Turn Your Phone Off Every Night For Five Minutes, Australian PM Tells Residents (theguardian.com)
Australia's prime minister, Anthony Albanese, has told residents they should turn their smartphones off and on again once a day as a cybersecurity measure -- and tech experts agree. From a report: Albanese said the country needed to be proactive to thwart cyber risks, as he announced the appointment of Australia's inaugural national cybersecurity coordinator. "We need to mobilise the private sector, we need to mobilise, as well, consumers," the prime minister said on Friday. "We all have a responsibility. Simple things, turn your phone off every night for five minutes. For people watching this, do that every 24 hours, do it while you're brushing your teeth or whatever you're doing." The Australian government's advice is not new. In 2020, the United States' National Security Agency issued best-practice guidelines for mobile device security, which included rebooting smartphones once a week to prevent hacking.
Disrupting sleep (Score:1, Troll)
So I have to wake up in the middle of the night to turn off my phone, wait 5 minutes, turn it back on. And then go back to sleep?
For what?
Re: (Score:3)
Well, you’re obviously already waking up to brush your teeth then, so I don’t really see the problem.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
So I have to wake up in the middle of the night to turn off my phone, wait 5 minutes, turn it back on. And then go back to sleep?
For what?
Did you even read the fine summary? Do you brush your teeth in your sleep?
Re: Disrupting sleep (Score:3)
You're working under the assumption that he brushes his teeth
Re: (Score:1)
And you're working under the assumption that he even has teeth.
Re: Disrupting sleep (Score:2)
And you assume this entity is not an AI.
Re: Disrupting sleep (Score:2)
He isn't wearing his pronouns on his shirt, so he's already in violation.
Re: (Score:2)
Re: (Score:1)
The summary is BS: you are supposed to close your phone for 5 minutes, but the recommended time to brush your teeth is 2 minutes.
Re: Disrupting sleep (Score:1)
Couldn't even read the summary eh!
Re:Disrupting sleep (Score:5, Informative)
Re: (Score:2)
How? I created an automation that runs the Shutdown action set to Restart. I disabled the "ask before running" but all it does is throw a notification up that asks whether I'm sure I want to restart. How do I get it to run without any interaction?
Re: Disrupting sleep (Score:2)
But without forcing you into awkward hand gymnastics and hysterically demanding multiple confirmations, how can we really be SURE that you want to reboot your phone?
Re: (Score:2)
Do you sleep 24 hours a day?
If not, then just reboot your phone either before going to sleep, or when you wake up. Or, as the summary suggests, while you brush your teeth (if you do, and if you don't ... wtf).
Or, if you do sleep 24 hours a day, then how did you post this stupidity to Slashdot, and why did you waste hundreds of dollars on a smartphone you'll never use while you Rip Van Winkle your time on earth away?
Re: (Score:2)
Do you sleep 24 hours a day?
No, but I need to be able to receive emergency messages 7x24. Not just calls, but also the real-time monitoring data and associated alarms from bluetooth-connected medical devices implanted in my body.
And I don't believe that rebooting my phone every 24 hours is a reasonable security measure. It's not going to help with any security. I don't reboot my computer either: it stays up for many months, until it gets a security patch that requires rebooting. Or unless the power at the house fails about twice a ye
Re: (Score:2)
No, but I need to be able to receive emergency messages 7x24. Not just calls, but also the real-time monitoring data and associated alarms from bluetooth-connected medical devices implanted in my body.
What?
So what you're telling us is that your health is so precarious that you can't go 5 minutes without your cellphone to receive alerts? You don't think you need a second or backup device "just in case"? The systems you rely on only send one message when you are facing a health crisis, as in it sends a message like "your kidneys are failing" or "you are about to have a heart attack" once, then never repeat the message? That's crazy - why wouldn't your sensors repeat the message a few times?
So yes, the answ
Re: (Score:2)
Re: (Score:2)
Do you expect every single public statement from a politician to include language around every possible edge case, ever?
Also, if these notifications are so serious to medical implants, why are you trusting that to a consumer electronics device that has no redundancy, very little resiliency, and was built to the lowest price point they could while maintaining a healthy profit margin?
And these life-critical notifications aren't sent via a protocol that confirms receipt or otherwise retries? Who would use a f
Re: (Score:2)
Re: Disrupting sleep (Score:2)
Re: (Score:2)
So I have to wake up in the middle of the night to turn off my phone, wait 5 minutes, turn it back on. And then go back to sleep? For what?
My phone can do that for me automatically [makeuseof.com].
"When needed" may not be often. I have that enabled and my current uptime is 26 days.
I think the purpose of this is to remove any memory resident malware that does not persist across reboots, but to be fair I did not RTFA.
I turn it off for the whole night (Score:3, Interesting)
Re: (Score:3)
If you turn off your phone now how will all these wonderful ads reach you?
Re: (Score:3)
Oh don't you worry, they'll all be there when you turn it back on, rendering the phone useless for at least 5 minutes while your phone catches up with them.
Re: (Score:2)
That must be an Android thing.
Re: (Score:2)
More likely his phone. My phone, a cheap Motorola which comes with close to stock Android simply turns off, displaying a shutting down graphic when I hold the power button down for a few seconds and choose power off.
Re: (Score:2)
Oh don't you worry, they'll all be there when you turn it back on, rendering the phone useless for at least 5 minutes while your phone catches up with them.
The malware that you're afraid of will also just resume running when you turn the phone back on. What did you think you accomplished?
Re: (Score:2)
The malware that you're afraid of will also just resume running when you turn the phone back on. What did you think you accomplished?
Persistent and non-persistent malware are both a thing. Some good links in the discussion here.
https://security.stackexchange... [stackexchange.com]
Re: (Score:2)
Re: (Score:3)
My need to CONSUME
ADs ? (Score:2)
ads ? which ads ?
Ain't no ads on my phone.
Re: (Score:2)
Re: (Score:2)
That's what the smartwatch is for.
Re: (Score:2)
How does "android" make it awkward? On my pixel I press two buttons on the side (power and vol up, they are next to each other) then tap Power off or Restart. There are no warnings, no confirmation dialogs. It's literally a (two) button press and a single tap, done.
Re: (Score:2)
Mine, you just hold the power button down for a few seconds and choose power down or such. There's also the choice of emergency along with restart, which I've never tried.
Re: (Score:2)
i still remember the day when you could turn your phone off and it would turn itself on to play the alarm that you set. talk about smart.
now today's "smart" phones can't do that
April fools was like three months ago (Score:1)
There are so many different ways for apps that want to stay running to get a foothold on startup it's not worth entertaining such nonsense.
Re: (Score:2)
Why do we, the people of Slashdot-landia, care what a random Australian PM said? Because "tech experts agree"?
What does the Australian PM have to do with this? Nothing, the PM just happened to say something that experts agree on - that's not a news story.
Re: (Score:2)
No... This is Very dubious advice, and they do not seem to name a single tech expert willing to stand behind the advice. It's that sort of nonsense politicians sometimes use to reinforce their position -- cite "X experts", when in reality there is not such agreement or consensus by experts.
If this Were a solution after all - the phone's makers would likely provide this solution as a convenient option, but in reality it's a non solution that won't mitigate malware, and any nefarious actors can adjust
Good security, poorly supported by phone makers? (Score:5, Informative)
This used to be easy to do [samsung.com] on my Samsung Android phone. No longer, apparently [reddit.com]. "Thanks", Samsung.
Re:Good security, poorly supported by phone makers (Score:5, Insightful)
However, the scenario in question basically depends on the use of a zero-day (or even a coveted zero-click) exploit, which threat actors are unlikely to use on "regular" targets. This is because they don't want the specifics of their zero day being made public and countermeasures developed, meaning, a patch or software update.
The best piece of advice for normal users is probably not to do daily reboots, but to install software updates for the phone OS and apps as soon as possible. That limits the attack surface area to those unpatched, zero-day exploits. From there, if one thinks they're a target for such exploits, a daily reboot is probably not the best thing you can do. It's much more effective to use iOS lockdown mode etc to minimize the attack surface area.
But, a reboot is easy to understand and makes people think they're doing something...and does have a little value. But if you're really concerned someone is trying to send you Pegasus, a daily reboot is well down the list of best things you can do to protect yourself.
Re: (Score:3)
The stackexchange poster is 100% correct in that persistence is hard to achieve, especially on mobile phones, and a reboot will uninstall any malware that hasn't achieved persistence.
Most malware is persistent because the user deliberately installed it. There are reports of infected apps (thousands of them, on Android anyway) being mass-installed, all the time.
Re: (Score:3)
But, on Android you can get a user to deliberately install an .apk, and on a rooted phone you can get persistence...unless they have a phone with a security-co processor like a
Re: (Score:2)
The stackexchange poster is 100% correct in that persistence is hard to achieve, especially on mobile phones, and a reboot will uninstall any malware that hasn't achieved persistence.
What makes it hard to achieve? I can understand explicitly not wanting to achieve it to thwart detection but it actually being hard? Why? If you can exploit a privilege escalation vuln once to get root what prevents you from installing a program to do it again?
This all sounds to me like a variation on https://xkcd.com/1200/ [xkcd.com]
Too much emphasis placed on ultra secure trusted boot while the reality of what really matters to real people (e.g. unmolested user mode) is ignored.
Re: (Score:2)
What prevents you from installing a program to do it again is the Secure Enclave, or the Titan on Google Pixel phones -- aka the "security co-processor." It is a heck of a lot harder on modern, flagship phones (e.g. any iPhone, Google Pixel, Samsung S series,
Re: (Score:2)
Most of these exploits, once run, are unable to install themselves undetected on persistent storage.
They can install themselves in the apps container or anywhere if they also include a chained privilege escalation vulnerability.
What prevents you from installing a program to do it again is the Secure Enclave, or the Titan on Google Pixel phones -- aka the "security co-processor."
Can you name a specific capability you think is applicable? Security chips perform cryptographic operations on behalf of host keeping internal secrets from host processor. As far as I know they are not able to discriminate between software with good and evil intent. If they had such a capability why would they allow the initial intrusion to begin with?
It is a heck of a lot harder on modern, flagship phones (e.g. any iPhone, Google Pixel, Samsung S series, etc) to get persistence even if you have a working exploit in memory because of the security co processor checks.
Can you be more specific?
Re: (Score:2)
Re: (Score:3)
This used to be easy to do [samsung.com] on my Samsung Android phone. No longer, apparently [reddit.com]. "Thanks", Samsung.
Auto-restart is not a good security practice.
My phone has full-disk encryption (so even if someone steals my phone, it's extremely difficult to get data off of it).
In order to boot my phone with full-disk encryption you need to enter the correct passcode/pattern so the OS has the decryption key.
That means my phone doesn't come online after a reboot until I enter my passcode.
If my phone automatically rebooted while I slept... well then my phone wouldn't turn on until I woke up, which is extremely inconvenien
Re: (Score:2)
Full disk encryption doesn't prevent malware from installing on your phone. It is to prevent others from accessing the information you put in your phone thru the user interface (if you click an attachment and install malware on your phone, it has free-range over your data on the device).
Maybe reconsider putting such high-value data on your phone?
Re: (Score:2)
Full disk encryption doesn't prevent malware from installing on your phone. It is to prevent others from accessing the information you put in your phone thru the user interface (if you click an attachment and install malware on your phone, it has free-range over your data on the device).
Or, if someone steals your phone it stops them from yanking out a chip and reading your data directly.
So yes, full disk encryption is a definite security feature.
Maybe reconsider putting such high-value data on your phone?
You mean like emails, IM logs, text messages, banking apps, etc, etc.
Btw, if they're not doing that stuff on their phone where are they doing it? They've got the same malware risks on their computer. You can go fully offline for your banking and such (and some people do it), but there's a big convenience cost.
Re: (Score:2)
Have you tried turning it off and on again?
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
I followed through to the Sophos article and while I think this is nonsense and rather than placing the burden on the users, they should request politely from the two telephone operating system vendors to set a default option to close all apps and possibly even reboot during an idle time. In my case, I think when on charger and the microphone detects snoring would work. But then it should restart and make sure my messaging apps are alive.
Re: (Score:2)
..and as it reboots... (Score:5, Funny)
Re: (Score:2)
You forgot the dead chickens and pig's blood.
Re: (Score:2)
The chickens aren't dead until you've swung them around your head three times [newsweek.com]. No pig's blood involved.
Re: (Score:2)
Wouldn't that be deosil? Australia is in the southern hemisphere.
Re: (Score:2)
Re:..and as it reboots... (Score:5, Funny)
Five minutes makes no sense, but rebooting does (Score:5, Informative)
The reason you might want to reboot your phone for security is because transient root attacks are easier than persistent root attacks.
Modern mobile OSes have pretty tight boot verification schemes to ensure that your device is only running official software, which is designed to protect your security and privacy. Vulnerabilities are inevitable, though, and there are occasional vulns on both iOS and Android (fewer on Android, actually, assuming your device is up to date, which many aren't) that allow a remote attacker to take control of your device through some web site you visited or something. But once in control, it's very hard for the attacker to convert their temporary foothold into a persistent one that will survive reboot, because that would require defeating the boot-time verification scheme, and if the device is rebooted it may be difficult for the attacker to recreate the circumstances that allowed the initial intrusion.
So, by rebooting your device you evict any attacker who has gained temporary access.
How often does this actually happen to the typical user? Well, it obviously depends on the user's usage habits and on whether or not they're being specifically targeted. But on average the answer is "hardly ever". Still, if you want to be extra cautious, rebooting regularly isn't a bad practice. The NSA's suggestion of a weekly reboot makes more sense to me than a daily reboot, though, and I can see no reason at all to turn your phone off for five minutes.
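A toy model of the reboot argument in the comment above, added here as an illustration; it is not part of the thread and not any vendor's code. It is a simplification in the style of hash-tree verified boot: `ToyPhone`, the HMAC key standing in for a hardware-anchored asymmetric signature, and the sample image are all constructed for the example.

```python
import hashlib
import hmac

BLOCK_SIZE = 4096
# Constructed stand-in for the vendor's signing key. Real verified boot checks
# an asymmetric signature against a public key anchored in hardware; HMAC is
# used here only to keep the example standard-library only.
VENDOR_KEY = b"constructed-demo-key"


def merkle_root(image: bytes) -> bytes:
    """Hash each fixed-size block, then hash pairs upward to a single root."""
    level = [hashlib.sha256(image[i:i + BLOCK_SIZE]).digest()
             for i in range(0, len(image), BLOCK_SIZE)]
    if not level:                      # empty image still gets a defined root
        level = [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        if len(level) % 2:             # odd count: duplicate the last hash
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0]


def sign_root(root: bytes) -> bytes:
    """Authenticate the root hash (HMAC here, a real signature on a device)."""
    return hmac.new(VENDOR_KEY, root, hashlib.sha256).digest()


class ToyPhone:
    """Three places state can live, each with a different reboot outcome."""

    def __init__(self, system_image: bytes):
        self.system = bytearray(system_image)   # covered by the hash tree
        self.signed_root = sign_root(merkle_root(system_image))
        self.user_data = {}                     # persistent, NOT verified
        self.ram = set()                        # volatile

    def reboot(self) -> bool:
        """Clear volatile state, then verify the system image. True = boots."""
        self.ram.clear()
        current = sign_root(merkle_root(bytes(self.system)))
        return hmac.compare_digest(current, self.signed_root)


def run_scenarios() -> dict:
    image = bytes(range(256)) * 64              # constructed 16 KiB "system"
    results = {}

    # 1. Memory-only foothold: gone after the reboot, device boots normally.
    phone = ToyPhone(image)
    phone.ram.add("in-memory foothold")
    results["transient"] = {"boots": phone.reboot(),
                            "foothold_left": bool(phone.ram)}

    # 2. A single flipped bit in the system image: the root hash no longer
    #    matches the signed value, so the boot check fails.
    phone = ToyPhone(image)
    phone.system[5000] ^= 0x01
    results["system_tamper"] = {"boots": phone.reboot()}

    # 3. A change in user/app data: outside the hash tree, so the device
    #    boots and the change is still there.
    phone = ToyPhone(image)
    phone.user_data["installed_app"] = "constructed marker"
    results["user_data"] = {"boots": phone.reboot(),
                            "marker_left": "installed_app" in phone.user_data}
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The third case is the one replies in this thread keep returning to: boot verification covers the system image, not what is installed in user data, which is why updates and app hygiene matter alongside reboots.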
Re: (Score:1)
Re: (Score:3)
When I re-boot my router, many times I get the same IP address, but if I leave it off for five or ten minutes, I get a different IP number. Is there possibly a similar mechanism that happens with Cell Phones?
The reason that happens with DHCP is that devices that have received an IP address lease will attempt to renew it periodically. If they can't contact the router to renew it, they'll stop trying to renew and will instead shift to requesting a new one. By leaving the router off for a while you're just increasing the probability that your device tries to renew while the router is down. Though usually leases are long enough that 5-10 minutes shouldn't be enough... but maybe your router issues short leases.
I'm
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
How often does this actually happen to the typical user? Well, it obviously depends on the user's usage habits and on whether or not they're being specifically targeted. But on average the answer is "hardly ever". Still, if you want to be extra cautious, rebooting regularly isn't a bad practice. The NSA's suggestion of a weekly reboot makes more sense to me than a daily reboot, though, and I can see no reason at all to turn your phone off for five minutes
Personally, reboots happen with major OS updates. Minor ones normally do not require a reboot. In my daily life, I have run out of battery on occasion and not been near an outlet or a battery pack. The most common scenario for me is when the phone is low before I go to bed and I do not charge it while I sleep.
Re: (Score:2)
Vulnerabilities are inevitable, though, and there are occasional vulns on both iOS and Android (fewer on Android, actually, assuming your device is up to date, which many aren't) that allow a remote attacker to take control of your device through some web site you visited or something. But once in control, it's very hard for the attacker to convert their temporary foothold into a persistent one that will survive reboot
I don't understand the basis of this line of thought. Even if you were to stipulate the OS is an infallible read only brick prior to switching to "user mode".
What stops an app having obtained root from creating a new app or modifying an existing one that gets called on startup and re-executing the exploit? How exactly is persistence difficult? My understanding is anything that has notification enabled basically has an excuse to run whenever it wants. How is this "very hard"?
Re: (Score:2)
What stops an app having obtained root from creating a new app or modifying an existing one that gets called on startup and re-executing the exploit?
Depends on how the exploit works. A lot of them are "drive bys", from malicious web sites or similar, and a lot of them rely on getting lucky to get the vulnerability to work in the face of ASLR and other mitigations. There certainly are exploits initiated reproducibly by malicious apps and they can re-exploit the device at every reboot. But they're a minority, and verified boot schemes make it approximately impossible to modify the system software to install a persistent backdoor.
Re: (Score:2)
Depends on how the exploit works. A lot of them are "drive bys", from malicious web sites or similar, and a lot of them rely on getting lucky to get the vulnerability to work in the face of ASLR and other mitigations.
I don't know how these two things can both concurrently be true. Either there is such a low probability of exploit succeeding that being affected is akin to winning the lottery or the app can simply keep spawning processes after the phone boots up until it gets "lucky".
and verified boot schemes make it approximately impossible to modify the system software to install a persistent backdoor.
It is not necessary to modify system software to persist exploits.
Re: (Score:2)
Depends on how the exploit works. A lot of them are "drive bys", from malicious web sites or similar, and a lot of them rely on getting lucky to get the vulnerability to work in the face of ASLR and other mitigations.
And the other thing is that with the initial exploit you are flying blind. This isn't the case post-exploit. A software program written intentionally to achieve privilege escalation can be designed to gather layout data necessary so that it is no longer making blind guesses.
Re: (Score:2)
if the device is rebooted it may be difficult for the attacker to recreate the circumstances that allowed the initial intrusion.
It will be just as easy as it was when it happened earlier that day. In other words: your phone might possibly be running the malware for a few minutes after you reboot it. Then it will happen as soon as you use the phone again (because you installed malware or because you use an app that is easily compromised).
There is a small class of non-persistent attacks that a reboot MIGHT mitigate. That is, you use a vulnerable app that is compromised by external interaction. Such as a browser accessing a hostile web
Re: (Score:2)
if the device is rebooted it may be difficult for the attacker to recreate the circumstances that allowed the initial intrusion.
It will be just as easy as it was when it happened earlier that day.
Which may not have been easy at all, and may have relied on an unusual set of circumstances, such as tricking you into visiting a particular web page, plus ASLR happening to pick a particular address, etc. A lot of exploitation is opportunistic... attackers cast a wide net and only manage to exploit a tiny fraction of devices. Rebooting will get you back to a good state, and odds are low that you'll get exploited again.
Problem solved (Score:1)
No, turn it off ALL NIGHT (Score:2)
But you're more addicted than a junky, and can't possibly turn the damn thing off.
Re: (Score:2)
My phone is my alarm clock.
Re:No, turn it off ALL NIGHT (Score:4, Funny)
My phone is my alarm clock.
Checkmate. Obviously there's nothing you could do to fix *that*.
Re:No, turn it off ALL NIGHT (Score:5, Funny)
Sleep in?
Re: (Score:2)
Why? No seriously why? My phone goes to silent at 10pm until the alarm goes off in the morning. I don't charge it overnight and it loses 2% battery. I have no compulsion to touch it. Do you gravitate towards touching everything purely because it is on?
Put it "elsewhere" after a certain time. (Score:2)
And leave it there until morning. For the first three decades of my life it was perfectly fine to not be able to reach somebody directly except during special windows, like after dinner. That was your best opportunity. Calling during dinner time was considered rude. And for those who use their phone as their alarm clock... well, they do, in fact, still make alarm clocks. At the very least, make use of the do not disturb feature, and exercise some personal self control.
People have forgotten how to be alone w
Re: (Score:2)
Re: (Score:2)
People used to do morning chores before work or school, too - like milking the cows or feeding the chickens/cows around 4-5am. We don't do that anymore, either - to our detriment, I feel.
Most people don't have thoughts to be alone with, anymore.
Re: (Score:2)
People used to do morning chores before work or school, too - like milking the cows or feeding the chickens/cows around 4-5am. We don't do that anymore, either - to our detriment, I feel.
Most people don't have thoughts to be alone with, anymore.
They didn't have any thoughts back then, either. It's just that now they have better technology with which to advertise this.
(Well, I don't know how far "back then" you want to go -- my personal knowledge only extends back about 70 years. I have no evidence that this has changed since Lucy's time, though. And I don't mean Ball.)
Re: (Score:2)
And leave it there until morning. For the first three decades of my life it was perfectly fine to not be able to reach somebody directly except during special windows, like after dinner.
Life doesn't work on the same schedule and communications patterns as it did when I was a kid, 60-some years ago. But back then we certainly did have alarm clocks. And our phones were always on, 7x24. If you were privileged, your phone was in your room. (Much nicer than stretching the cord into the bathroom.) So what kind of phone do you have that doesn't allow you to turn off the ringer? Even my Western Electric has that feature.
Re: (Score:2)
"Life doesn't work on the same schedule and communications patterns as it did when I was a kid, 60-some years ago."
I fundamentally disagree with you on this. We have become used to the idea of constant communication, but nearly all aspects of life continue to run fine if you forget your phone at home.
"And our phones were always on, 7x24"
Yep. But you weren't guaranteed to be beside it. Large parts of the time, nobody was "home". Communication deferred.
My timeline is less than yours - I'm 53. But when I was a kid, the farm house had party lines.
Re: (Score:2)
"Life doesn't work on the same schedule and communications patterns as it did when I was a kid, 60-some years ago."
I fundamentally disagree with you on this. We have become used to the idea of constant communication, but nearly all aspects of life continue to run fine if you forget your phone at home.
How do you coordinate the numerous inevitable glitches in multiplexing the daily activities of you, your job, your wife's job, and the three children each involved in complicated transportation and activities?
I'll tell you how we did it "back in the day".
We didn't.
Life was much simpler, less busy, and infinitely more constrained. We didn't do all those things; we could not do them: it would have been impossible.
Cell phones have fundamentally changed the world, enabling things that were never practical or pos
Piles of Shit (Score:2, Insightful)
This just goes to show that these smartphone things are just bags of shit that were designed by total absolute morons who should be put to death for their inability to design something that works properly.
It would also be helpful if turning the damn thing off actually did anything -- but it does not. The same shite is still running after the power cycle as was running before the power cycle, so this will do absolutely fucking nothing whatsoever. The only way to actually "power down" one of these stupid-as
Re: (Score:2)
I reboot mine once a month (Score:1)
Bah (Score:2)
This "security" idea brought to you from the folks at TSA, the Bigfoot/UFO chasers society and the inventor of the Covid bleach cure.
If You Put Your Phone Down (Score:2)
Reboot anything not mission critical! (Score:2)
Oh, and do all the same stuff with your computer,
Yeah, why punish the people in control of them... (Score:2)
I mean we could penalize companies each time they do something wrong, or we could just ignore it. And put crappy band aids on everything. I mean that random person won't be held liable for ANYTHING EVER so whatever... I'm just smiling on the way to the super nova.
Automatic Reset (Score:2)
No wonder my parents have never been hacked. They let their phones run flat at least once a day!
Re: (Score:3)
Modern flash filesystems with a compromised kernel don't care when you turn off your phone after they've infected it.
Dude, do you even do security? Even with a compromised kernel module, achieving persistence is still difficult due to integrity checks.
A kernel-level access gives you ring 0 access (full control) of the machine..but on an iPhone, that's checked by the security-co processor: the Secure Enclave. Persistence is quite hard to achieve when you have an external, immutable chip doing checks on the kernel on load. https://support.apple.com/guid... [apple.com].
Re: (Score:2)
Modern flash filesystems with a compromised kernel don't care when you turn off your phone after they've infected it.
Dude, do you even do security? Even with a compromised kernel module, achieving persistence is still difficult due to integrity checks.
The hook into the root exploit was through malware that you purposely installed (your favorite new app). You don't need persistence -- simply re-attack whenever the app is run. Which will be a few minutes after you reboot your phone. (Actually, lots of apps run in the background even though you don't think you launched them. So the malware will go get root again, same as before, automatically when you reboot).
You don't need root or anything to "persistently" compromise a phone.
Re: (Score:2)
Re: First Ever (Score:2)
Re: (Score:2)
That's what I was wondering. I switch mine off every night. Why would I want to drain the battery? I usually charge my phone once a week. If I left it on all night for no reason I'd have to keep charging every few days.