FBI Warns iPhone and Android Users – Stop Texting

Republished on December 5 with additional comments from the FBI and reports of US political pressure given the scale of these Chinese cyberattacks.

Timing is everything. Just as Apple’s adoption of RCS seemed to signal a return to texting versus the unstoppable growth of WhatsApp, a surprising new obstacle is coming to stop it. While Android-to-Android or iPhone-to-iPhone messages are secure, one-to-one messages are not.

Now even the FBI and CISA, the US Cyber ​​Defense Agency, are warning Americans to responsibly use encrypted messages and phone calls where they can. The backdrop is the Chinese hacking of US networks that is reportedly “ongoing and likely greater in scope than previously understood.” Fully encrypted communications are the best defense against this compromise, and Americans are encouraged to use them wherever possible.

ForbesFBI Hacking Warning – Change 2 Settings on Your iPhoneBy Zak Doffman

Network cyber attack, attributed to Salt Typhoona group affiliated with China’s Ministry of Public Security, has raised concerns about the vulnerabilities of critical US communications networks. The reality is different. Without completely end-to-end encrypted messages and calls have there always been a potential for content to be intercepted. This is the whole reason why Apple, Google and Meta recommend its use, highlighting the fact that even they cannot see content.

According to a senior FBI official, “within investigative activity, especially one this significant and this large, facts will develop over time… The continued investigation into China’s targeted commercial telecommunications infrastructure has revealed a broad and significant cyberespionage campaign.” That campaign, he warned, “identified that PRC-affiliated cyber actors have compromised networks of multiple telecommunications companies to enable multiple activities,” confirming that “the FBI began investigating this activity in the late spring and early summer of this year.”

The FBI official warned that citizens should “use a cell phone that automatically receives timely operating system updates, responsibly managed encryption, and phishing-resistant MFA for email, social media, and collaboration tool accounts.”

As reported by Politicaladded CISA’s Jeff Greene to this, “strongly urging Americans to ‘use your encrypted communications where you have them… we certainly need to do that, as well as look at what it means long term, how we secure our networks’ .”

As for what is known about the Salt Typhoon attacks so far, while the FBI official warned that extensive call and text metadata was stolen in the attack, expansive call and text content was not. But “the actors compromised private communications of a limited number of individuals primarily involved in government or political activities. This would have included call and text content.”

The scale of the hacking campaign and the implications for US critical infrastructure and the security of its networks have created an unsurprising political storm. As reported by Reuters, “U.S. government agencies held a classified briefing for all senators Wednesday about China’s alleged efforts known as Salt Typhoon to dig deep into U.S. telecommunications companies and steal data on U.S. calls.” After the briefing, “US senators promise action.”

Reuters also reported that “a Senate Commerce subcommittee will hold a hearing on Dec. 11 on Salt Typhoon and how ‘security threats pose risks to our communications networks, and review best practices.'” There are growing concerns about the size and scope of the reported Chinese hacking of US telecommunications networks and questions about when companies and the government can reassure Americans about the matter.”

During Tuesday’s original media briefing, CISA’s Greene reportedly suggested “that Americans use encrypted apps for all their communications,” (1,2). This means stop sending texts from iPhone to Android, even though iMessages and Google Messages are fully encrypted while on these platforms.

Greene added that “our proposition, what we’ve been telling people internally, is not new here: encryption is your friend, whether it’s on text messages or if you have the capacity to use encrypted voice communications. Even if the adversary is able to intercepting the data if it is encrypted will make it impossible.”

An alert into the ongoing telecom network hacks issued jointly by the FBI, CISA and NSA — as well as other Five Eyes agencies — were released Tuesday.

The lack of end-to-end encryption to protect cross-platform RCS, the successor to SMS, is a glaring omission. It was highlighted in Samsung’s recent PR release celebrating the success of RCS, which included the caveat that only Android to Android messages are secured. It’s still a stark irony that while Google and Apple separately advise Android and iPhone users to rely on end-to-end encryption, it’s still lacking when it comes to RCS, with no timeline in sight for a correction.

The mobile standards setter, GSMA, and Google have said encryption will come to RCSbut there is no fixed date yet. This assurance appeared to be a response to the backlash following Apple’s update with the media coverage of the security issue. Apple – whose iPhone ecosystem includes increasingly full encryption – has not commented.

There is an ironic twist to these warnings. Seam PC Mag commented, “this push to use end-to-end encryption is ironic, since the FBI has long complained that the same technology could hinder its investigations into seized smartphones and online accounts belonging to criminal suspects.”

Given this, the FBI’s precise wording is critical, emphasis on responsible encryption that has been mostly overlooked in reports. Responsible in this context means providing access to user data through legal requests, including – potentially – content. While this may seem like a subtlety, it is anything but. This rules out many of the biggest, best-known messaging platforms – such as WhatsApp and Signal, as they cannot provide access to any content without an endpoint (device) compromise that accesses the data at one end of the end-to-end encryption .

ForbesBad news from Microsoft for millions of Windows users – you are now at riskBy Zak Doffman

That said, my advice is to continue to use the fully encrypted WhatsApp over RCS for any cross-platform messaging, at least until such time as RCS adds its own full encryption between iPhones and Androids. Once you step outside the walled gardens of Apple or Google, this security protection falls away. With many good secured platforms now readily available, it is not worth taking the risk. The need for complete security has never been greater given the ongoing cyber threat landscape.

There are also other fully encrypted platforms – notably Signal, the best of the bunch, albeit with a much smaller install base. Even Facebook Messenger now fully encrypts messages, making standard SMS/RCS messages even more deviant. Signal and WhatsApp also enable fully encrypted voice and video calls across platforms, so they should also be your default choices given this FBI/CISA warning.

Ironically, Apple’s iOS 18.2, due out this month, will allow iPhone users to change the default messenger on their devices from iMessage. Timing really is everything.