He called on Americans to use encryption. attack given
NurPhoto (from Getty Images)
New cybersecurity regulations were proposed and republished on Dec. 6 with further warnings following the FBI’s push to encrypt communications.
Timing is everything. Apple’s adoption of RCS seemed to signal a return to text messaging for WhatsApp’s unstoppable growth, but then a surprising new hurdle stood in its way. Sending messages from Android to Android or iPhone to iPhone is safe, but sending messages from one to the other is not.
Now, even the FBI and the US cyber defense agency CISA are warning Americans to use encrypted messaging and phone calls responsibly when possible. The background is that China’s hacking of U.S. networks is “ongoing and may be larger than previously understood.” Fully encrypted communications are the best defense against this breach, and Americans are urged to use encrypted communications whenever possible.
Network cyberattacks by Salt Typhoon, a group affiliated with China’s Ministry of Public Security, have raised concerns about the vulnerability of critical communications networks in the United States. The reality is different. Without fully end-to-end encrypted messaging and calls, there is always the possibility that your content could be intercepted. This is the whole reason why Apple, Google, Meta, etc. recommend its use, highlighting the fact that even they can’t see the content.
According to a senior FBI official, “In any investigative operation, especially one as significant and large-scale as this, the facts will change over time. Significant cyber espionage activity revealed He said the campaign had “identified Chinese-linked cyber actors compromising the networks of multiple telecommunications companies to enable multiple activities,” and that “the FBI has been conducting this campaign since late spring and early summer of this year. “We have begun an investigation into the activities.”
FBI officials said the public will “receive timely and automatic operating system updates, responsibly managed encryption and phishing-resistant MFA for email, social media, and collaboration tool accounts.” “Use a mobile phone equipped with
As reported by Politico, CISA’s Jeff Green added, “We definitely need to encourage Americans to use encrypted communications where they can. We need to consider what this means in the long term and how we protect our networks.”
If anything good has come out of this virus storm, it’s that it has shined a light on the overall lack of security in SMS and basic RCS messaging. We welcome the fact that millions of users are now well-informed about the risks and are able to make informed decisions.
ESET’s Jake Moore said: “It is well documented that SMS messages are not encrypted, and the SS7 concept ensures that unencrypted forms of communication are accessible to law enforcement, appropriate tools, knowledge and It could be monitored by someone with software.”
As for what we know so far about the Salt Typhoon attack, FBI officials have warned that the attack stole extensive call and text metadata, but not extensive call and text content. did. However, “the attackers compromised the private communications of a limited number of individuals, primarily involved in government and political activities. This would have included the content of their phone calls and text messages.” .”
The scale of the hacking operation and its impact on the security of America’s critical infrastructure and networks sparked a stunning political storm. As reported by Reuters, “A U.S. government agency on Wednesday called a full Senate panel on allegations that China, known as Salt Typhoon, is trying to penetrate deeply into U.S. telecommunications companies and steal data about U.S. phone calls. After the press conference, “U.S. senators vowed to take action.”
Reuters also reported that “The Senate Commerce Subcommittee will hold a hearing on Dec. 11 on Salt Typhoon and how ‘security threats pose a risk to our nation’s communications networks and consider best practices.’ We are planning to do so.” Concerns are growing about the scale and scope of the reported Chinese hacking. Questions about U.S. telecommunications networks and when companies and the government can assure Americans on this issue. ”
At his first media conference on Tuesday, CISA’s Green reportedly suggested that “Americans should use encrypted apps for all communications” (1,2). This means that iMessage and Google Messages will be fully encrypted on those platforms, but you’ll stop sending texts from your iPhone to your Android.
Greene added, “What we’re proposing, what we’ve been telling people internally, is nothing new here. If you have the ability to use encrypted voice communications, whether it’s text messaging. , encryption is your friend. Even if an enemy could intercept your data, they won’t be able to if it’s encrypted.”
A joint warning issued by the FBI, CISA, NSA, and other Five Eyes agencies regarding the ongoing hacking of communications networks was released on Tuesday.
The lack of end-to-end encryption to protect SMS’s successor, cross-platform RCS, is a glaring omission. This was highlighted in Samsung’s recent celebratory PR release about the success of RCS, which included the caveat that only Android-to-Android messaging is protected. It’s crazy how Google and Apple are separately advising Android and iPhone users to rely on end-to-end encryption, but RCS remains unsupported and there’s no plan for a fix. It’s ironic.
Mobile standards setters GSMA and Google have said encryption will be introduced to RCS, but there is no firm date yet. The assurance appeared to be a response to the backlash following Apple’s latest update regarding media coverage of security issues. Apple, which has more complete encryption than ever built into its iPhone ecosystem, had no comment.
