Stay Safe with Your Digital Tools

Staying safe with your digital tools – Here we go again.

A recent warning from the US Government (from the FBI and CISA, the Cybersecurity and Infrastructure Security Agency) suggests that we delete some messaging apps that leave us compromised or make us easy targets for theft. We must also keep our devices up to date with the latest firmware downloads.

Government agencies believe that hackers affiliated with China’s government, called Salt Typhoon, are waging a cyber-espionage campaign to steal data, record calls, and infiltrate commercial telecoms. 

Texting across open cellular networks with SMS (Short Message Service) or RCS (Rich Communication Services) is a security risk: the messages are not encrypted end-to-end, so they can be intercepted and read by carriers and unauthorized parties. RCS does allow more advanced features than SMS and aids communication between Apple and Android devices, but it lacks encryption. This is particularly problematic as several U.S. telecom firms, including AT&T and Verizon, and dozens of nations have been impacted by a Chinese hacking campaign. Google Messages sent to other Google users are encrypted. Remember that you lack encryption when using these services. Do not use SMS for second-factor authentication or even a one-time passcode.

RCS text messages can be sent to non-Apple devices as well as another iPhone or another Apple device with Text Message Forwarding turned on. With RCS, you can send texts, high resolution photos and videos, links, and more. RCS also supports delivery and read receipts and typing indicators. RCS messages appear in green text bubbles on your device. You can use it, just don’t share sensitive information. 

SMS/MMS messages appear in green text bubbles on your device.

Use apps like Signal or WhatsApp, which provide encrypted transmission. If your text is intercepted, it will be useless to adversaries. Signal is available for Android and iPhones from its website. WhatsApp is available in Google Play or the App Store.

Another problematic issue is using VPNs (Virtual Private Networks). Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface.

Earlier this year, specialist website Top10VPN tested the “100 most popular free Android VPN apps in the Google Play Store… with 2.5 billion worldwide installs between them,” and found the following issues:

  • More than 10% of the apps “suffered encryption failures.”
  • Almost 90% of the apps “suffered some kind of leak.”
  • Almost 70% of the apps “requested at least one privacy-risking permission.”
  • Almost one in three of the apps abused permission requests.
  • Almost three-quarters of the apps “shared personal data with third parties.”
  • Almost 20% of the apps were flagged as malware by anti-virus scanners.

The takeaways:

  • Always keep the software on your devices updated. Set your devices for automatic updates.
  • Use iMessage for secure messaging between Apple devices.
  • Use Google Messages for Android to Android.
  • Use Two-Factor Authentication (2FA) when you can.
  • Best not to use VPNs unless you must, and then only use ones from the App Store or Play Store. Never use ones from China. Use ones only from well-known developers who can be researched and verified. Low-cost VPNs are probably worth what you paid for them. Free versions should come with a warning – Danger.
  • Other advice includes locking phones, SIMs and carrier services (such as voicemail) with a PIN wherever available. “This PIN is required for logging into your account or completing sensitive operations, such as porting your phone number—a critical step in countering SIM-swapping techniques.”

The good news for people who use Apple phones is that iMessage and FaceTime are also already end-to-end encrypted, says Jason Hong, a professor at Carnegie Mellon. For Android phones, encryption is available in Google Messages if the senders and recipients all have the feature turned on. 

From an article in Forbes, Zak Doffman, December 21, 2024
