FBI warns iPhone and Android users—Stop sending texts
Republished on December 6 as new cybersecurity regulations are proposed, and with further warnings following the FBI’s encrypted communications push.
Timing is everything. Just as Apple’s adoption of RCS had seemed to signal a return to text messaging versus the unstoppable growth of WhatsApp, then along comes a surprising new hurdle to stop that in its tracks. While messaging Android to Android or iPhone to iPhone is secure, messaging from one to the other is not.
Now even the FBI and CISA, the US cyber defense agency, are warning Americans to use responsibly encrypted messaging and phone calls where they can. The backdrop is the Chinese hacking of US networks that is reportedly “ongoing and likely larger in scale than previously understood.” Fully encrypted comms is the best defense against this compromise, and Americans are being urged to use that wherever possible.
The network cyberattacks, attributed to Salt Typhoon, a group associated with China’s Ministry of Public Security, have generated heightened concern as to the vulnerabilities within critical US communication networks. The reality is different. Without fully end-to-end encrypted messaging and calls, there has always been a potential for content to be intercepted. That’s the entire reason the likes of Apple, Google and Meta advise its use, highlighting the fact that even they can’t see content.
According to a senior FBI official, “within the investigative activity, especially one this significant and this large, the facts will evolve over time… The continued investigation into the PRC targeting commercial telecom infrastructure has revealed a broad and significant cyber espionage campaign.” This campaign, he warned, “identified that PRC affiliated cyber actors have compromised networks of multiple telecom companies to enable multiple activities,” confirming that “the FBI began investigating this activity in late spring and early summer of this year.”
The FBI official warned that citizens should be “using a cell phone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant MFA for email, social media and collaboration tool accounts.”
As reported by Politico, CISA’s Jeff Greene added to this, “strongly urging Americans to ‘use your encrypted communications where you have it… we definitely need to do that, kind of look at what it means long-term, how we secure our networks’.”
If any good has come from this viral storm, it’s the light now shining on the lack of security across SMS and basic RCS messaging. That millions of users are now better informed as to the risks such that they can make informed decisions is welcome.
ESET’s Jake Moore says “it is well documented that SMS messages are not encrypted and any non encrypted forms of communication can be surveilled by law enforcement or anyone with the right tools, knowledge and software due to the concept of SS7.”
In terms of what is known about the Salt Typhoon attacks thus far, while the FBI official warned that widespread call and text metadata was stolen in the attack, expansive call and text content was not. But “the actors compromised private communications of a limited number of individuals who are primarily involved in the government or political activities. This would have contained call and text contents.”
The mobile standard setter, GSMA, and Google have said encryption will be coming to RCS, but there’s no firm date yet. That assurance seemed a response to the backlash post Apple’s update with the media pickup on the security issue. Apple, whose iPhone ecosystem includes ever more full encryption, has not commented.
There is an ironic twist to these warnings. As PC Mag commented, “this push to use end-to-end encryption is ironic since the FBI has long complained that the same technology can stymie their investigations into seized smartphones and online accounts belonging to criminal suspects.”
According to additional Reuters reporting, “US Federal Communications Commission Chairwoman Jessica Rosenworcel is proposing that communications service providers be required to submit an annual certification attesting that they have a plan in place to protect against cyberattacks, the agency said in a statement on Thursday. The proposal is in part in response to efforts by an allegedly Beijing-sponsored group of hackers, dubbed ‘Salt Typhoon,’ to burrow deep into American telecommunications companies to steal data about US calls.”
Meanwhile, CISA has assured that an independent review of the Chinese hacking campaign will begin in short order. Per The Record, a review board “will launch its investigation of an unprecedented Chinese hack of global telecommunications systems later this week, the head of the Cybersecurity and Infrastructure Security Agency said on Wednesday. Speaking to reporters after a classified briefing for all senators on Wednesday about the breach by the state-sponsored group known as Salt Typhoon, CISA Director Jen Easterly said the first meeting of the Cyber Safety Review Board (CSRB) focused on the ongoing breach will take place on Friday.”
Easterly told the media “we wanted to make sure that we had a good understanding of what was happening, in terms of the scope and scale, and, quite frankly, most of the agencies who would be involved in the Cyber Safety Review Board are still involved in the incident response… We wanted to make sure we did it before the holidays, so we could start writing out how we think about the problem, and then ultimately, what are the key recommendations that we need to bring forward to enable us to strengthen the security of the telco networks going forward.”
Ahead of any recommendations being made, the FBI’s precise wording is critical, with its emphasis on responsible encryption that has been mostly overlooked in reports. Responsible in this context means providing access to user data through lawful requests, including—potentially—content. While this may come across as a subtlety, it is anything but. This rules out many of the largest, best known messaging platforms, such as WhatsApp and Signal, as they cannot provide access to any content absent an endpoint (device) compromise, accessing the data at one end of the end-to-end encryption.
One can expect recommendations to linger on the right balance between full encryption to protect contents from network vulnerabilities and lawful access. That risks revisiting the debate between big tech and lawmakers around how to breach the encryption enclave without fatally weakening it. It will be heavily resisted, albeit there is a lack of clarity as to which way the new Trump administration will swing on this.
With ironic timing, Europe’s so-called chat control is back on the table this week. This seeks to solve the unsolvable problem of pushing big tech to monitor content on their platforms for child sexual abuse material (CSAM) in the first instance, albeit once that is enabled, the fears are that other content can be screened as well.
Privacy experts have railed heavily against this political campaign and European lawmakers and regulators are divided on the issue. Should Europe manage to fuel a coalition with enough power to drive this into some form of policy setting, and the US jump onboard post Salt Typhoon with an “end-to-end encrypted, kind of” approach, we will be set for an almighty battle through 2025 and beyond.
Notwithstanding that, my advice remains to use the fully encrypted WhatsApp over RCS for any cross-platform messaging, at least until such a time as RCS adds its own full encryption between iPhones and Androids. Once you step outside Apple’s or Google’s walled gardens, these security protections fall away. With many good secured platforms now readily available, it’s not worth taking the risk. The need for full security has never been greater given the ongoing cyber threat landscape.
ESET’s Moore cautions that “it is important to treat any non privacy focused messaging platform with care and they should not be used for private communication or to transfer sensitive data. Encrypted channels offer privacy and security but although Meta-owned WhatsApp may not be everyone’s choice, at least it offers end-to-end encryption as standard. There are lots of other options such as Signal and iMessage but it’s about choices and understanding what level of security is right for individuals.”
There are other fully encrypted platforms as well—notably Signal, the best of the bunch, albeit with a much smaller install base. Even Facebook Messenger now fully encrypts messaging, making standard SMS/RCS texting even more an outlier. Signal and WhatsApp also enable fully encrypted voice and video calls cross platform, and so they should also be your default choices given this FBI/CISA warning.
Moore, a former police forensics expert, describes end-to-end encryption as “more than a fundamental right—it is a vital necessity for all communication tools and any messaging service that is not secured with this layer of protection must be treated with caution.” Perhaps now such messaging will be seen differently by its users.
Ironically, Apple’s iOS 18.2, due this month, will enable iPhone users to change the default messenger on their devices from iMessage. Timing really is everything.
Credit: Zak Doffman/Forbes