ADVERTISEMENT
NEWS EXPRESS is Nigeria’s leading online newspaper. Published by Africa’s international award-winning journalist, Mr. Isaac Umunna, NEWS EXPRESS is Nigeria’s first truly professional online daily newspaper. It is published from Lagos, Nigeria’s economic and media hub, and has a provision for occasional special print editions. Thanks to our vast network of sources and dedicated team of professional journalists and contributors spread across Nigeria and overseas, NEWS EXPRESS has become synonymous with newsbreaks and exclusive stories from around the world.
Timing is everything. Just as Apple’s adoption of RCS had seemed to signal a return to text messaging versus the unstoppable growth of WhatsApp, then along comes a surprising new hurdle to stop that in its tracks. While messaging Android to Android or iPhone to iPhone is secure, messaging from one to the other is not.
Now, even the FBI and CISA, and the US cyber defense agency are warning Americans to use responsibly encrypted messaging and phone calls where they can. The backdrop is the Chinese hacking of US networks that is reportedly “ongoing and likely larger in scale than previously understood.” Fully encrypted comms is the best defense against this compromise, and Americans are being urged to use that wherever possible.
The network cyberattacks, attributed to Salt Typhoon, a group associated with China’s Ministry of Public Security, has generated heightened concern as to the vulnerabilities within critical US communication networks. The reality is different. Without fully end-to-end encrypted messaging and calls, there has always been a potential for content to be intercepted. That’s the entire reason the likes of Apple, Google and Meta advise its use, highlighting the fact that even they can’t see content.
According to a senior FBI official, “within the investigative activity, especially one this significant and this large, the facts will evolve over time… The continued investigation into the PRC targeting commercial telecom infrastructure has revealed a broad and significant cyber espionage campaign.” This campaign, he warned, “identified that PRC affiliated cyber actors have compromised networks of multiple telecom companies to enable multiple activities,” confirming that “the FBI began investigating this activity in late spring and early summer of this year.”
The FBI official warned that citizens should be “using a cell phone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant MFA for email, social media and collaboration tool accounts.”
As reported by Politico, CISA’s Jeff Greene added to this, “strongly urging Americans to ‘use your encrypted communications where you have it… we definitely need to do that, kind of look at what it means long-term, how we secure our networks’.”
If any good has come from this viral storm, it’s the light now shining on the lack of security across SMS and basic RCS messaging. That millions of users are now better informed as to the risks such that they can make informed decisions is welcome.
ESET’s Jake Moore says “it is well documented that SMS messages are not encrypted and any non-encrypted forms of communication can be surveilled by law enforcement or anyone with the right tools, knowledge and software due to the concept of SS7.”
In terms of what is known about the Salt Typhoon attacks thus far, while the FBI official warned that widespread call and text metadata was stolen in the attack, expansive call and text content was not. But “the actors compromised private communications of a limited number of individuals who are primarily involved in the government or political activities. This would have contained call and text contents.”
The scale of the hacking campaign and the implications for US critical infrastructure and the security of its networks has created an unsurprising political storm. As reported by Reuters, “US government agencies held a classified briefing for all senators on Wednesday on China's alleged efforts known as Salt Typhoon to burrow deep into American telecommunications companies and steal data about U.S. calls.” Following the briefing, “US senators vow[ed] action.”
Reuters also reported that “a Senate Commerce subcommittee will hold a December 11 hearing on Salt Typhoon and how ‘security threats pose risks to our communications networks, and review best practices” There is growing concern about the size and scope of the reported Chinese hacking into U.S. telecommunications networks and questions about when companies and the government can assure Americans over the matter.”
During Tuesday’s original media briefing, CISA’s Greene reportedly suggested “that Americans should use encrypted apps for all their communications,” (1,2). That means stop sending texts iPhone to Android, albeit iMessages and Google Messages are fully encrypted while on those platforms.
Greene added that “our suggestion, what we have told folks internally, is not new here: encryption is your friend, whether it's on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible.”
An alert into the ongoing telco network hacks jointly issued by FBI, CISA and NSA—as well as other Five Eyes agencies—was released on Tuesday.
The lack of end-to-end encryption to protect cross-platform RCS, the successor to SMS, is a glaring omission. It was highlighted in Samsung’s recent celebratory PR release on the success of RCS, which included the caveat that only Android to Android messaging is secured. It remains a stark irony that while Google and Apple separately advise Android and iPhone users to rely on end-to-end encryption, when it comes to RCS it’s still missing, with no timeline in sight for a fix.
