Last week, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) recommended that all Americans start using encrypted messaging apps such as Signal, WhatsApp, or Facebook Messenger instead of text messaging. The warning comes after the Chinese government-linked hacking group Salt Typhoon breached “dozens” of telecom systems globally.
Salt Typhoon is also known as UNC2286 (Mandiant), GhostEmperor (Kaspersky Labs), and FamousSparrow (ESET).
The FBI issued a direct message to all iPhone and Android users that fully encrypted communications are the best line of defense, adding:
“Use a cell phone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant MFA for email, social media and collaboration tool accounts.”
Jeff Greene of CISA urged Americans, “Use your encrypted communications where you have it.”
White House: Chinese actors still persist on U.S. telecom providers
Initially, experts believed that Salt Typhoon breached U.S. telecom providers, including Verizon, AT&T, and T-Mobile, for “months, maybe longer.”
Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger provided an update from the White House last week on the extent of the breach.
“Right now, we do not believe any have fully removed the Chinese actors from these networks. So the risk of — there is a risk of ongoing compromises to communications,” Neuberger stated.
She continued, “Until U.S. companies address the cybersecurity gaps, the Chinese are likely to maintain their access.”
What data Salt Typhoon is accessing in telecom hacks
FBI and CISA investigators looking into the telecom hacks believe that Salt Typhoon is obtaining data in three categories:
- Bulk metadata of customers or subscribers to affected U.S. telecom and broadband providers
- A smaller group of individuals whose texts and audio calls were successfully intercepted, most likely people of significance or with U.S. political ties, such as members of the Biden, Harris, and Trump inner circles (separate from similar Iranian-tied hacks of the U.S. election campaigns for Trump, Biden, and Harris)
- Data accessible under authorized legal investigations of individuals per U.S. legal court orders using portals provided by telecom and internet service providers
Neither the amount of data accessed nor the number of users affected has been publicly released. However, it’s assumed the Chinese are still lurking within the providers.
China continues to deny any involvement in the hacks.
Why you need to switch to encrypted messaging apps now
The update is startling for many Americans and poses serious national security risks.
While many Americans may feel that they are not at risk or of interest to the Chinese government, your data, and therefore your text messages, hold significant value.
For example, unencrypted text messages can contain sensitive, personally identifiable information and multifactor or two-factor authentication requests daily. SIM swapping and hijacking attacks would make it easy for hackers to infiltrate your digital identities and cause further harm.
For now, experts believe this is part of a wide-scale intelligence operation by the Chinese government. But there’s no telling what this may evolve into or how your data may be potentially exploited.
Encrypted messaging apps: Signal, WhatsApp, Facebook Messenger recommended
For Americans, switching to encrypted messaging platforms will most likely consist of three options: Signal, WhatsApp, and Messenger (formerly Facebook Messenger).
All three platforms, by default, provide end-to-end encrypted messaging and voice (with important caveats for Messenger; see below). That means that messages and calls can only be seen or heard by you and the person you send them to, and no one else.
While others exist, such as Telegram, we’re leaving them off the list as they have a dubious history and cryptographic support. By default, Telegram also doesn’t enable end-to-end encrypted messaging.
Signal
Signal (formerly TextSecure) is the best choice, as it is a nonprofit with zero ads, tracking, or surveillance. Signal is also open source and hosts its code repositories and protocols on GitHub. Signal is used by millions globally and has, for example, been vital to untold humanitarian assistance efforts in crises by providing invaluable encrypted communications.
Signal is also the creator of the Signal protocol (formerly TextSecure protocol) used by WhatsApp, Facebook Messenger, and Google Messages RCS chats.
In recent years, Signal has introduced disappearing messages, stories, and usernames.
WhatsApp and Facebook Messenger
WhatsApp and Messenger are end-to-end encrypted platforms that support messaging and voice and are owned by Meta (formerly Facebook). While Meta is unable to read or listen to your encrypted communications on WhatsApp, Messenger carries disclaimers for cases where messaging is not encrypted, such as group chats and broadcast channels.
Both WhatsApp and Messenger use the Signal protocol, but their ownership by Meta, along with Meta’s advertising platforms, leaves many uneasy about using them with confidence.
Some of that concern is justified.
Messenger’s privacy and safety documentation portal contains significant nuance about where the app doesn’t provide privacy or encrypted chat. It is far too easy for a typical user to get confused, especially as Messenger is embedded within numerous parts of the Facebook platform, such as Pages, Marketplace, and Chat.
Of the two platforms, we’d recommend WhatsApp over Messenger. Still, be aware that WhatsApp Channels are public and therefore do not guarantee privacy.
Disclaimer on cryptographic software
Finally, it’s important to recognize that end-to-end encrypted platforms are considered cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country of encryption software.
Before using any cryptographic software, check the laws and regulations in your country of residence. If you intend to travel internationally, be hyper-aware of applications and devices that may contain software that could be illegal.