It’s rare that a piece of FBI advise prompts a Snopes fact check. But the agency’s urgent message to Americans this month, commonly characterized as “stop texting,” stunned many customers.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about vulnerabilities in text messaging systems used by millions of Americans on a daily basis.
The US believes hackers affiliated with China’s government, dubbed Salt Typhoon, are waging a “broad and significant cyber-espionage campaign” to infiltrate commercial telecoms and steal users’ data, as well as record phone calls in isolated cases, according to a senior FBI official who spoke to reporters on condition of anonymity during a Dec. 3 briefing call.
The new advise may have startled customers, but not security experts.
“People have been talking about things like this for years in the computer security community,” Jason Hong, a professor at Carnegie Mellon University’s School of Computer Science, told NPR. “You should not rely on these kinds of unencrypted communications because of this exact reason: There could be snoopers in lots of infrastructure.”
So what should you do to keep your messages private?
“Encryption is your friend” for text messages and phone calls, said Jeff Greene, CISA’s executive assistant director for cybersecurity, during the briefing call. “Even if the adversary is able to intercept the data, encryption makes detection impossible, if not extremely difficult. So, our advise is to avoid utilizing plain text.
Full end-to-end encryption allows only the sender and recipient of a message to decipher it, not anyone else, including the company. It has been the default on WhatsApp since 2016. Along with the promise of increased security, it renders businesses “warrant-proof” against surveillance attempts.
The good news for Apple users is that iMessage and FaceTime are already end-to-end encrypted, says Hong. Encryption is accessible in Google Messages for Android phones if both the sender and the recipient have enabled it.
However, messages sent between iPhones and Android phones are less secure. According to Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), using an end-to-end encrypted software like Signal or WhatsApp is the most effective approach to prevent prying on your messages. “Your communications are end-to-end encrypted every single time,” she explains.
Another risk, according to Galperin, is that a hacker who has obtained your website ID and password can intercept a one-time passcode used in two-factor authentication (2FA) by monitoring your text messages.
“This is a really serious security risk,” Galperin warns. She recommends receiving 2FA notifications via an app such as Google Authenticator or Authy, or using a physical security key to authenticate access.
The FBI and CISA also advise people to configure their phones to automatically update operating systems.
“Most compromises of systems do not involve taking advantage of vulnerabilities that no one else knows about,” according to Galperin, and “often, the maker of the product has in fact figured out what the vulnerability is, fixed it and pushed out a patch in the form of a security update.”
How at risk are you?
You should be aware of your own “threat model” – a fundamental idea in computer security.
Hong thinks it comes down to three questions: What exactly are you trying to protect? How essential is it to you? And what precautions should you take to protect it?
If the most precious objects on your phone are family photos, he believes you shouldn’t be concerned about foreign hackers targeting you. What if you occasionally text about national or corporate secrets, or politically sensitive information?
“If you are in business, if you are a journalist, if you are somebody in contact with democracy protesters in Hong Kong or Shenzhen or Tibet, then you might want to assume that your phone calls and text messages are not safe from the Chinese government,” Galperin, who represents the EFF, adds.
Bad actors, such as cybercriminals, may have varied goals, Hong adds, “but if you just do a few relatively simple things, you can actually protect yourself from the vast majority of those kinds of threats.”
What are the hackers doing?
The FBI and CISA issued the alert two months after The Wall Street Journal reported that hackers linked to the Chinese government had breached systems that allow US law enforcement agencies to conduct electronic surveillance operations under the Communications Assistance for Law Enforcement Act (CALEA).
“These are for legitimate wiretaps that have been authorized by the courts,” Hong tells me. However, in the hands of hackers, he claims that the technologies may be used “to surveil communications and metadata for a large number of people.” And it appears that [the hackers’] primary aim is Washington, D.C.”
According to the FBI, the attack went far beyond the CALEA system, and the hackers continue to gain access to telecom networks. The United States has been working since late spring to assess the scope of their actions. This month, the Biden administration announced that at least eight telecommunications infrastructure businesses in the United States, and potentially more, had been compromised by Chinese hackers.
The FBI and CISA reported that the hackers stole a considerable amount of metadata. They stated that in far fewer occasions, the actual content of conversations and texts was targeted.
As agencies try to remove the hackers, the FBI urged Americans to adopt strong encryption — a shift from years of pushing on a “back door” for law enforcement to access communications, according to Galperin.
The agencies also urge corporations to improve their security policies and collaborate with the government to make their networks more difficult to penetrate.
“The adversaries we face are tenacious and sophisticated, and working together is the best way to ensure eviction,” the top FBI official stated during the press briefing.
Concerning the risk to common customers, security experts such as Hong and Galperin believe that with large volumes of information passing between our phones, people should receive more assistance in safeguarding themselves.
“I think it’s really incumbent on software developers and these companies to have much better privacy and security by default,” Hong points out. “That way you don’t need a Ph.D. to really understand all the options and to be secure.”
