Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Australia Privacy Security

Turn Your Phone Off Every Night For Five Minutes, Australian PM Tells Residents (theguardian.com) 126

Australia's prime minister, Anthony Albanese, has told residents they should turn their smartphones off and on again once a day as a cybersecurity measure -- and tech experts agree. From a report: Albanese said the country needed to be proactive to thwart cyber risks, as he announced the appointment of Australia's inaugural national cybersecurity coordinator. "We need to mobilise the private sector, we need to mobilise, as well, consumers," the prime minister said on Friday. "We all have a responsibility. Simple things, turn your phone off every night for five minutes. For people watching this, do that every 24 hours, do it while you're brushing your teeth or whatever you're doing." The Australian government's advice is not new. In 2020, the United State's National Security Agency issued best-practice guidelines for mobile device security, which included rebooting smartphones once a week to prevent hacking.
This discussion has been archived. No new comments can be posted.

Turn Your Phone Off Every Night For Five Minutes, Australian PM Tells Residents

Comments Filter:
  • So I have to wake up in the middle of the night to furn off my phone, wait 5 minutes, turn in back on. And then go back to sleep?
    For what?

    • Well, you’re obviously already waking up to brush your teeth then, so I don’t really see the problem.

      • by bn-7bc ( 909819 )
        He was obviously reffering to local time in Australia, would you like to wake up in the middle of the nite ( where you are) to turn off your phone for 5 minutes and then turn it back on again?
        • by bn-7bc ( 909819 )
          I (re) read the summary and... never mind I,ve missed an important detail that rendered my whole comment nonsense. How I wish we hadva delete button, but since we don't, Mods plz remove tis and #63635002
    • So I have to wake up in the middle of the night to furn off my phone, wait 5 minutes, turn in back on. And then go back to sleep?
      For what?

      Did you even read the fine summary? Do you brush your teeth in your sleep?

    • Couldn't even read the summary eh!

    • Re:Disrupting sleep (Score:5, Informative)

      by hollowpnt ( 5269436 ) on Monday June 26, 2023 @10:04AM (#63633650)
      If you are on IOS you can create a personal automation in the shortcuts app that reboots your phone every night without any user interaction.
      • How? I created an automation that runs the Shutdown action set to Restart. I disabled the "ask before running" but all it does it throw a notification up that asks whether I'm sure I want to restart. How do I get it to run without any interaction?

        • But without forcing you into awkward hand gymnastics and hysterically demanding multiple confirmations, how can we really be SURE that you want to reboot your phone?

    • Do you sleep 24 hours a day?

      If not, then just reboot your phone either before going to sleep, or when you wake up. Or, as the summary suggests, while you brush your teeth (if you do, and if you don't ... wtf).

      Or, if you do sleep 24 hours a day, then how did you post this stupidity to Slashdot, and why did you waste hundreds of dollars on a smartphone you'll never use while you Rip Van Winkle your time on earth away?

      • by cstacy ( 534252 )

        Do you sleep 24 hours a day?

        No, but I need to be able to receive emergency messages 7x24. Not just calls, but also the real-time monitoring data and associated alarms from bluetooth-connected medical devices implanted in my body.

        And I don't believe that rebooting my phone every 24 hours is a reasonable security measure. It's not going to help with any security. I don't reboot my computer either: it stays up for many months, until it gets a security patch that requires rebooting. Or unless the power at the house fails about twice a ye

        • by kenh ( 9056 )

          No, but I need to be able to receive emergency messages 7x24. Not just calls, but also the real-time monitoring data and associated alarms from bluetooth-connected medical devices implanted in my body.

          What?

          So what you're telling us is that your health is so precarious that you can't go 5 minutes without your cellphone to receive alerts? You don't think you need a second or backup device "just in case"? The systems you rely on only send one message when you are facing a health crisis, as in it sends a message like "your kidneys are failing" or "you are about to have a heart attack" once, then never repeat the message? That's crazy - why wouldn't your sensors repeat the message a few times?

          So yes, the answ

        • by bn-7bc ( 909819 )
          There are ofc exceptions to any recommendation, your specific use case is probably one such exception.
        • Do you expect every single public statement from a politician to include language around every possible edge case, ever?

