Major hacking of US phone companies means your text messages may not be safe

At least eight US phone companies and dozens of other countries have been affected this week by what a senior White House official has called a Chinese hacking campaign that has raised concerns over the security of text messages.

At a press conference on Wednesday, US Deputy National Security Advisor Anne Neuberger shared details about the scope of the hacking campaign that gave officials in Beijing access to private documents and phone conversations of an unknown number of Americans.

The hacker group known as Salt Typhoon is the one responsible for the attacks against the companies, which reportedly include AT&T, Verizon and Lumen Technologies. White House officials warned the number of telecommunications firms and countries affected could rise.

Canadian cyber security experts who have been paying close attention to the latest breach say some industry practices and government regulations that allow intelligence agencies to access communications systems are part of the problem. These experts and US law enforcement officials recommend that people take action to protect their messages.

“The attacks that took place in the United States are an indication of the historical and ongoing vulnerability of social networks around the world, and some of these vulnerabilities are made worse by the government,” said Kate Robertson, a lawyer and senior researcher at the University of. Toronto Citizen Lab, which studies digital threats to society.

While the hack has focused on US politicians and government officials, experts say standard SMS messages, the kind offered by wireless carriers, are less secure because they are not written.

“We're constantly inundated with concerns about phishing and email scams and malicious links,” said security consultant Andrew Kirsch, a former intelligence officer at the Canadian Security Intelligence Service (CSIS).

“This shines a light on the fact that some of the risks are in our communication by telephone, calls and messages.”

The impact on Canadian companies is still unknown

CBC News has contacted the RCMP, the Canadian Cyber ​​Security Agency​​​​​​ and CSIS to ask if any cyber attacks have put Canadian users or telecommunications companies at risk, but so far have not received a response.

Earlier this week the Canadian Center for Cyber​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​ joint release with the US., Australia and New Zealand with security advice for companies such as mobile phone providers “improved visibility and resilience of telecommunications infrastructure.”

CBC News also contacted Canada's largest mobile phone providers – Bell, Rogers and Telus – to ask if their networks were targeted and breached in similar attacks. Rogers and Telus did not respond before publication.

Bell said he is aware of the “highly sophisticated” attack on the US and is working with government partners and other telecommunications companies to “identify any potentially related security incidents across our networks.”

The telecommunications company says it has not seen evidence of an attack, but continues to “investigate and remain vigilant.”

How did this attack happen?

Robertson explained that these attacks are possible in part because governments have “prioritized the goal of surveillance over the security of every user's network.”

He says security researchers have long warned that official “back doors” used by governments to monitor crime and spy on phone lines and cellphones “could be exploited by unwelcome actors,” leaving entire user networks exposed.

His colleague at Citizen Lab, Gary Miller, focuses on the threats of mobile networks and says that communication between different companies and countries about telecommunications networks is another weakness.

For example, he said, making an international call from point A to point B requires communication between network operators, as does international mobile roaming.

“And the fact that there is a need to open … these networks to ensure a seamless user experience results in certain risks.”

He says that as networks become faster and more reliable, they have also become more secure, but he notes that the security standards in the telecommunications industry required by law are not strong enough.

“There's no accountability, you know, for these kinds of security and incidents,” he said. “And that's what should happen.”

Concerns about document security

As a result of these hacks, concerns have arisen about the security of text messages.

The FBI said those with Android and Apple devices can continue to send texts to users with similar devices because they have secure messaging systems built in.

However, the bureau warned against Apple users sending messages to Android users or vice versa, and instead encouraged users to send messages through a third-party app that provides end-to-end encryption.

Robertson and Miller recommend that people install these messaging apps — like Signal or Whatsapp — on their phones and use them all the time.

Robertson says Signal gives users access to “the gold standard of encryption” that's easy to use, and noted that “the same can be said for WhatsApp.”

Miller says he chooses Signal because it is not for profit, while WhatsApp is owned by Meta.

Kirsh says that if people use standard text messages, he recommends that they never write any message that they can't “put on a postcard and send” because “once you put that information out into the world, you lose control. .”

Politics and power in China

In November, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement confirming the existence of a “broad and significant cyber espionage campaign,” targeting the US.

Stephanie Carvin, an associate professor at Carleton University and a former national security analyst, says the hack shows how large and well-funded China's espionage operations are targeting the West.

“When you hear about an attack like this, there's not a single goal here,” Carvin told CBC News. “With this data, [China] it can do a lot more specific things in terms of targeting, but [it] and it can develop common patterns that can help performance down the road.”

According to Neuberger, the deputy national security adviser, the Salt Typhoon hackers were able to communicate with senior officials of the US government, but when he spoke to reporters, he said he did not believe that any confidential communication was compromised.

Neuberger said the affected companies are all responding, but have not stopped hackers from accessing the networks.

“So there is a risk that there will be further compromises in communications until US companies address the cybersecurity gaps,” he said.

A spokesman for the Chinese Embassy in Washington denied that the country was involved in a hacking campaign.

“The United States must stop cyber attacks on other countries and stop using cybersecurity to slander and slander China,” Liu Pengyu said.