Salt Typhoon Hack Exposes Major Flaw in Cross-Platform Messaging

Due to vulnerabilities exploited by foreign hackers, the FBI and CISA have warned Americans against using unencrypted messaging, especially between iOS and Android devices via RCS.

In October, reports emerged of the massive “Salt Typhoon” cyberattack by Chinese hackers. The Wall Street Journal reported that the hack left two of the most significant American telecommunication companies, AT&T and Verizon, vulnerable. While the attack is believed to have been aimed at spying on people with government and political affiliations, the exposed vulnerabilities remain.

With Apple recently embracing the RCS messaging standard, the vulnerability could potentially compromise unencrypted cross-platform messages between Android and iOS. While RCS does support encryption, it’s only there for Android-to-Android messaging, as mentioned in a recent Samsung press release.

Jeff Greene, the Executive Assistant Director for the Cybersecurity and Infrastructure Security Agency (CISA), has stressed the importance of encryption. With end-to-end encryption, a message remains unreadable even if the data is intercepted. Cyber-security experts and privacy advocates have recommended end-to-end encrypted platforms like WhatsApp, Signal, and iMessage.

Meanwhile, critics have pointed out the irony of the FBI promoting encryption while historically opposing it for investigations. The Communications Assistance for Law Enforcement Act (CALEA) has also been under scrutiny as it allows law enforcement agencies to track people and their communications. As all telecommunication networks must comply with CALEA, these wiretaps and other confidential documents could be at risk, too. However, this has not been confirmed.

What can you do about it?

First of all, don’t use SMS to share any private information. As mentioned before, while Android-to-Android RCS messaging may be encrypted, the same cannot be said about Android-to-iPhone or vice-versa. So, until there is an update on that front, avoid using RCS for cross-platform communication. 

Now for the alternatives: WhatsApp, Signal, and Telegram all use end-to-end encryption as well as disappearing messages for more sensitive communication. But if you want to be more secure, a VPN can help you with that. Moreover, CISA offers a helpful guideline on How to Communicate Securely on Your Mobile Devices, which is worth reading. 