          Also, if these notifications are so serious to medical implants, why are you trusting that to a consumer electronics device that has no redundancy, very little resiliency, and was built to the lowest price point they could while maintaining a healthy profit margin?

          And these life-critical notifications aren't sent via a protocol that confirms receipt or otherwise retries? Who would use a f

    • by Dusanyu ( 675778 )
      Turn it off when you go to bed and on when you wake up you don't need to use the phone nor can you while your sleeping.
  • by ickleberry ( 864871 ) <web@pineapple.vg> on Monday June 26, 2023 @09:47AM (#63633574) Homepage
    Despite android making it more awkward than it should be. The UI makes it look like "You want to turn off your phone completely? What?? You lunatic! Don't you know we're living in an 'always on' society now?"
    • If you turn off your phone now how will all these wonderful ads reach you?

      • Oh don't you worry, they'll all be there when you turn it back on, rendering the phone useless for at least 5 minutes while your phone catches up with them.

        • That must be an Android thing.

          • by dryeo ( 100693 )

            More likely his phone. My phone, a cheap Motorola which comes with close to stock Android simply turns off, displaying a shutting down graphic when I hold the power button down for a few seconds and choose power off.

        • by cstacy ( 534252 )

          Oh don't you worry, they'll all be there when you turn it back on, rendering the phone useless for at least 5 minutes while your phone catches up with them.

          The malware that you're afraid of will also just resume running when you turn the phone back on. What did you think you accomplished?

          • The malware that you're afraid of will also just resume running when you turn the phone back on. What did you think you accomplished?

            Persistent and non-persistent malware are both a thing. Some good links in the discussion here.

            https://security.stackexchange... [stackexchange.com]

      • They're wonderful because they are customized to your needs.
      • ads ? which ads ?

        Ain't no ads on my phone.

    • What?! Why don't you want Google to watch you while you sleep? It's a sign of their never-ending love & devotion towards you.
    • How does "android" make it awkward? On my pixel I press two buttons on the side (power and vol up, they are next to each other) then tap Power off or Restart. There are no warnings, no confirmation dialogs. Its literally a (two) button press and a single tap, done.

      • by dryeo ( 100693 )

        Mine, you just hold the power button down for a few seconds and choose power down or such. There's also the choice of emergency along with restart, which I've never tried.

    • i still remember the day when you could turn your phone off and it would turn itself on to play the alarm that you set. talk about smart.

      now today's "smart" phones can't do that

  • by Anonymous Coward

    There are so many different ways for apps that want to stay running to get a foothold on startup it's not worth entertaining such nonsense.

    • by kenh ( 9056 )

      Why do we, the people of Slashdot-landia, care what a random Australian PM said? Because "tech experts agree"?

      What does the Australian PM have to do with this? Nothing, the PM just happened to say something that experts agree on - that's not a news story.

      • by mysidia ( 191772 )

        No... This is Very dubious advise, and they do not seem to name a single tech expert willing to stand behind the advise. It's that sort of nonsense politicians sometimes use to reinforce their position -- cite "X experts", when in reality there is not such agreement or consensus by experts.

        If this Were a solution after all - the phone's makers would likely provide this solution as a convenient option, but in reality it's a non solution that won't mitigate malware, and any nefarious actors can adjust

  • by PseudoThink ( 576121 ) on Monday June 26, 2023 @09:55AM (#63633608)
    Why this is good security practice: https://security.stackexchange... [stackexchange.com]

    This used to be easy to do [samsung.com] on my Samsung Android phone. No longer, apparently [reddit.com]. "Thanks", Samsung.
    • by Midnight_Falcon ( 2432802 ) on Monday June 26, 2023 @10:12AM (#63633678)
      The stackexchange poster is 100% correct in that persistence is hard to achieve, especially on mobile phones, and a reboot will uninstall any malware that hasn't achieved persistence.

      However, the scenario in question basically depends on the use of a zero-day (or even a coveted zero-click) exploit, which threat actors are unlikely to use on "regular" targets. This is because they don't want the specifics of their zero day being made public and countermeasures developed, meaning, a patch or software update.

