A major hack of US phone companies means your text messages may not be secure

At least eight US telecommunications companies and dozens of countries have been affected this week by what a top White House official called a Chinese hacking campaign that has also raised concerns about the security of text messages.

At a media briefing Wednesday, U.S. Deputy National Security Adviser Anne Neuberger shared details of the breadth of a sweeping hacking campaign that gave officials in Beijing access to private texts and phone calls from an unknown number of Americans.

A group of hackers known as Salt Typhoon is being blamed for the attack targeting companies which reportedly included AT&T, Verizon and Lumen Technologies. White House officials warned that the number of affected telecommunications companies and countries could still grow.

Canadian cybersecurity experts who are paying close attention to this latest breach say some industry practices and government regulations that allow intelligence organizations access to the telecommunications system are part of the problem. These experts and US law enforcement officials recommend that people take steps to protect their text messages.

“The attack unfolding in the United States is a reflection of historic and ongoing vulnerabilities in telecommunications networks around the world, some of which are exacerbated by government,” said Kate Robertson, a lawyer and senior researcher at the University of Toronto’s Citizen Lab, who studies digital threats against civil society.

Although the hack apparently targeted US politicians and government officials, experts say plain SMS text messages, the kind offered by most wireless carriers, are not particularly secure because they are unencrypted.

“We are constantly bombarded with concerns about phishing and email scams and malicious links,” said security consultant Andrew Kirsch, a former intelligence officer with the Canadian Security Intelligence Service (CSIS).

“This highlights the fact that the other vulnerability is through our telecommunications, phone calls and text messages.”

Security consultant Andrew Kirsch, a former intelligence officer at CSIS, says the US telecom hack shows that text messages are vulnerable to hackers. (Posted by Andrew Kirsch)

Impact on Canadian businesses is still unknown

CBC News has reached out to the RCMP, the Canadian Centre for Cyber Security and CSIS to ask whether any of the cyber attacks compromised Canadian users or communications companies, but has yet to receive a response.

Earlier this week, the Canadian Centre for Cyber Security issued a joint publication with the United States, Australia and New Zealand with security advice for businesses such as mobile phone providers on “improved visibility and hardening of communications infrastructure.”

CBC News also contacted Canada’s largest mobile phone providers – Bell, Rogers and Telus – to ask if their networks had been targeted and breached in the same attack. Rogers and Telus did not respond before publication.

Bell said it was aware of “a highly sophisticated” attack in the United States and was working with government partners and other telecommunications companies “to identify any potentially related security incidents across our network.”

The carrier says it has seen no evidence of an attack, but continues “to investigate and maintain vigilance.”

Kate Robertson, a lawyer and senior researcher at the University of Toronto’s Citizen Lab, says the cyberattack on the United States highlights the vulnerabilities of telecommunications networks around the world. (Submitted by Kate Robertson)

How these attacks happen

Robertson explained that these attacks are made possible in part because governments have “prioritized the goal of surveillance over the security of the entire network of users.”

She says security researchers have long warned that the legal “back doors” used by governments to monitor crime and spy on landlines and mobile phones can also be “exploited by unwelcome actors”, leaving entire networks of users exposed.

Her colleague at Citizen Lab, Gary Miller, who specializes in threats to mobile networks, says the interconnections between the communications networks of different companies and countries are another weakness.

For example, he said, an international phone call from point A to point B requires an interconnection between network operators, as does international roaming with cell phones.

“And the fact that there is a requirement to open up … these networks to ensure a seamless experience for the user really results in specific vulnerabilities.”

He says that as networks become faster and more reliable, they have also become more secure, but he notes that the security standards for the telecommunications industry, which are required by law, are not strong enough.

“There’s no accountability, you know, for these types of security and incidents,” he said. “And that’s really what’s going to happen.”

Canadian security experts and FBI officials advise people to use encrypted messaging apps for all text messages. (Sean Kilpatrick/The Canadian Press)

Concerns about the security of texts

As a result of this hack, concerns have arisen about the security of text messages.

The FBI has said that those with Android and Apple devices can continue to send texts to users who have the same devices because they have internally secure messaging systems.

However, the agency cautioned against Apple users messaging Android users or vice versa, and instead encouraged users to send text messages through a third-party app that provides end-to-end encryption.

Robertson and Miller recommend that people install these messaging apps, like Signal or WhatsApp, on their phones and use them all the time.

Robertson says Signal gives users access to “a gold-standard form of encryption” that’s very user-friendly, noting that “very similar things can be said about WhatsApp.”

Miller says he prefers Signal because it is a non-profit, while WhatsApp is owned by Meta.

Kirsch says that if people use regular text messages, he recommends that they never write any message that they wouldn’t “put a postcard on and send physical mail” because “once you put that information out into the world, you’ve lost control of it.”

US Deputy National Security Adviser Anne Neuberger, seen at a White House media briefing in March 2022, told reporters this week that the Chinese hackers had accessed communications between senior US government officials but that she did not believe any classified information had been compromised. (Patrick Semansky/The Associated Press)

A political goal and China’s power

In November, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement confirming the existence of “a broad and significant cyberespionage campaign” targeting the United States.

Stephanie Carvin, an associate professor at Carleton University and a former national security analyst, says the hack shows how large and well-funded Chinese espionage operations targeting the West are.

“When you hear about an attack like this, there’s not a target here,” Carvin told CBC News. “With this data, (China) can do a lot of very specific things in terms of targeting, but (it) can also develop general patterns that can help operations along the way.”

According to Neuberger, the deputy national security adviser, the Salt Typhoon hackers were able to access communications from senior US government officials, but during a call with reporters, she said she did not believe any classified communications had been compromised.

Neuberger said the affected companies are all responding, but they have not yet blocked the hackers from accessing the networks.

“So there is a risk of ongoing compromises of communications until U.S. companies address the cybersecurity gaps,” she said.

A spokesman for the Chinese embassy in Washington denied that the country was behind the hacking campaign.

“The United States needs to stop its own cyber attacks against other countries and refrain from using cyber security to slander and defame China,” Liu Pengyu said.