It's not often that a piece of FBI advice triggers a Snopes fact check. But the agency's urgent message this month to Americans, often summarized as "stop texting," surprised many consumers.
The warning from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) highlighted vulnerabilities in text messaging systems that millions of Americans use every day.
The U.S. believes hackers affiliated with China's government, dubbed Salt Typhoon, are waging a "broad and significant cyber-espionage campaign" to infiltrate commercial telecoms and steal users' data — and in isolated cases, to record phone calls, a senior FBI official who spoke to reporters on condition of anonymity said during a Dec. 3 briefing call.
The new guidance may have surprised consumers — but not security experts.
"People have been talking about things like this for years in the computer security community," Jason Hong, a professor at Carnegie Mellon University's School of Computer Science, told NPR. "You should not rely on these kinds of unencrypted communications because of this exact reason: There could be snoopers in lots of infrastructure."
So what should you do to keep your messages private?
"Encryption is your friend" for texts and phone calls, Jeff Greene, CISA's executive assistant director for cybersecurity, said on the briefing call. "Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible, if not really hard, for them to detect it. So our advice is to try to avoid using plain text."
In full end-to-end encryption, tech companies make a message decipherable only by its sender and receiver — not by anyone else, including the company. It has been the default on WhatsApp, for instance, since 2016. Along with a promise of greater security, it makes companies "warrant-proof" from surveillance efforts.
The good news for people who use Apple phones is that iMessage and FaceTime are also already end-to-end encrypted, says Hong. For Android phones, encryption is available in Google Messages if the senders and recipients all have the feature turned on.
But messages sent between iPhones and Android phones are less secure. The simplest way to ensure your messages are safe from snooping is to use an end-to-end encrypted app like Signal or WhatsApp, says Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF). With these apps, "your communications are end-to-end encrypted every single time," she says.
Galperin highlights another danger: A hacker who has managed to get your ID and password for a website can monitor your text messages to intercept a one-time passcode that's used in two-factor authentication (2FA).
"This is a really serious security risk," Galperin says. She recommends getting 2FA messages through an app like Google Authenticator or Authy or by using a physical security key to verify access.
The FBI and CISA also advise users to set their phones to update operating systems automatically.
"Most compromises of systems do not involve taking advantage of vulnerabilities that no one else knows about," Galperin says, adding that "often, the maker of the product has in fact figured out what the vulnerability is, fixed it and pushed out a patch in the form of a security update."
How at risk are you?
You should be aware of your own "threat model" — a core concept in computer security.
Hong says it boils down to three questions: What are you trying to protect? How important is it to you? And what steps do you need to take to protect it?
If the most valuable items on your phone are family photos, he says, you probably shouldn't worry about foreign hackers targeting you. But what if you occasionally text about national or corporate secrets or politically sensitive data?
"If you are in business, if you are a journalist, if you are somebody in contact with democracy protesters in Hong Kong or Shenzhen or Tibet, then you might want to assume that your phone calls and text messages are not safe from the Chinese government," Galperin of the EFF says.
Bad actors such as cybercriminals might have different objectives, Hong says, "but if you just do a few relatively simple things, you can actually protect yourself from the vast majority of those kinds of threats."
What are the hackers doing?
The FBI and CISA raised the alarm two months after The Wall Street Journal reported that hackers linked to the Chinese government have broken into systems that enable U.S. law enforcement agencies to conduct electronic surveillance operations under the Communications Assistance for Law Enforcement Act (CALEA).
"These are for legitimate wiretaps that have been authorized by the courts," Hong says. But in hackers' hands, he says, the tools could potentially be used "to surveil communications and metadata for lots of people. And it seems like the [hackers'] focus is primarily Washington, D.C."
The FBI says that the attack was far broader than the CALEA system and that the hackers are still accessing telecom networks. The U.S. has been working since late spring to determine the extent of their activities. This month, the Biden administration said at least eight telecommunications infrastructure companies in the U.S., and possibly more, had been broken into by Chinese hackers.
The hackers stole a large amount of metadata, the FBI and CISA said. In far fewer cases, they said, the actual content of calls and texts was targeted.
As agencies work to oust the hackers, the FBI called for Americans to embrace tight encryption — an about-face, Galperin says, after years of insisting that law enforcement agencies need a "back door" to access communications.
The agencies also want companies to bolster their security practices and work with the government to make their networks harder to compromise.
"The adversaries we face are tenacious and sophisticated, and working together is the best way to ensure eviction," the senior FBI official said during the news briefing.
As for the risk to everyday consumers, security experts like Hong and Galperin say that with vast amounts of information traveling between our phones, they want to see people get more help in protecting themselves.
"I think it's really incumbent on software developers and these companies to have much better privacy and security by default," Hong says. "That way you don't need a Ph.D. to really understand all the options and to be secure."
Copyright 2024 NPR