There is an ironic twist to these warnings. As PC Mag commented, “The FBI has changed its use of end-to-end encryption after years of complaints that the same technology could impede investigations into seized smartphones and criminal suspects’ online accounts. This push is ironic.”
According to additional reporting from Reuters, “U.S. Federal Communications Commission Chairwoman Jessica Rosenworcel will require telecommunications service providers to submit annual certifications proving they have plans in place to protect against cyberattacks. We are proposing to make it mandatory,” the department said in a statement Thursday. The proposal is part of a response to efforts by a Chinese government-backed hacker group known as Salt Typhoon to penetrate deeply into U.S. telecommunications companies and steal data about U.S. phone calls. It is. ”
Meanwhile, CISA assured that an independent investigation into China’s hacking activities will be launched soon. The review board “will begin investigating China’s unprecedented hack of the world’s telecommunications systems later this week,” the head of the Cybersecurity and Infrastructure Security Agency said on Wednesday, according to The Record. Speaking to reporters after Wednesday’s confidential briefing for the full Senate on the breach by the state-sponsored group known as Salt Typhoon, CISA Director Jen Easterly told reporters that the cyber security crisis focused on the ongoing breach. He said the first meeting of the Safety Review Board (CSRB) will take time. The location is Friday. ”
“We wanted to make sure we had a good understanding of what was going on in terms of scope and scale, and quite frankly, the institutions that would be on the cyber safety review board,” Easterly told the media. Most of them are still there.” We’re involved in incident response…we wanted to make sure that was done before the holidays. Then you can start writing about how you think about the problem and, ultimately, strengthen the security of communication networks in the future. ”
Before any recommendations are made, it is important that the FBI accurately word its emphasis on responsible encryption, which has been largely overlooked in the report. Responsibility in this context means providing access to user data (potentially including content) through lawful requests. This may seem subtle, but it’s definitely not. This excludes many of the largest and most well-known messaging platforms, such as WhatsApp and Signal. These platforms access data at one end with end-to-end encryption, which does not provide access to content unless the endpoint (device) is compromised. .
We expect that recommendations will continue to be based on the right balance between full encryption and lawful access to protect content from network vulnerabilities. This risks reigniting debate between big tech companies and lawmakers over how to break through encryption without fatally weakening it. It’s unclear what direction the new Trump administration will take on this issue, but the bill is likely to be fiercely resisted.
In an ironic move, Europe’s so-called chat regulations are back on the agenda this week. It seeks to solve the unsolvable problem of forcing big tech companies to monitor child sexual abuse material (CSAM) content on their platforms, but once they can do so, other content There are concerns that they may be similarly monitored.
Privacy experts have slammed the political move, and European lawmakers and regulators are divided on the issue. Europe has succeeded in promoting matching strong enough to bring this into policy-making in some form, and the US has been able to use an “end-to-end encrypted, sort of” approach to salt typhoons. If we piggyback on this later, we will be ready for omnipotence. We’ll keep fighting until 2025 and beyond.
Nevertheless, my advice remains to use fully encrypted WhatsApp via RCS for cross-platform messaging, at least until RCS adds its own full encryption between iPhone and Android. yeah. Once you step outside of Apple or Google’s walled garden, this security protection is no longer in effect. With so many good and secure platforms readily available today, it’s not worth the risk. In light of ongoing cyber threats, the need for complete security has never been greater.
ESET’s Moore warns that “messaging platforms that are not privacy-focused should be treated with caution and should not be used for private communications or the transfer of sensitive data.” Encrypted channels offer privacy and security, but while Meta-owned WhatsApp may not be everyone’s choice, it at least offers end-to-end encryption as standard. There are many other options, such as Signal and iMessage, but the key is making a choice and understanding what level of security is right for you personally. ”
There are other fully encrypted platforms as well. Signal in particular is the best one, despite having a much smaller installed base. Even Facebook Messenger now fully encrypts messaging, making standard SMS/RCS text messages even more of an outlier. Signal and WhatsApp also enable cross-platform, fully encrypted voice and video calls, so given this FBI/CISA warning, these should also be your default choices.
Moore, a former police forensics expert, said end-to-end encryption is “more than a basic right, it’s an essential part of all communication tools, and any messaging that isn’t protected by this layer of protection is more than just a fundamental right. Services need to be treated with care.” ” Perhaps in the future such messages will be viewed differently by different users.
Ironically, Apple’s iOS 18.2, released this month, will allow iPhone users to change their device’s default messenger from iMessage. Timing really is everything.
