Hackers are getting craftier. Could this simple fix protect data?
Richmond, Va.
As a member of the secretive Senate Intelligence Committee, Sen. Angus King has reason to worry about hackers. At a briefing by security staff this year, he said he got some advice on how to help keep his cellphone secure.
Step One: Turn off phone.
Step Two: Turn it back on.
That’s it. At a time of widespread digital insecurity it turns out that the oldest and simplest computer fix there is – turning a device off then back on again – can thwart hackers from stealing information from smartphones.
Regularly rebooting phones won’t stop the army of cybercriminals or spy-for-hire firms that have sowed chaos and doubt about the ability to keep any information safe and private in our digital lives. But it can make even the most sophisticated hackers work harder to maintain access and steal data from a phone.
“This is all about imposing cost on these malicious actors,” said Neal Ziring, technical director of the National Security Agency’s cybersecurity directorate.
The NSA issued a “best practices” guide for mobile device security last year in which it recommends rebooting a phone every week as a way to stop hacking.
Mr. King, an independent from Maine, says rebooting his phone is now part of his routine.
“I’d say probably once a week, whenever I think of it,” he said.
Almost always in arm’s reach, rarely turned off, and holding huge stores of personal and sensitive data, cellphones have become top targets for hackers looking to steal text messages, contacts, and photos, as well as track users’ locations and even secretly turn on their video and microphones.
“I always think of phones as like our digital soul,” said Patrick Wardle, a security expert and former NSA researcher.
The number of people whose phones are hacked each year is unknowable, but evidence suggests it’s significant. A recent investigation into phone hacking by a global media consortium has caused political uproars in France, India, Hungary, and elsewhere after researchers found scores of journalists, human rights activists, and politicians on a leaked list of what were believed to be potential targets of an Israeli hacker-for-hire company.
The advice to periodically reboot a phone reflects, in part, a change in how top hackers are gaining access to mobile devices and the rise of so-called “zero-click” exploits that work without any user interaction instead of trying to get users to open something that’s secretly infected.
“There’s been this evolution away from having a target click on a dodgy link,” said Bill Marczak, a senior researcher at Citizen Lab, an internet civil rights watchdog at the University of Toronto.
Typically, once hackers gain access to a device or network, they look for ways to persist in the system by installing malicious software to a computer’s root file system. But that’s become more difficult as phone manufacturers such as Apple and Google have strong security to block malware from core operating systems, Mr. Ziring said.
“It’s very difficult for an attacker to burrow into that layer in order to gain persistence,” he said.
That encourages hackers to opt for “in-memory payloads” that are harder to detect and trace back to whoever sent them. Such hacks can’t survive a reboot, but often don’t need to since many people rarely turn their phones off.
“Adversaries came to the realization they don’t need to persist,” Mr. Wardle said. “If they could do a one-time pull and exfiltrate all your chat messages and your contact and your passwords, it’s almost game over anyways, right?”
A robust market currently exists for hacking tools that can break into phones. Some companies like Zerodium and Crowdfence publicly offer millions of dollars for zero-click exploits.
And hacker-for-hire companies that sell mobile-device hacking services to governments and law enforcement agencies have proliferated in recent years. The most well known is the Israeli-based NSO Group, whose spyware, researchers say, has been used around the world to break into the phones of human rights activists, journalists, and even members of the Catholic clergy.
NSO Group is the focus of the recent exposés by a media consortium that reported the company’s spyware tool Pegasus was used in 37 instances of successful or attempted phone hacks of business executives, human rights activists, and others, according to The Washington Post.
The company is also being sued in the United States by Facebook for allegedly targeting some 1,400 users of its encrypted messaging service WhatsApp with a zero-click exploit.
NSO Group has said it only sells its spyware to “vetted government agencies” for use against terrorists and major criminals. The company did not respond to a request for comment.
The persistence of NSO’s spyware used to be a selling point of the company. Several years ago its U.S.-based subsidiary pitched law enforcement agencies a phone hacking tool that would survive even a factory reset of a phone, according to documents obtained by Vice News.
But Mr. Marczak, who has tracked NSO Group’s activities closely for years, said it looks like the company first started using zero-click exploits that forgo persistence around 2019.
He said victims in the WhatsApp case would see an incoming call for a few rings before the spyware was installed. In 2020, Mr. Marczak and Citizen Lab exposed another zero-click hack attributed to NSO Group that targeted several journalists at Al Jazeera. In that case, the hackers used Apple’s iMessage texting service.
“There was nothing that any of the targets reported seeing on their screen. So that one was both completely invisible as well as not requiring any user interaction,” Mr. Marczak said.
With such a powerful tool at their disposal, Mr. Marczak said rebooting your phone won’t do much to stop determined hackers. Once you reboot, they could simply send another zero-click.
“It’s sort of just a different model, it’s persistence through reinfection,” he said.
The NSA’s guide also acknowledges that rebooting a phone works only sometimes. The agency’s guide for mobile devices has an even simpler piece of advice to really make sure hackers aren’t secretly turning on your phone’s camera or microphone to record you: don’t carry it with you.
This story was reported by The Associated Press.