The Australian Prime Minister, Anthony Albanese, has apparently advised people Down Under to turn off their mobile phones once a day, for the surprisingly precise period of five minutes, as a cybersecurity measure.
UK newspaper The Guardian quotes the PM as saying:
We all have a responsibility.
Simple things, turn your phone off every night for five minutes.
For people watching this, do that every 24 hours, do it while you’re brushing your teeth or whatever you’re doing.
Why at night? Why every day? Why for five minutes, and not, say, two minutes or 10 minutes?
We’re not sure.
But the Guardian suggests that the reason is that this will “stop any spyware that may be running in the background on your device.”
There’s some truth in this, given that malware infections can generally be divided into two separate categories, known in the jargon as persistent threats and the rest.
In malware terms, persistence generally refers to rogue software that outlives the app that launched it, that outlives your current logon session (if you’re on a laptop), or that survives even a full power-off and reboot.
But non-persistent threats are transient, and don’t survive from app launch to app launch, or from session to session, or from shutdown to reboot.
And shutting down generally closes all your apps, then closes down the entire operating system, thus stopping any malware or spyware that was active in the background, along with everything else.
In that sense, regularly rebooting your phone won’t do any harm.
There’s a lot more to it
The problem is that most malware these days, especially secretive mobile spyware developed at the likely cost of millions of dollars, will be of the persistent threat sort, meaning that it won’t exist only in memory until the end of your current session and then evaporate like early-morning summer mist.
For example, Apple’s latest spyware-crushing security update for iPhones, iPads and Macs included patches for two zero-day code execution vulnerabilities: one in WebKit, Apple’s low-level browser software, and one in the operating system’s own kernel.
If attackers can only trigger the execution of unauthorised code inside your browser, then it’s likely that their malware won’t be able to escape from the browser process and therefore won’t be able to access or modify any other parts of the device.
The malware might therefore be limited to the current browser session, so that rebooting your phone (which would bump the browser software and its injected malware code out of memory) would indeed magically disinfect the device.
But if the unauthorised code that the attackers run inside your browser via the zero-day WebKit bug follows up by triggering the other zero-day bug in the kernel, you are in a pickle.
The attackers can use the non-persistent malware in your browser to compromise the kernel itself, getting control over your entire device.
Then, the attackers can use the unauthorised code running inside your kernel to implant a persistent malware infection that will automatically start back up whenever your phone does.
If that’s how the attackers choose to do it, then religiously rebooting your phone every day will give you a false sense of security, because it will feel as though you’re doing something really important and useful, even though you aren’t.
Other tips to consider as well
With that in mind, here are some additional mobile cybersecurity tips to consider as well.
Unfortunately, none of these are quite as easy and unintrusive as simply “turning it off and back on again”, but they’re all worth knowing about:
- Get rid of apps you don’t need. Uninstall unnecessary apps entirely, and delete all their associated data. If your needs change, you can always reinstall the app in the future. The best way to avoid having data snooped on by malware is not to have it stored where the malware can see it in the first place. Unfortunately, many mobile devices come with a raft of preinstalled software that can’t be uninstalled, known disparagingly in the jargon as bloatware, but some of these non-removable packages can be turned off to prevent them running automatically in the background.
- Explicitly log out from apps when you aren’t using them. This is unpopular advice, because it means you can’t just open an app such as Zoom, Outlook or Strava and be back in the middle of a meeting, a discussion forum or a group ride at a moment’s notice. And logging in with passwords and 2FA codes via the fiddly keyboard of a mobile phone can be annoying. But the best way to avoid exposing data by mistake is to authorise yourself, and therefore your device, to access it only when genuinely necessary. Rebooting your device doesn’t “reboot” the logged-in status of the apps you use, so your phone starts back up with all your commonly used apps automatically reauthenticated to their respective online accounts, unless you previously logged out deliberately. Unfortunately, different apps (and different operating system options) implement their logout processes in different ways, so you may need to dig around to find out how to do this.
- Learn how to manage the privacy settings of all the apps and services you use. Some configuration settings can be controlled centrally via your phone’s operating system Settings app, others can be managed in the app itself, and others may need you to visit an online portal. Sadly, there’s no shortcut for this, because different apps, different operating systems, and even different mobile network providers, have different setup tools. Consider setting aside a rainy weekend afternoon to explore the myriad privacy and security options that exist in your own chosen apps and services.
