• jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    49
    ·
    7 months ago

    It’s actually good advice to periodically restart your secure devices. There are many exploits that can only persist in memory and not on the actual storage device itself. So by restarting you go back into a known good state. And any malicious actor would have to reinfect your phone, which may not be guaranteed

    • acetanilide@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      7 months ago

      This is fascinating to me because I was taught not to restart your computer if you suspected malware because restarting it would basically activate it

      • RGB3x3@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        2
        ·
        7 months ago

        You can’t activate malware by restarting your system. There’s no reason why an attacker would wait for a restart to do what they want to do.

        What can happen is that restarting doesn’t help fix anything related to malware if the malware has been written to gain persistence. It’ll edit the registry so that it can run on startup, so restarting your system makes no difference.

        • yildolw@lemmy.world
          link
          fedilink
          English
          arrow-up
          8
          ·
          7 months ago

          They might be thinking of malware spread on floppy disk or a usb stick. A restarting computer with sus media inserted might have treated them as a boot device back in the day and run the executable code with higher privileges

        • CameronDev@programming.dev
          link
          fedilink
          English
          arrow-up
          4
          ·
          7 months ago

          It would entirely depend on the design of the malware. If a malware author wanted to chronologically separate infection from detection, doing persistance and then not activating until next reboot wouldnt be unreasonable.

          For example, if a user visits a site, and 10 seconds later their PC gets cryptolockered, they can report the site. If they visit a site, and then a hundred others, and then 10 days later their PC reboots and gets cryptolockered, they will have no idea which site did it.

    • CameronDev@programming.dev
      link
      fedilink
      English
      arrow-up
      4
      ·
      7 months ago

      Only exploits that require human intervention would be defeated by this though. If you have a zero touch exploit that can privesc, the persistance doesnt need to be anything special, you can just wrap your exploit in an ordinary android app and request it be woken up on next boot.

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        7 months ago

        Not necessarily true. It could be a buffer overflow in text message processing, it’s still requires a text message to be sent to the phone.

        It could be a Wi-Fi or Bluetooth exploit, which requires locality.

        It could be a browser, webview, certificate exploit that requires a sophisticated chain of events with a low probability to intercept a web page and get the user to do something that isn’t guaranteed.

        The exploit might display itself to a user on the phone, so every time it’s applied there’s a risk of discovery.

        Not to mention many advanced persistent threats do not want their exploits to be analyzed, so they will not leave them sitting around to be collected, just waiting for the device to need a reinfection. That’s valuable signals capability that you give to your adversary they just need to analyze it.

        • CameronDev@programming.dev
          link
          fedilink
          English
          arrow-up
          3
          ·
          7 months ago

          Those all are things that require external human intervention though?

          If the malware is persistent, then one way or another it needs to leave an exploit on the device, it can either be a persistance exploit, or a privesc exploit.

    • Emotet@slrpnk.net
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      7 months ago

      Just be mindful when restarting automatically, as some OS offer. It’s neat not having to remember to manually restart every few days, but your pending notifications will get lost and, depending on your setup, your cellular/network connections will not automatically reconnect until you login.

    • taladar
      link
      fedilink
      English
      arrow-up
      3
      ·
      7 months ago

      It is also a good idea for computing devices in general since not restarting means effectively restarting and finding out that the restart didn’t work properly or that you do not have all the information needed to log back in at the worst possible time, one you didn’t choose yourself. And if you do it often enough the number of updates/changes that could be the cause is significantly lower than if you keep things running for a long time before a restart.

    • Socsa
      link
      fedilink
      English
      arrow-up
      3
      ·
      7 months ago

      It also guarantees you will cycle keys out of memory, which is always a good idea when crossing borders and whatnot.