      The best piece of advice for normal users is probably not to do daily reboots, but to install software updates for the phone OS and apps as soon as possible. That limits the attack surface area to those unpatched, zero-day exploits. From there, if one thinks they're a target for such exploits, a daily reboot is probably not the best thing you can do. It's much more effective to use iOS lockdown mode etc to minimize the attack surface area.

      But, a reboot is easy to understand and makes people think they're doing something...and does have a little value. But if you're really concerned someone is trying to send you Pegasus, a daily reboot is well down the list of best things you can do to protect yourself.

      • by cstacy ( 534252 )

        The stackexchange poster is 100% correct in that persistence is hard to achieve, especially on mobile phones, and a reboot will uninstall any malware that hasn't achieved persistence.

        Most malware is persistent because the user deliberately installed it. There are reports of infected apps (thousands of them, on Android anyway) being mass-installed, all the time.

        • Those infected apps have a lot harder time in the last several years, as Google has changed permissions in apps to be far more granular and require a lot more user interaction. They also have a hard time (if not impossible) getting root- or system- level privileges, as is the case with Pegasus etc that the article is referring to.

          But, on Android you can get a user to deliberately install an .apk, and on a rooted phone you can get persistence...unless they have a phone with a security-co processor like a

      • The stackexchange poster is 100% correct in that persistence is hard to achieve, especially on mobile phones, and a reboot will uninstall any malware that hasn't achieved persistence.

        What makes it hard to achieve? I can understand explicitly not wanting to achieve it to thwart detection but it actually being hard? Why? If you can exploit a privilege escalation vuln once to get root what prevents you from installing a program to do it again?

        This all sounds to me like a variation on https://xkcd.com/1200/ [xkcd.com]

        Too much emphasis placed on ultra secure trusted boot while the reality of what really matters to real people (e.g. unmolested user mode) is ignored.

        • Most of these exploits, once run, are unable to install themselves undetected on persistent storage. So, they live in volatile memory, and thus get uninstalled after a poweroff cycle (and five minutes is given to ensure volatile memory is cleared).

          What prevents you from installing a program to do it again is the Secure Enclave, or the Titan on Google Pixel phones -- aka the "security co-processor." It is a heck of a lot harder on modern, flagship phones (e.g. any iPhone, Google Pixel, Samsung S series,

          • Most of these exploits, once run, are unable to install themselves undetected on persistent storage.

            They can install themselves in the apps container or anywhere if they also include a chained privilege escalation vulnerability.

            What prevents you from installing a program to do it again is the Secure Enclave, or the Titan on Google Pixel phones -- aka the "security co-processor."

            Can you name a specific capability you think is applicable? Security chips perform cryptographic operations on behalf of host keeping internal secrets from host processor. As far as I know they are not able to discriminate between software with good and evil intent. If they had such a capability why would they allow the initial intrusion to begin with?

            It is a heck of a lot harder on modern, flagship phones (e.g. any iPhone, Google Pixel, Samsung S series, etc) to get persistence even if you have a working exploit in memory because of the security co processor checks.

            Can you be more specific?

            • Read this article about the Titan M2 [google.com], it does a lot more than offload cryptographic operations. Notably, it ensures that the firmware/bootloader is not tampered with (secure bot), and then hands that off to the (verified) bootloader to conduct further validations on kernel/file integrity. It also checks the contents of memory to ensure that nothing unexpected is persistently stored there, as most of this malware lives in memory. Finally, it creates an immutable audit trail of system messages useful in
    • This used to be easy to do [samsung.com] on my Samsung Android phone. No longer, apparently [reddit.com]. "Thanks", Samsung.

      Auto-restart is not a good security practice.

      My phone has full-disk encryption (so even if someone steals my phone, it's extremely difficult to get data off of it).

      In order to boot my phone with full-disk encryption you need to enter the correct passcode/pattern so the OS has the decryption key.

      That means my phone doesn't come online after a reboot until I enter my passcode.

      If my phone automatically rebooted while I slept... well then my phone wouldn't turn on until I woke up, which is extremely inconvenien

      • by kenh ( 9056 )

        Full disk encryption doesn't prevent malware from installing on your phone. It is to prevent others from accessing the information you put in your phone thru the user interface (if you click an attachment and install malware on your phone, it has free-range over your data on the device).