- Learn how to clear your browser history, cookies and site data, and do so frequently. Rebooting your device doesn’t “reboot” your browser history, so all sorts of tracking cookies and other personal history items get left behind, even when your phone restarts. Once again, each browser does it slightly differently, so you need to match the history-and-cookie-clearing procedure to the browser or browsers you use.
- Turn off as much as you can on the lock screen. Ideally, your lock screen would be just that, a locked screen at which you can do exactly two things, namely: make an emergency call, or unlock your device for use. Every app that you allow to access your “lock” screen, and every bit of personal data that you allow to be shown on it (upcoming meetings, message subject lines, personal notifications, and so on) weakens your cybersecurity posture, even if only slightly.
- Set the longest lock code and the shortest lock time you can tolerate. A little inconvenience to you can be a massive extra hassle to cybercrooks. And get in the habit of manually locking your device whenever you put it down, even if it’s right in front of you, just for added peace of mind.
- Be aware of what you share. If you don’t actually need to know your location precisely, consider turning off Location Services completely. If you don’t need to be online, try turning off Wi-Fi, Bluetooth or your mobile connection. And if you genuinely don’t need your phone at all (for example, if you are going to go out for a walk without it), consider powering it down completely until later, just as the Australian PM suggests.
- Set a PIN code on your SIM card, if you have one. A physical SIM card is the cryptographic key to your phone calls, text messages and perhaps some of your 2FA security codes or account resets. Don’t make it easy for a crook who steals your phone to take over the “phone” part of your digital life simply by swapping your unlocked SIM card into a phone of their own. You only need to re-enter your SIM PIN when you reboot your phone, not before every call.
By the way, if you’re planning to start rebooting your phone regularly – as we mentioned above, it doesn’t do any harm, and it does give you a fresh operating system startup every day – why not follow exactly the same process with your laptop as well?
Sleep mode on modern laptops is mightily convenient, but it really only saves you a couple of minutes every day, given how quickly modern laptops boot up in the first place.
Oh, and don’t forget to clear your laptop browser history regularly, too – it’s a minor inconvenience for you, but a major blow to those stubborn website owners who are determined to track you as closely and as doggedly as they can, simply because you let them do so.
Richard Pennington
Another good reason (but not directly related to cybersecurity) for a nightly shut-down-and-reboot is that it limits the effects of memory leaks. Also it may trigger alerts to upgrade some of your apps.
Crystal
It kind of makes me think Albanese’s Cyber sec advisor has just watched a lot of IT Crowd and sent him the meme in jest; only to be take it too literally.
Side note:
I know that some Aus banks are running war games for ransomware etc- this sounds like such a great way to encourage awareness! I would be curious to know how to push this kind of gamified training onto the public.
Barbara Denham
I found this quite interesting. My mobile charges faster – and stays cooler, when it’s switched off. So I switch it off every day anyway. And I leave it at home doing this, whilst walking the dog, some days too. And for the rest, I might very well follow some of these tips. Better to be safe than sorry.
Kim
Some of the things you mentioned were simple enough. However some could use a little more explanation or a script for those of us not completely tech savvy.
Paul Ducklin
That’s not a bad idea, given that no two apps or OSes seem to be the same. I have Edge on my iPhone, but Safari is still there (built-in, can’t be removed), and the cookie-zapping process is quite different for each one.
If time allows… maybe I could do some short video explainers for popular apps, he said hopefully…
Jorge Acosta
Why only 5 min? Why once a day? My wife and I have a saying: when we sleep our phones are asleep. I. O. W, we turn them off for 8 or hours every night. Extends the life if the battery.
AJ
What if someone is in an emergency and needs to reach you? That’s not very wise.
Paul Ducklin
They could call at many times each day when you aren’t able to hear the phone for a few minutes, even when your phone is on, right?
Presumably they’d be stuck with leaving a voicemail (or messaging you in another way) in any case?
(I’m assuming that you don’t take your phone into the bathroom, for example, or for a swim, and that you don’t take calls while riding a bicycle or driving a car, and so on.)
