A major hacker attack on US phone companies means your text messages may not be secure

A major hacker attack on US phone companies means your text messages may not be secure

At least eight U.S. telecommunications companies and dozens of countries were affected this week by what a senior White House official described as a Chinese hacking campaign that also raised concerns about the security of text messages.

At a media briefing on Wednesday, U.S. Deputy National Security Adviser Anne Neuberger shared details about the extent of a wide-ranging hacking campaign that gave officials in Beijing access to private text messages and phone conversations of an unknown number of Americans.

A group of hackers called Salt Typhoon is blamed for the attack on companies, which reportedly included AT&T, Verizon and Lumen Technologies. White House officials warned that the number of telecommunications companies and countries affected could increase.

Canadian cybersecurity experts closely monitoring this latest breach say some industry practices and government regulations that allow intelligence agencies to access the telecommunications system are part of the problem. These experts and U.S. law enforcement agencies recommend people take steps to protect their text messages.

“The attack unfolding in the United States reflects historic and ongoing vulnerabilities in telecommunications networks around the world, and some of those vulnerabilities are being made worse by the government,” said Kate Robertson, a lawyer and senior researcher at the University of Toronto Citizen Lab, which studies digital threats to civil society.

Although the hack appears to have targeted American politicians and government officials, experts say that regular SMS text messages, like those offered by most cell phone providers, are not very secure because they are unencrypted.

“We are constantly bombarded with concerns about phishing and email scams and malicious links,” said security consultant Andrew Kirsch, a former intelligence officer with the Canadian Security Intelligence Service (CSIS).

“This sheds light on the fact that the other vulnerability lies in our telecommunications, our phone calls and text messages.”

A man with short brown hair and slightly gray stubble, wearing a dark blue balzer and a light blue shirt, looks into the camera.
Security consultant Andrew Kirsch, a former CSIS intelligence officer, says the US telecommunications hack shows that text messages are vulnerable to hackers. (Submitted by Andrew Kirsch)

Impact on Canadian businesses is still unknown

CBC News has reached out to the RCMP, the Canadian Center for Cyber ​​Security and CSIS to ask whether any of the cyberattacks affected Canadian users or communications companies, but have not yet received a response.

Earlier this week, the Canadian Center for Cyber ​​Security published a joint publication with the USA., Australia and New Zealand with security advice for companies such as mobile phone providers “Improved visibility and hardening of communications infrastructure.”

CBC News also contacted Canada’s largest wireless carriers – Bell, Rogers and Telus – and asked whether their networks had been attacked and breached in the same attack. Rogers and Telus did not respond before publication.

Bell said it was aware of a “sophisticated” attack in the United States and was working with government partners and other telecommunications companies “to identify potentially related security incidents on our networks.”

The telecommunications company says it has seen no evidence of an attack but continues to “investigate and maintain vigilance.”

A slim white woman with long brown hair wearing a gray short-sleeved dress stands with her arms crossed and looks at the camera.
Kate Robertson, a lawyer and senior researcher at the University of Toronto’s Citizen Lab, says the cyberattack on the US highlights the vulnerabilities in telecommunications networks around the world. (Submitted by Kate Robertson)

How these attacks come about

Robertson said these attacks were made possible in part because governments “prioritized the goal of surveillance over the security of the entire user network.”

She says security researchers have long warned that the legal “backdoors” governments use to monitor crime and espionage on landlines and cell phones could also be “exploited by unwelcome actors,” leaving entire networks of users unprotected.

Her Citizen Lab colleague Gary Miller, who specializes in threats to mobile networks, says that the connections between different companies and countries when it comes to communications networks represent another weakness.

For example, he said that making an international phone call from point A to point B requires interconnection between carriers, as does international roaming with cell phones.

“And the fact that these networks need to be opened up to ensure a seamless experience for the user actually creates specific vulnerabilities.”

He says that as networks have increased in speed and reliability, they have also become more secure, but points out that the security standards required by law for the telecommunications industry are not strict enough.

“There is no accountability for this type of security and incident,” he said. “And that’s what really needs to happen.”

A close-up of a hand holding a smartphone
Canadian security experts and FBI officials recommend using encrypted messaging apps for all text messages. (Sean Kilpatrick/The Canadian Press)

Concerns about the security of texts

As a result of this hack, concerns have arisen about the security of text messages.

The FBI has stated that Android and Apple device users can still send text messages to users who have the same devices because they have internally secure messaging systems.

However, the office warned against Apple users sending messages to Android users or vice versa, and instead encouraged users to send text messages through a third-party app that offers end-to-end encryption.

Robertson and Miller recommend people install these messaging apps – like Signal or Whatsapp – on their phones and use them constantly.

Robertson said Signal gives users access to “a gold standard form of encryption” that is very user-friendly, noting that “very similar things can be said about WhatsApp.”

Miller says he prefers Signal because it is a nonprofit, while WhatsApp is owned by Meta.

Kirsh says that people who use regular text messaging should never write messages that they wouldn’t “stick on a postcard and physically send” because “once you put that information out into the world, you lose control of it.”

A woman with long, dark hair and a dark blue suit stands behind a podium.
U.S. Deputy National Security Adviser Anne Neuberger, seen at a White House media briefing in March 2022, told reporters this week that the Chinese hackers had gained access to communications between senior U.S. government officials but did not believe they were confidential information had been compromised. (Patrick Semansky/The Associated Press)

A political goal and China’s power

In November, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement confirming the existence of a “broad and significant cyber espionage campaign” against the United States

Stephanie Carvin, an associate professor at Carleton University and a former national security analyst, said the hack shows how large and well-funded Chinese espionage operations against the West are.

“When you hear about an attack like this, there’s not a single target here,” Carvin told CBC News. “With this data, (China) can do a lot of very specific things in terms of targeting, but (it) can also develop general patterns that can support operations later.”

According to Neuberger, the deputy national security adviser, Salt Typhoon’s hackers were able to gain access to the communications of senior U.S. government officials. However, in a phone call with reporters, she said she did not believe confidential communications had been compromised.

Neuberger said all affected companies responded but had not yet blocked the hackers’ access to the networks.

“So there is a risk of continued compromises in communications until U.S. companies close cybersecurity gaps,” she said.

A spokesman for the Chinese embassy in Washington denied that the country was behind the hacking campaign.

“The US must stop its own cyberattacks against other countries and refrain from using cybersecurity to denigrate and slander China,” Liu Pengyu said.

Leave a Reply

Your email address will not be published. Required fields are marked *