        Maybe reconsider putting such high-value data on your phone?

        • Full disk encryption doesn't prevent malware from installing on your phone. It is to prevent others from accessing the information you put in your phone thru the user interface (if you click an attachment and install malware on your phone, it has free-range over your data on the device).

          Or, if someone steals your phone it stops them from yanking out a chip and reading your data directly.

          So yes, full disk encryption is a definite security feature.

          Maybe reconsider putting such high-value data on your phone?

          You mean like emails, IM logs, text messages, banking apps, etc, etc.

          Btw, if they're not doing that stuff on their phone where are they doing it? They've got the same malware risks on their computer. You can go fully offline for your banking and such (and some people do it), but there's a big convenience cost.

    • Have you tried turning it off and on again?

      https://www.youtube.com/watch?... [youtube.com]

    • Thanks for this.

      I followed through to the Sophos article and while I think this is nonsense and rather than placing the burden on the users, they should request politely from the two telephone operating system vendors to set a default option to close all apps and possibly even reboot during an idle time. In my case, I think when on charger and the microphone detects snoring would work. But then it should restart and make sure my messaging apps are alive.
  • by AmazingRuss ( 555076 ) on Monday June 26, 2023 @10:13AM (#63633682)
    ... place it on the floor, and dance 16 times widdershins around it, chanting "Out! Out internet demons!"
  • The reason you might want to reboot your phone for security is because transient root attacks are easier than persistent root attacks.

    Modern mobile OSes have pretty tight boot verification schemes to ensure that your device is only running official software, which is designed to protect your security and privacy. Vulnerabilities are inevitable, though, and there are occasional vulns on both iOS and Android (fewer on Android, actually, assuming your device is up to date, which many aren't) that allow a remote attacker to take control of your device through some web site you visited or something. But once in control, it's very hard for the attacker to convert their temporary foothold into a persistent one that will survive reboot, because that would require defeating the boot-time verification scheme, and if the device is rebooted it may be difficult for the attacker to recreate the circumstances that allowed the initial intrusion.

    So, by rebooting your device you evict any attacker who has gained temporary access.

    How often does this actually happen to the typical user? Well, it obviously depends on the user's usage habits and on whether or not they're being specifically targeted. But on average the answer is "hardly ever". Still, if you want to be extra cautious, rebooting regularly isn't a bad practice. The NSA's suggestion of a weekly reboot makes more sense to me than a daily reboot, though, and I can see no reason at all to turn your phone off for five minutes.

    • When I re-boot my router, many times I get the same IP address, but if I leave it off for five or ten minutes, I get a different IP number. Is there possibly a similar mechanism that happens with Cell Phones?
      • When I re-boot my router, many times I get the same IP address, but if I leave it off for five or ten minutes, I get a different IP number. Is there possibly a similar mechanism that happens with Cell Phones?

        The reason that happens with DHCP is that devices that have received an IP address lease will attempt to renew it periodically. If they can't contact the router to renew it, they'll stop trying to renew and will instead shift to requesting a new one. By leaving the router off for a while you're just increasing the probability that your device tries to renew while the router is down. Though usually leases are long enough that 5-10 minutes shouldn't be enough... but maybe your router issues short leases.

        I'm

        • It just seems that if a hacker knew an IP address has a vulnerability, to use an analogy, and the address changes, then they would have to start all over scanning addresses for the same vulnerability. I don't know if it is a valid comparison to cell phones or not, just an idle thought.
        • Parent question was actually about his router getting a different IP address itself after rebooting, from his ISP's DHCP server. Not that that changes anything about your answer regarding mobile handsets...
      • With routers that is more likely to get the same IP(s) as your ISP generally does not randomize IP addresses assignments for fixed location devices. The ISP should but does not mean they will. I imagine with cell phones is harder to assign the same IP as the location of the device keeps changing and individual towers assigning addresses would have to keep track of it. It would be far easier in this case to grab any unused IP address.
    • How often does this actually happen to the typical user? Well, it obviously depends on the user's usage habits and on whether or not they're being specifically targeted. But on average the answer is "hardly ever". Still, if you want to be extra cautious, rebooting regularly isn't a bad practice. The NSA's suggestion of a weekly reboot makes more sense to me than a daily reboot, though, and I can see no reason at all to turn your phone off for five minutes

      Personally, reboots happen with major OS updates. Minor ones normally do not require a reboot. In my daily life, I have run out of battery on occasion and not be near an outlet or a battery pack. The most common scenario for me is when the phone is low before I got to bed and I do not charge it while I sleep.

