Top 16 Tips to Secure Your Phone
Introduction
The NSA released guidance for the general public to secure their mobile phones. It's a two-pager with pictures, and it has some great tips to fill the current void in cybersecurity awareness.
However, I know that my friends and family, like most people in the general public out there, are not actively seeking out this information. And while they want to be cyber safe, for such a big, complicated topic it's tough to figure out how to get started.
So I made this video and blog post to try and amplify the message that these tips from the top experts are out there in a two-pager that you can follow, and I walk through it to make it easier to consume. Pass it on to people you care about, to help them protect their identities, critical data and money from mobile phone risks.
There are 16 tips in total, and I'll start with the ones that align to CISA's top 4 tips to be cyber safe.
1. Software Updates
Update device software and applications as soon as possible. Those prompts on your phone that a software update is ready to install are annoying, but they're important to act on, because all software has flaws, and there's an arms race going on between attackers finding these flaws and defenders patching them up. Here's a great read on this topic:
2. Strong Passwords
Use strong lock-screen PINs/passwords: a 6-digit PIN is sufficient if the device wipes itself after 10 incorrect password attempts. Set the device to lock automatically after 5 minutes.
If your phone is lost or stolen, this PIN and lock screen are the only things standing between you and a hacker getting access to your digital life. On an iPhone it's Settings > Face ID & Passcode > Change Passcode.
3. Do Not Open Unknown Email Attachments and Links
Even legitimate senders can pass on malicious content accidentally, or as a result of being compromised or impersonated by a malicious actor. This is CISA's "think before you click". It also ties into the FBI's list of common scams and crimes, including:
Adoption fraud
Business and investment fraud
Business email compromise
Elder fraud
Romance scams
And more
This is big business and it's awful stuff. In elder fraud, scammers contact grandparents to say that a child or grandchild is in trouble. Then that patriarch or matriarch instinct kicks in and the grandparent wants to help. But pump the brakes on those emotions and call around to verify legitimacy before clicking links or sending money, because it's probably a scam.
4. Do Not Click Unexpected Pop-Ups
Same deal: unexpected pop-ups on your phone can be malicious. If one appears, forcibly close all applications.
5. MFA Everyday
The last top 4 tip from CISA is to MFA everyday (use multifactor authentication). That's application specific and not phone specific, but I'll shoehorn it in here where the handout talks about applications. The more applications you have, with or without MFA, the more attack surface you have, and the more attack surface you have, the more risk you're holding onto. Install the minimal number of applications, and only from official application stores. Be cautious about the personal data you enter into applications. Close applications when you are not using them.
Even apps that look legitimate could be lying to you in the app store when they say "no data collected". We saw this in the Google Play Store a few months ago, when some innocent-looking apps called File and Data Recovery and File Manager, which were downloaded half a million and a million times, turned out to be malicious spyware that stole contact lists, photos, audio files, video files and other information.
6. Do Not Have Sensitive Conversations on Personal Devices, Even if You Think the Content is Generic.
This should be a campaign in itself. Your text messages are sent on an old, unencrypted protocol. That means the words you type go out on the wire in plain text. They haven't been encrypted into cipher text like in the movie The Imitation Game.
So hackers can intercept your messages, and they don't need a password or a secret key to view what you typed in an SMS chat. Now you might say that you're not worried about this because you're not a journalist or a politician; you're not interesting and you have nothing to hide.
I thought the same thing, until I saw this poster from security experts called "You Are a Target".
It lists specific ways that your accounts, digital assets and devices are targeted to make what can be small amounts of money but they add up at scale. They don’t need to rob one bank to make a million dollars. On the internet they can rob 100,000 people for $10 each.
When it comes to text message risks, there are also a couple of concepts to wrap your head around: permanent record and service provider data breaches.
Your cell phone carrier has all your text chats in a database, and they might not have told you when they will delete them, or if they ever will. One day a hacker might steal that database from your carrier and post it on the dark web. Then your phone number, name, and every text message you've ever sent is available for sale in criminal marketplaces. That wouldn't be good.
