don’t get to be the good guys of infosec. They’ve been the adversaries for decades fighting against good encryption, fighting against good security, illegally capturing data whenever they could. Remember the Snowden leaks? I certainly do.
Now they want to pretend none of that ever happened and advise on good security. No. Let’s take it back a couple steps and have some truth and accountability first.
Under no circumstances use your phone to place or receive phone calls. Never send or receive email & text messages. Do not install any apps. Leave it powered off at all times. Store your phone in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying "Beware of the leopard".