As you can see, I’m not personally very impressed by this advice, and though I do turn my phone off regularly, I don’t do it algorithmically once a night… and I don’t quite understand the specific “5 minutes” part of it. To me it feels like those weird and never, ever explained airline rules about “maximum 100ml of toothpaste” whereby you can have three 75ml tubes in but not one 110ml tube. Maybe you could just do a 2-minute reboot period?
Anonymous
It’s for only 5 minutes for goodness sake,!!
Paul Ducklin
Though why 5 minutes we simply don’t know. That sounds a bit like sympathetic magic to me… why 5 mins but not, say, 2 mins or even just 30 seconds? And if 5 mins “just to be sure” (of what, we don’t know, unless it’s to let RAM lose it contents for sure), why not go for 10 mins to be sure, to be sure?
Cassandra
Why 5 minutes?
Because the PM says so? He is of course an economist, so like all PMs, he is wonderfully qualified to give scientific advice!
Who advised him, or did he read it on Twitter?
Perhaps a SPAD (Special Adviser) who read media studies at University heard that “switching off and on again” solved most IT problems – so they tarted up the advice a bit before advising their boss that 5 minutes “was a good amount of time” – because that is less time than it takes to brush your teeth, have a shave and take a d**p – and was therefore a politically acceptable message (an economist’s trade-off). All very scientific.
A colleague at a place I worked convinced our director that if he picked up his phone and got a dial tone before he switched on his computer terminal (which he used for emails), it would log on faster – you almost wonder if some minion thought it would be fun to get the PM to say “switch your phone off whilst you brush your teeth” – and then see if they could get some urban myth going that smartphones interfered with electronic toothbrushes!
Paul Ducklin
I have read that airlines often make sure that the baggage carousels chosen for very popular short-haul flights aren’t too close the the gate where the flight arrives. The extra couple of minutes that it takes to reach the baggage reclaim makes the final wait at the carousel seem much shorter and apparently reduces complaints about tardiness…
Pete
What kind of emergency are you thinking of, which isn’t handled much better by professional emergency services but requires your 24/7 availability?
And how do you ensure this availability? Probably you can’t drink or travel a significant distance, need to have back up phones, back up cars, etc. Sounds like a stressful life…
Ivan
I’m curious about the impact of simcard cloning. Would taking your device offline, not make that process easier?
Paul Ducklin
SIM cards can’t (easily) be cloned.
They can, however, be “swapped”, which is where a crook tricks or bribes a phone shop employee into issuing them a new, replacement SIM with your number on it.
This invalidates the old SIM, so your phone loses its mobile connection.
So, if your phone is turned off, you aren’t in a position to notice this, which could indeed buy the SIM swappers a bit more time before you report the problem…
…on the other hand, if all the crooks want to do is to hijack one 2FA code to take over (say) your email account, they don’t need much time anyway.
JohnL
Certainly on the Apple devices you can set it to wipe the phone after a certain number of missed PIN entries, which I do (it’s unhelpfully called “Erase Data”, which people might be nervous about turning on). If they can hack around the PIN it doesn’t help, if not PIN length is less of an issue…
BTW I set “Require Passcode” to immediately.
Paul Ducklin
You’re talking about the lock code *on the phone itself* to keep people out of the device.
That’s separate from setting a PIN on your SIM card, so it can’t be removed from your phone and used immediately in another phone.
SIM PINs can be 4 to 8 digits, and a SIM card will automatically lock after 3 wrong PINs.
At this point you have to put in a 10-digit PUK code, which is usually on a scratch card you get when you buy the SIM.
If you get the PUK wrong 10 times then the SIM basically invalidates itself and has to be replaced.
Tom
Plot twist: rebooting your phone reboots the Spyware that may have crashed over the last 24 hours 😜
Paul Ducklin
Drum sound effect/Cymbal sound effect!
(And a neat reminder of the “law of unintended consequences”.)
My personal opinion is that rebooting your phone every day is unlikely to do any harm, but any cybersecurity good it might do is more by accident than by design.
And if it is *all* you do on the mobile cybersecurity front, because it is so much easier than actually learning how to protect your own privacy online, and adapting your digital lifestyle to suit…
…then you are part of the problem, not the solution.
