A huge hack of U.S. phone companies means your text messages may not be safe
Canadians should consider encrypted messaging services to protect themselves, cybersecurity experts say
At least eight U.S. telecom firms and dozens of countries have been impacted this week by what a top White House official called a Chinese hacking campaign that has also raised concerns about the security of text messaging.
At a media briefing Wednesday, U.S. deputy national security adviser Anne Neuberger shared details about the breadth of a sprawling hacking campaign that gave officials in Beijing access to private texts and phone conversations of an unknown number of Americans.
A group of hackers known as Salt Typhoon is being blamed for the attack targeting companies, which reportedly included AT&T, Verizon and Lumen Technologies. White House officials cautioned that the number of telecommunication firms and countries impacted could still grow.
Canadian cybersecurity experts paying close attention to this latest breach say some industry practices and government regulations that allow intelligence organizations access to the telecommunications system are part of the problem. These experts and U.S. law enforcement officials are recommending that people take action to protect their text messages.
"The attack that is unfolding in the United States is a reflection of historical and continuing vulnerabilities in telecommunication networks around the world, and some of those vulnerabilities are made worse by government," said Kate Robertson, a lawyer and senior researcher at the University of Toronto's Citizen Lab, which studies digital threats to civil society.
Though the hack apparently focused on American politicians and government officials, experts say regular SMS text messages, the kind most wireless carriers offer, aren't very secure because they're unencrypted.
"We are constantly bombarded with concerns about phishing and email scams and malicious links," said security consultant Andrew Kirsch, a former intelligence officer with the Canadian Security Intelligence Service (CSIS).
"This shines a light on the fact that the other vulnerability is through our telecommunications, phone calls and text messages."
Agency 'not aware' of Canadian networks impacted
Communications Security Establishment Canada (CSE), which provides the federal government with information technology security and foreign signals intelligence, said in a statement on Saturday that at this time, it "is not aware of any Canadian networks impacted by this activity."
The agency went on to say that the Canadian Centre for Cyber Security, which is part of the CSE, "works closely with Canadian government partners and critical infrastructure providers to help them protect their networks and systems from cyber threats."
Earlier this week, the Canadian Centre for Cyber Security issued a joint release with the U.S., Australia and New Zealand with security advice for companies like cellphone providers on "enhanced visibility and hardening for communications infrastructure."
CBC News also contacted Canada's largest cellphone providers — Bell, Rogers and Telus — to ask if their networks had been targeted and breached in the same attack. Rogers and Telus did not respond before publication.
Bell said it was aware of "a highly sophisticated" attack in the U.S. and was working with government partners and other telecommunications companies "to identify any potentially related security incidents across our networks."
The telecommunications company says it hasn't seen any evidence of an attack but continues "to investigate and maintain vigilance."
How these attacks happen
Robertson said these attacks are made possible in part because governments have "prioritized the objective of surveillance over the security of the entire network of users."
She said security researchers have been warning for a long time that the legal "back doors" that governments use to monitor crime and espionage over landlines and cellphones can also be "exploited by unwelcome actors," leaving entire networks of users exposed.
Her colleague at Citizen Lab, Gary Miller, who specializes in threats to mobile networks, said the interconnections between different companies and countries in terms of communications networks is another weakness.
For example, he said, placing an international telephone call from point A to point B requires an interconnection between network operators, as does international roaming with mobile phones.
"And the fact that there is a requirement to open up ... these networks in order to ensure a seamless experience for the user really results in specific vulnerabilities."
Miller said as the networks get faster and more reliable, they have also become more secure, but he notes that the security standards for the telecommunications industry required by law aren't strong enough.
"There's no accountability, you know, for these types of security and incidents," he said. "And that's really what needs to happen."
Concerns about safety of texts
As a result of this hack, concerns about the security of text messages have emerged.
The FBI has said those with Android and Apple devices can continue to send texts to users who have the same devices because they have internally secure messaging systems.
However, the bureau warned against Apple users sending messages to Android users or vice versa, and instead encouraged users to send text messages through a third-party app that provides end-to-end encryption.
Robertson and Miller recommend that people install these messaging apps — like Signal or WhatsApp — on their phones and use them all the time.
Robertson said that Signal gives users access to "a gold standard form of encryption" that is very user friendly, and noted that "very similar things can be said about WhatsApp."
Miller said he prefers Signal because it's a non-profit, while WhatsApp is owned by Meta.
Former CSIS officer Kirsch said if people are using regular text messaging, he recommends they never write any message that they wouldn't "put on a postcard and physically mail" because "once you put that information out in the world, you've lost control of it."
A political goal and China's power
In November, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint statement confirming the existence of a "a broad and significant cyber espionage campaign" targeting the U.S.
Stephanie Carvin, an associate professor at Carleton University in Ottawa and a former national security analyst, said the hack demonstrates just how large and well funded Chinese espionage operations directed at the West are.
"When you hear about an attack like this, there's not one goal here," Carvin told CBC News. "With this data, [China] can do a lot of very specific things in terms of targeting, but [it] can also develop general patterns that can help operations down the road."
According to Neuberger, the deputy national security adviser, the Salt Typhoon hackers were able to gain access to communications of senior U.S. government officials, but during a call with reporters, she said she didn't believe any classified communications had been compromised.
Neuberger said the affected companies are all responding, but they haven't yet blocked the hackers from accessing the networks.
"So there is a risk of ongoing compromises to communications until U.S. companies address the cybersecurity gaps," she said.
A spokesperson with the Chinese Embassy in Washington denied the country was behind the hacking campaign.
"The U.S. needs to stop its own cyberattacks against other countries and refrain from using cybersecurity to smear and slander China," Liu Pengyu said.
With files from Peter Zimonjic, The Associated Press and Reuters