FBI Advises iPhone and Android Users—Cease Sending Text Messages  

 



  • FBI and CISA warn US citizens to use encryption for messaging and phone calls amid concerns over a large-scale Chinese cyber espionage campaign targeting US telecommunications networks.

  • The ongoing cyberattacks, attributed to the Chinese group Salt Typhoon, have exposed vulnerabilities, with metadata stolen from calls and texts, although extensive content interception remains limited to certain government-related individuals.

  • Encrypted communication through platforms like WhatsApp and Signal is recommended, particularly for cross-platform messaging, as the absence of end-to-end encryption in RCS (the successor to SMS) poses a significant security risk.

Published on December 5 with additional insights from the FBI and reports regarding US political pressure in light of the extensive nature of these Chinese cyberattacks.

Timing is crucial. Just as Apple’s adoption of RCS appeared to indicate a resurgence in text messaging against the relentless rise of WhatsApp, a new unforeseen challenge emerges to impede that momentum.  
While messaging from Android to Android or from iPhone to iPhone is secure, communication across platforms does not possess the same level of protection.  
This is set against the backdrop of ongoing Chinese intrusions into US networks, which are reportedly “ongoing and likely more extensive than previously acknowledged.”  
Fully encrypted communications represent the most effective defense against this threat, and Americans are encouraged to implement such measures whenever feasible.

The cyberattacks on telecom networks, attributed to Salt Typhoon, a group linked to China’s Ministry of Public Security, have raised significant concerns regarding vulnerabilities within critical US communication systems.  
The situation is starkly different.  
In the absence of fully end-to-end encrypted messaging and calls, the risk of content interception persists.  
This necessity underpins the advisories from companies like Apple, Google, and Meta, emphasizing that even they cannot access content.

According to a senior FBI official, “within the context of this investigative activity, particularly one of such magnitude, the facts will evolve over time… The ongoing investigation into the PRC's targeting of commercial telecom infrastructure has unveiled a comprehensive and significant cyber espionage initiative.”  
This campaign has revealed that “PRC-affiliated cyber actors have compromised the networks of multiple telecom companies to facilitate various activities,” confirming that “the FBI commenced investigations into this activity in late spring and early summer of this year.”  
The FBI official urged citizens to “utilize a cell phone that automatically receives timely operating system updates, responsibly managed encryption, and phishing-resistant multi-factor authentication for email, social media, and collaboration tool accounts.”  
However, it was noted that “the actors compromised the private communications of a limited number of individuals primarily involved in government or political activities, which would have included the content of calls and texts.”

The magnitude of the hacking campaign and its repercussions for US critical infrastructure and network security have generated a considerable political uproar.  
As reported by Reuters, “US government agencies held a classified briefing for all senators on Wednesday regarding China's alleged efforts, referred to as Salt Typhoon, to penetrate American telecommunications companies and extract data.”  
Following this briefing, “US senators pledged action.”  
Reuters also indicated that “a Senate Commerce subcommittee will convene a hearing on December 11 to discuss Salt Typhoon and assess how ‘security threats pose risks to our communications networks and to review best practices.’”  
Concerns are mounting about the extent and implications of the reported Chinese hacking of US telecommunications networks, with questions arising over when companies and the government will provide assurance to Americans regarding this issue.

During Tuesday’s initial media briefing, CISA’s Greene reportedly recommended that “Americans should utilize encrypted applications for all their communications.”  
This implies a cessation of text messaging from iPhone to Android, although iMessages and Google Messages remain fully encrypted while confined to their respective platforms.  

Greene further suggested that “our recommendation, which we have communicated internally, is not novel: encryption is advantageous, whether for text messaging or encrypted voice communication. Even if adversaries manage to intercept the data, encryption renders it indecipherable.”  
An alert regarding the ongoing telecommunications network hacks, jointly issued by the FBI, CISA, NSA, and other Five Eyes agencies, was released on Tuesday.

The absence of end-to-end encryption for cross-platform RCS, the successor to SMS, stands out as a significant oversight.  
This was emphasized in Samsung’s recent press release celebrating RCS’s success, which acknowledged that security is assured only for Android to Android messaging.  
It is particularly ironic that while Google and Apple advise their users to depend on end-to-end encryption, RCS currently lacks this feature, with no timeline established for a remedy.

The mobile standard setter, GSMA, along with Google, has asserted that encryption will be integrated into RCS, but no specific date has been announced.  

There is a notable irony to these warnings.  
As PC Mag observed, “the push for the use of end-to-end encryption is ironic because the FBI has consistently argued that this very technology can complicate their investigations of seized smartphones and online accounts belonging to criminal suspects.”  
In light of this, the FBI’s precise language becomes crucial: it called for “responsibly managed” encryption, a qualifier that has often been overlooked in reports.  
In this context, responsible means facilitating access to user data through lawful requests, potentially including content.  
Although this may appear to be a nuanced distinction, it is indeed significant.  
Once users step outside the confines of Apple’s or Google’s secure environments, these protective measures diminish.  
With many robust secure platforms readily accessible, the risk is not worth taking.  
The necessity for comprehensive security has never been more pressing, given the prevailing cyber threat landscape.

Other fully encrypted platforms also exist—notably Signal, regarded as the most effective, though with a smaller user base.  
Even Facebook Messenger now offers full encryption for messaging, rendering standard SMS/RCS texting even more anomalous.

Ironically, Apple’s upcoming iOS 18.2, expected this month, will allow iPhone users to select a different default messaging application on their devices.