Lynne
Sociologically minded (rather than techo minded) would understand that Anthony Albanese’s “5 minutes” to a REAL Australian is like a “country mile”. 5 minutes is whatever fits the need, situation and environment.
Paul Ducklin
5 mins. “A brief period, but not so short as to make it impossible to get a fair shake of the sauce bottle.”
Jim B
Could you clarify the difference between clearing a browser history, and clearing browser cookies.
Clearing cookies erases tracking data, logins, session, etc.
Clearing history erases the list of places that you’ve been, which breaks autocompletion of addresses, which increases the chance of mistyping an address, which plays into the hands of typo-squatting malware sites. Not ideal.
Paul Ducklin
I meant “clearing everything”, including cookies and history.
Clearing history doesn’t clear your bookmarks. Leaving your browser history intact for ages is definitely not recommended. If you are worried about typosquatting, carefully set your own bookmarks and use those. Don’t rely on browser history, which can be manipulated, leeched (very useful to attackers), and also records sites you did not mean to visit, which would tend to compound typosquatting mistakes, not to prevent them!
Anonymous Coward
Hi Paul,
Excellent article as always. Would suggest that with later versions of Windows, shutting down a computer and rebooting a computer is now no longer the same thing.
AIUI, shutting down is now more akin to a hibernate, where large parts of the working memory are saved to disk, and many processes preserved through the shutdown / boot cycle – for purposes of convenience and speed.
Rebooting on the other hand is a clean refresh, in the traditional sense.
Just thought your readers would want to know that.
Paul Ducklin
I deliberately chose the words “shut down” in the sense of “full power-down and computer off, wait a bit and then turn it back on yourself”, not just closing the lid, hitting the Lock key-combination, logging off, or doing a software reboot.
In other words, what Windows and Mac refer to as “Shut Down” and what most mobile phones refer to as “Power off”, an option usually accessed by long-pressing the lock button (rather than just locking your phone by short-pressing the lock button).
I am guessing, as suggested above, that the reason that the suggested process is “shut down, wait a bit, turn back on” instead of simply “do a restart/reboot” is because some RAM chips retain some of their contents for some time, perhaps even tens of seconds, even after losing power.
Although RAM chips consist of zillions of capacitors that need recharging several times a second to ensure that they don’t lose their contents by mistake during regular use…
…they don’t reliably or inevitable *lose* their contents within, say, the first second after losing power. Which raises the question, “How long to wait to be sure that the RAM data has drained away and that nothing could possibly survive?” 10 seconds? Not enough. 30 seconds? Probably OK, but who can say? An hour? Overkill that no one will accept! A minute? Hmmmm, let’s avoid arguments and say 5 mins.
John B
On W10 (probably 11) the windows Shut Down option does not do a shut down, it enters a hibernate mode.
Hold down the shift key whilst clicking on shut down to perform a full old fashioned power down, so the OS starts fresh.
A Reboot does perform a full flush of the OS and shuts down but restarts immediatly, so you could also reboot then shutdown before logging back on.
Paul Ducklin
On my Windows 11 (VM, admittedly) the Shut Down option does what it says. All apps exit; OS logs you off; computer powers down.
John B
Sorry late reply
I use Shift+Shutdown so much I had forgotten the original reason behind it.
Its due to the Fast Startup feature introduced in W8. This can be disabled via power options but is still available in W11.
Niels Peter B. Nielsen
Why not try to see, how many minutes or perhaps hours you can be independent on screen and online activity – every day ?
I feel obsessed myself and want my life back. This could be a beginning.
Paul Ducklin
Turning your phone off for 5 mins while you’re in the bathroom isn’t likely to help much because you wouldn’t have your phone with you anyway. (One assumes. For hygiene and humidity reasons if nothing else :-)
In fact, this sort of “think of it as a behaviour that works for the common good” routine might end up being counterproductive, because it will feel as though you are actively doing something that addresses the problem, when in fact you are merely turning your phone off when you wouldn’t be using it anyway in order to “tick a box” labelled cybergoodness…
…but if you think it will help, don’t let me discourage you!
John
Good article. Very clear and to the point.
Paul Ducklin
Thanks. Glad you found it useful!