    • Vulnerabilities are inevitable, though, and there are occasional vulns on both iOS and Android (fewer on Android, actually, assuming your device is up to date, which many aren't) that allow a remote attacker to take control of your device through some web site you visited or something. But once in control, it's very hard for the attacker to convert their temporary foothold into a persistent one that will survive reboot

      I don't understand the basis of this line of thought. Even if you were to stipulate the OS is an infallible read only brick prior to switching to "user mode".

      What stops an app having obtained root from creating a new app or modifying an existing one that gets called on startup and re-executing the exploit? How exactly is persistence difficult? My understanding is anything that has notification enabled basically has an excuse to run whenever it wants. How is this "very hard"?

      • What stops an app having obtained root from creating a new app or modifying an existing one that gets called on startup and re-executing the exploit?

        Depends on how the exploit works. A lot of them are "drive bys', from malicious web sites or similar, and a lot of them rely on getting lucky to get the vulnerability to work in the face of ASLR and other mitigations. There certainly are exploits initiated reproducibly by malicious apps and they can re-exploit the device at every reboot. But they're a minority, and verified boot schemes make it approximately impossible to modify the system software to install a persistent backdoor.

        • Depends on how the exploit works. A lot of them are "drive bys', from malicious web sites or similar, and a lot of them rely on getting lucky to get the vulnerability to work in the face of ASLR and other mitigations.

          I don't know how these two things can both concurrently be true. Either there is such a low probability of exploit succeeding that being affected is akin to winning the lottery or the app can simply keep spawning processes after the phone boots up until it gets "lucky".

          and verified boot schemes make it approximately impossible to modify the system software to install a persistent backdoor.

          It is not necessary to modify system software to persist exploits.

        • Depends on how the exploit works. A lot of them are "drive bys', from malicious web sites or similar, and a lot of them rely on getting lucky to get the vulnerability to work in the face of ASLR and other mitigations.

          And the other thing is that with the initial exploit you are flying blind. This isn't the case post-exploit. A software program written intentionally to achieve privilege escalation can be designed to gather layout data necessary so that it is no longer making blind guesses.

    • by cstacy ( 534252 )

      if the device is rebooted it may be difficult for the attacker to recreate the circumstances that allowed the initial intrusion.

      It will be just as easy as it was when it happened earlier that day. In other words: your phone might possibly be running the malware for a few minutes after you reboot it. Then it will happen as soon as you use the phone again (because you installed malware or because you use an app that is easily compromised).

      There is a small class of non-persistent attacks that a reboot MIGHT mitigate. That is, you use a vulnerable app that is compromised by external interaction. Such as a browser accessing a hostile web

      • if the device is rebooted it may be difficult for the attacker to recreate the circumstances that allowed the initial intrusion.

        It will be just as easy as it was when it happened earlier that day.

        Which may not have been easy at all, and may have relied on an unusual set of circumstances, such as tricking you into visiting a particular web page, plus ASLR happening to pick a particular address, etc.. A lot of exploitation is opportunistic... attackers cast a wide net and only manage to exploit a tiny fraction of devices. Rebooting will get you back to a good state, and odds are low that you'll get exploited again.

  • Get yourself a Moto and you won't have to worry about this as it will randomly reboot and takes at least 5 minutes to come back. Problem solved! Seems they were doing security right all along and nobody realized their frustrations were really for their own good! /s
  • But you're more addicted than a junky, and can't possibly turn the damn thing off.

  • And leave it there until morning. For the first three decades of my life it was perfectly fine to not be able to reach somebody directly except during special windows, like after dinner. That was your best opportunity. Calling during dinner time was considered rude. And for those who use their phone as their alarm clock... well, they do, in fact, still make alarm clocks. At the very least, make use of the do not disturb feature, and exercise some personal self control.

