By John Gruber
Kevin Collier, reporting for NBC News:
Amid an unprecedented cyberattack on telecommunications companies such as AT&T and Verizon, U.S. officials have recommended that Americans use encrypted messaging apps to ensure their communications stay hidden from foreign hackers.
The hacking campaign, nicknamed Salt Typhoon by Microsoft, is one of the largest intelligence compromises in U.S. history, and it has not yet been fully remediated. Officials on a news call Tuesday refused to set a timetable for declaring the country’s telecommunications systems free of interlopers. Officials had told NBC News that China hacked AT&T, Verizon and Lumen Technologies to spy on customers.
A spokesperson for the Chinese Embassy in Washington did not immediately respond to a request for comment.
In the call Tuesday, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency — both recommended using encrypted messaging apps to Americans who want to minimize the chances of China’s intercepting their communications.
“Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible,” Greene said.
It seems kind of new for the FBI to call encryption “our friend”, but now that I think about it, their beef over the years has primarily been about gaining access to locked devices, not eavesdropping on communication protocols. Their advocacy stance on device encryption has not changed — they still want a “back door for good guys” there. Their thinking, I think, is that E2EE communications are a good thing because they protect against remote eavesdropping from foreign adversaries — exactly like this campaign waged by China. The FBI doesn’t need to intercept communications over the wire. When the FBI wants to see someone’s communications, they get a warrant to seize their devices. That’s why the FBI wants device back doors, but is now encouraging the use of protocols that are truly E2EE. But that’s not to say that law enforcement agencies worldwide don’t still fantasize about mandatory “back doors for good guys”.
Here’s a clunker of a paragraph from this NBC News story, though:
Privacy advocates have long advocated using end-to-end encrypted apps. Signal and WhatsApp automatically implement end-to-end encryption in both calls and messages. Google Messages and iMessage also can encrypt calls and texts end to end.
It’s true that both voice and text communications over Signal and WhatsApp are always secured with end-to-end encryption. But Google Messages is an Android app that only handles text messaging via SMS and RCS, not voice. There’s a “Call” button in Google Messages but that just dials the contact using the Phone app — just a plain old-fashioned unencrypted phone call. (There’s a Video Call button in Google Messages, but that button tries to launch Google Meet.) Some text chats in Google Messages are encrypted, but only those using RCS in which all participants are using a recent version of Google Messages. Google Messages does provide visual indicators of the encryption status of a chat. The RCS standard has no encryption; E2EE RCS chats in Google Messages use Google’s proprietary extension and are exclusive to the Google Messages app, so RCS chats between Google Messages and other apps, most conspicuously Apple Messages, are not encrypted.
iMessage is not an app. It is Apple’s proprietary protocol, available within its Messages app. The entire iMessage protocol was built upon end-to-end encryption — all iMessage messages have been E2EE from the start. Apple also offers FaceTime for voice and video calls, and FaceTime calls are always secured by E2EE.
★ Wednesday, 4 December 2024