
Republished on December 5 with additional comments provided by the FBI and reports into US political pressure given the scale of these Chinese cyber attacks.

Timing is everything. Just as Apple’s adoption of RCS had seemed to signal a return to text messaging versus the unstoppable growth of WhatsApp, along comes a surprising new hurdle to stop that in its tracks. While messaging Android to Android or iPhone to iPhone is secure, messaging from one to the other is not.

Now even the FBI and CISA, the US cyber defense agency, are warning Americans to use responsibly encrypted messaging and phone calls where they can. The backdrop is the Chinese hacking of US networks that is reportedly “ongoing and likely larger in scale than previously understood.” Fully encrypted comms is the best defense against this compromise, and Americans are being urged to use that wherever possible.

The network cyberattacks, attributed to Salt Typhoon, a group associated with China’s Ministry of Public Security, have generated heightened concern as to the vulnerabilities within critical US communication networks. The reality is different. Without fully end-to-end encrypted messaging and calls, there has always been a potential for content to be intercepted. That’s the entire reason the likes of Apple, Google and Meta advise its use, highlighting the fact that even they can’t see content.

According to a senior FBI official, “within the investigative activity, especially one this significant and this large, the facts will evolve over time… The continued investigation into the PRC targeting commercial telecom infrastructure has revealed a broad and significant cyber espionage campaign.” This campaign, he warned, “identified that PRC affiliated cyber actors have compromised networks of multiple telecom companies to enable multiple activities,” confirming that “the FBI began investigating this activity in late spring and early summer of this year.”

The FBI official warned that citizens should be “using a cell phone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant MFA for email, social media and collaboration tool accounts.”

As reported by Politico, CISA’s Jeff Greene added to this, “strongly urging Americans to ‘use your encrypted communications where you have it… we definitely need to do that, kind of look at what it means long-term, how we secure our networks’.”

In terms of what is known about the Salt Typhoon attacks thus far, while the FBI official warned that widespread call and text metadata was stolen in the attack, expansive call and text content was not. But “the actors compromised private communications of a limited number of individuals who are primarily involved in the government or political activities. This would have contained call and text contents.”

The scale of the hacking campaign and the implications for US critical infrastructure and the security of its networks have created an unsurprising political storm. As reported by Reuters, “US government agencies held a classified briefing for all senators on Wednesday on China's alleged efforts known as Salt Typhoon to burrow deep into American telecommunications companies and steal data about U.S. calls.” Following the briefing, “US senators vow[ed] action.”

Reuters also reported that “a Senate Commerce subcommittee will hold a December 11 hearing on Salt Typhoon and how ‘security threats pose risks to our communications networks, and review best practices.’ There is growing concern about the size and scope of the reported Chinese hacking into U.S. telecommunications networks and questions about when companies and the government can assure Americans over the matter.”

During Tuesday’s original media briefing, CISA’s Greene reportedly suggested “that Americans should use encrypted apps for all their communications,” (1,2). That means stop sending texts iPhone to Android, albeit iMessages and Google Messages are fully encrypted while on those platforms.

Greene added that “our suggestion, what we have told folks internally, is not new here: encryption is your friend, whether it's on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible.”

An alert on the ongoing telco network hacks, jointly issued by the FBI, CISA and NSA as well as other Five Eyes agencies, was released on Tuesday.

The lack of end-to-end encryption to protect cross-platform RCS, the successor to SMS, is a glaring omission. It was highlighted in Samsung’s recent celebratory PR release on the success of RCS, which included the caveat that only Android to Android messaging is secured. It remains a stark irony that while Google and Apple separately advise Android and iPhone users to rely on end-to-end encryption, when it comes to RCS it’s still missing, with no timeline in sight for a fix.

The mobile standard setter, GSMA, and Google have said encryption will be coming to RCS, but there’s no firm date yet. That assurance seemed to be a response to the backlash that followed Apple’s update, with the media picking up on the security issue. Apple, whose iPhone ecosystem includes ever more full encryption, has not commented.

There is an ironic twist to these warnings. As PC Mag commented, “this push to use end-to-end encryption is ironic since the FBI has long complained that the same technology can stymie their investigations into seized smartphones and online accounts belonging to criminal suspects.”

Given this, the FBI’s precise wording is critical, with an emphasis on responsible encryption that has been mostly overlooked in reports. Responsible in this context means providing access to user data through lawful requests, including—potentially—content. While this may come across as a subtlety, it is anything but. This rules out many of the largest, best-known messaging platforms, such as WhatsApp and Signal, as they cannot provide access to any content absent an endpoint (device) compromise, accessing the data at one end of the end-to-end encryption.

That said, my advice remains to use the fully encrypted WhatsApp over RCS for any cross-platform messaging, at least until such a time as RCS adds its own full encryption between iPhones and Androids. Once you step outside Apple’s or Google’s walled gardens, these security protections fall away. With many good secured platforms now readily available, it’s not worth taking the risk. The need for full security has never been greater given the ongoing cyber threat landscape.

There are other fully encrypted platforms as well—notably Signal, the best of the bunch, albeit with a much smaller install base. Even Facebook Messenger now fully encrypts messaging, making standard SMS/RCS texting even more an outlier. Signal and WhatsApp also enable fully encrypted voice and video calls cross platform, and so they should also be your default choices given this FBI/CISA warning.

Ironically, Apple’s iOS 18.2, due this month, will enable iPhone users to change the default messenger on their devices from iMessage. Timing really is everything.