    People have forgotten how to be alone w

    • Ah, medical waiting rooms with copies of medical journals full of pharmaceutical ads in the days before prescription drug advertising to the public. From my teen years I remember one with a cartoon of aggressive circus animals "Morning Cats", referring to catecholamines, probably advertising propranolol (beta blocker).
    • by CAIMLAS ( 41445 )

      People used to do morning chores before work or school, too - like milking the cows or feeding the chickens/cows around 4-5am. We don't do that anymore, either - to our detriment, I feel.

      Most people don't have thoughts to be alone with, anymore.

      • by cstacy ( 534252 )

        People used to do morning chores before work or school, too - like milking the cows or feeding the chickens/cows around 4-5am. We don't do that anymore, either - to our detriment, I feel.

        Most people don't have thoughts to be alone with, anymore.

        They didn't have any thoughts back then, either. It's just that now they have better technology with which to advertise this.

        (Well, I don't know how far "back then" you want to go -- my personal knowledge only extends back about 70 years. I have no evidence that this has changed since Lucy's time, though. And I don't mean Ball.)

    • by cstacy ( 534252 )

      And leave it there until morning. For the first three decades of my life it was perfectly fine to not be able to reach somebody directly except during special windows, like after dinner.

      Life doesn't work on the same schedule and communications patterns as it did when I was a kid, 60-some years ago. But back then we certainly did have alarm clocks. And our phones were always on, 7x24. If you were privileged, your phone was in your room. (Much nicer than stretching the cord into the bathroom.) So what kind of phone do you have that doesn't allow you to turn off the ringer? Even my Western Electric has that feature.

      • "Life doesn't work on the same schedule and communications patterns as it did when I was a kid, 60-some years ago."

        I fundamentally disagree with you on this. We have become used to the idea of constant communication, but nearly all aspects of life continue to run fine if you forget your phone at home.

        "And our phones were always on, 7x24"

        Yep. But you weren't guaranteed to be beside it. Large parts of the time, nobody was "home". Communication deferred.

        My timeline is less than yours - I'm 53. But when I was a kid, the farm house had party lines.

        • by cstacy ( 534252 )

          "Life doesn't work on the same schedule and communications patterns as it did when I was a kid, 60-some years ago."

          I fundamentally disagree with you on this. We have become used to the idea of constant communication, but nearly all aspects of life continue to run fine if you forget your phone at home.

          How do you coordinate the numerous inevitable glitches in multiplexing the daily activities of you, your job, your wife's job, and the three children each involved in complicated transportation and activities?

          I'll tell you how we did it "back in the day".
          We didn't.
          Life was much simpler, less busy, and infinitely more constrained.We didn't do all those things; we could not do them: it would have been impossible.

          Cell phones have fundamentally changed the world, enabling things that were never practical or pos

  • Piles of Shit (Score:2, Insightful)

    This just goes to show that these smartphone things are just bags of shit that were designed by total absolute morons who should be put to death for their inability to design something that works properly.

    It would also be helpful if turning the damn thing off actually did anything -- but it does not. The same shite is still running after the power cycle as was running before the power cycle, so this will do absolutely fucking nothing whatsoever. The only way to actually "power down" one of these stupid-as

  • Usually the first Monday of the month, after google sends updates to my pixel phone.
  • This "security" idea brought to you from the folks at TSA, the Bigfoot/UFO chasers society and the inventor of the Covid bleach cure.

  • Will the giant spiders take it and make prank calls?
  • I've had the argument about "turning your phone off" or "rebooting your phone" with too many engineers. Very few systems are really meant to run 24/7/365, without being cleared, cleaned, rebooted, wiped, reset or maintained. Apart from rebooting your phone, clear the clipboard, clear messages, clear apps, clear temp storage, and just clean it up. I recommended removing email from your phone, especially work email, and never having old stale data on it.

    Oh, and do all the same stuff with your computer,
  • I mean we could penalize companies each time they do something wrong, or we could just ignore it. And put crappy band aids on everything. I mean that random person won't be held liable for ANYTHING EVER so whatever... I'm just smiling on the way to the super nova.

  • No wonder my parents have never been hacked. They let their phones run flat at least once a day!

Trap full -- please empty.

Working...