The mobile standard setter, GSMA, and Google have said encryption will be coming to RCS, but there’s no firm date yet. That assurance seemed a response to the backlash post Apple’s update with the media pickup on the security issue. Apple—whose iPhone ecosystem includes ever more fully encryption, has not commented.
There is an ironic twist to these warnings. As PC Mag commented, “this push to use end-to-end encryption is ironic since the FBI has long complained that the same technology can stymie their investigations into seized smartphones and online accounts belonging to criminal suspects.”
According to additional Reuters reporting, “US Federal Communications Commission Chairwoman Jessica Rosenworcel is proposing that communications service providers be required to submit an annual certification attesting that they have a plan in place to protect against cyberattacks, the agency said in a statement on Thursday. The proposal is in part in response to efforts by an allegedly Beijing-sponsored group of hackers, dubbed ‘Salt Typhoon,’ to burrow deep into American telecommunications companies to steal data about US calls.”
Meanwhile, CISA has assured that an independent review of the Chinese hacking campaign will begin in short order. Per The Record, a review board “will launch its investigation of an unprecedented Chinese hack of global telecommunications systems later this week, the head of the Cybersecurity and Infrastructure Security Agency said on Wednesday. Speaking to reporters after a classified briefing for all senators on Wednesday about the breach by the state-sponsored group known as Salt Typhoon, CISA Director Jen Easterly said the first meeting of the Cyber Safety Review Board (CSRB) focused on the ongoing breach will take place on Friday.”
Easterly told the media “we wanted to make sure that we had a good understanding of what was happening, in terms of the scope and scale, and, quite frankly, most of the agencies who would be involved in the Cyber Safety Review Board are still involved in the incident response… We wanted to make sure we did it before the holidays, so we could start writing out how we think about the problem, and then ultimately, what are the key recommendations that we need to bring forward to enable us to strengthen the security of the telco networks going forward.”
Ahead of any recommendations being made, the FBI’s precise wording is critical, with its emphasis on responsible encryption that has been mostly overlooked in reports. Responsible in this context means providing access to user data through lawful requests, including—potentially—content. While this may come across as a subtlety, it is anything but. This rules out many of the the largest, best known messaging platforms—such as WhatsApp and Signal, as they cannot provide access to any content absent an endpoint (device) compromise, accessing the data at one end of the end-to-end encryption.
One can expect recommendations to linger on the right balance between full encryption to protect contents from network vulnerabilities and lawful access. That risks revisiting the debate between big tech and lawmakers around how to breach the encryption enclave without fatally weakening it. It will be heavily resisted, albeit there is a lack of clarity as to which way ther new Trump administration will swing on this.
With ironic timing, Europe’s so-called chat control is back on the table this week. This seeks to solve the unsolvable problem of pushing big tech to monitor content on their platforms for child sexual abuse material (CSAM) in the first instance, albeit once that is enabled, the fears are that other content can be screened as well.
Privacy experts have railed heavily against this political campaign and European lawmakers and regulators are divided on the issue. Should Europe manage to fuel a collation with enough power to drive this into some form of policy setting, and the US jump onboard post Salt Typhoon with an “end-to-end encrypted, kind of” approach, we will be set for an almighty battle through 2025 and beyond.
Notwithstanding that, my advice remains to use the fully encrypted WhatsApp over RCS for any cross-platform messaging, at least until such a time as RCS adds its own full encryption between iPhones and Androids. Once you step outside Apple’s or Google’s walled gardens, this security protections falls away. With many good secured platforms now readily available, it’s not worth taking the risk. The need for full security has never been greater given the ongoing cyber threat landscape.
ESET’s Moore cautions that “it is important to treat any non privacy focused messaging platform with care and they should not be used for private communication or to transfer sensitive data. Encrypted channels offer privacy and security but although Meta-owned WhatsApp may not be everyone’s choice, at least it offers end-to-end encryption as standard. There are lots of other options such as Signal and iMessage but it’s about choices and understanding what level of security is right for individuals.”
There are other fully encrypted platforms as well – notably Signal, the best of the bunch, albeit with a much smaller install base. Even Facebook Messenger now fully encrypts messaging, making standard SMS/RCS texting even more an outlier. Signal and WhatsApp also enable fully encrypted voice and video calls cross platform, and so they should also be your default choices given this FBI/CISA warning. (Zak Doffman/Forbes, excluding ehadline)