Here's a 4-year-old article from Mandiant called "Who's Reading Your Text Messages" that talks about this.
Some messaging apps use encryption, making them more secure than text messages, but they have other flaws around keys and logs, so "don't have sensitive conversations on your phone" from the NSA here is good advice.
Moving over to phone conversations, they say the same thing:
7. Do Not Have Sensitive Conversations in the Vicinity of Mobile Devices Not Configured to Handle Secure Voice
The themes here are similar to the ones we went through for text messages.
8.1 Do Not Connect to Public WiFi Networks
It's easy for hackers to set up fake Starbucks WiFi that looks like the real Starbucks WiFi, but if you connect to the bad one, it allows crooks to see everything you do, including typing in banking or email passwords, or when you type in puppies.com it will re-route you to a malicious website.
As an alternative, just stay on your cell network, and don't connect to WiFi outside your home. If you need to do something with your laptop on the road, connect it to your phone as a mobile WiFi hotspot instead of the airport or coffee shop WiFi.
Or, if you must use public WiFi, use a VPN app to make an encrypted tunnel that hides your traffic from the WiFi provider.
8.2 Disable WiFi When Not Using It and Remove Unused WiFi Networks
This is because your phone could be sending WiFi probe requests. Naomi Brockwell has a good video about this:
As you carry your phone around with you in your pocket, it could be broadcasting every WiFi network you've ever connected to, as you walk around. It’s saying:
“Are you my in laws house?”
“Are you my home WiFi?”
And it's giving information about those networks to whatever devices are listening. This allows hackers to track you, see everywhere you've been, and can even help them get access to your device.
9. Disable Bluetooth When You're Not Using It
Similar reasons, as well as Bluetooth specific vulnerabilities and attacks:
Bluejacking: unsolicited messages
Bluesnarfing: stealing information such as contacts, messages, and even photos, without the owner's knowledge
Bluebugging: taking control of a phone to make calls, send messages, and access the internet, potentially incurring costs or accessing sensitive information.
10. Do Not Enable Location Services When Not Needed
For similar reasons as the prior topics, as well as privacy concerns.
11. Power On And Off Weekly
That's a good way to clear persistence if a hacker is already in your phone. If they're in there it's hard to tell, because cybersecurity is a silent killer. The NSA gave similar guidance in February to power off home routers weekly:
12. Do not Jailbreak Your Device to Sideload Apps
This increases risk related to software updates and Trojan horse applications, like that spyware we talked about a minute ago.
13. Maintain Physical Control of the Device
If your phone gets into a hacker's physical hands, it's easier for them to break in than doing it remotely. Having physical access to a computer system is at the top of the "pyramid of pain", meaning that if you don't give hackers physical access, you make it more painful, or harder, for them to hack you.
14. Cover Your Camera and Mic
I get made fun of by trendy friends and family members for my case that has a big, awkward flap. My response:
If I could clip my phone to my belt like in the old days, I would; that was optimal.
The flap covers my camera, which the experts recommend that I do. It seems prudent for cyber safety.
15. Consider Using Biometrics
I've heard that face scans can be vulnerable to photo-based hacks. It's a balancing act here of security and convenience for your personal threat model.
16. Use only Trusted Accessories, Not Public USB Charging Stations
This is similar to #13 about maintaining physical control. Also a great example here from David Bombal:
Conclusion: What Do These Controls Help Reduce Your Risk Of?
Page two of the handout has a list:
Spear phishing
Malicious apps
Zero-click exploits
Malicious WiFi Networks
Untrusted cellular networks
And other threats/vulnerabilities
These are the things that can result in your identity, critical data and money being stolen. I hope you found this walk-through helpful. If you have any questions or feedback, just let me know in a YouTube comment.
Thanks for reading and/or watching. Be safe, be well.