How to Secure Mobile Communications

On 13 Nov, the Cybersecurity and Infrastructure Security Agency & the Federal Bureau of Investigation (FBI) released a statement (https://lnkd.in/ezrFy_4j) on the US government's investigation into PRC targeting of telco infrastructure: “PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues." With the investigation ongoing, folks should take basic steps now to protect their personal communications. With gratitude to CISA's Senior Technical Advisor Bob Lord (https://lnkd.in/e-WxWiFF) consider the below steps: - Enable FIDO authentication or FIDO https://lnkd.in/ezzyha7t for email & social media accounts - Migrate off SMS MFA for all other logins. Migrate to FIDO/passkeys if you can, otherwise to an authenticator app - Use a password manager for all passwords. Use a strong pass phrase (https://lnkd.in/ebPpTAU5) for the vault password. - Set a telco PIN to reduce chances of a SIM-swap attack - Update the OS and all apps and turn on auto update Additional tips: 1. Encrypt all text and voice communications (some options): - Signal works well on iPhones & Android phones. - iMessage is great if all your contacts are within the Apple ecosystem, though that’s limiting - Collaboration suites like Google Workspace or Teams can work but don’t always encrypt as you might assume. For example, Teams encrypts data point-to-point, meaning it’s decrypted on Microsoft’s servers before re-encrypting it to the recipient. If you want end-to-end encryption, there’s an option, but it’s off by default and only supports two people on the call. - WhatsApp might be ok for some people based on their threat model but understand metadata it keeps (https://lnkd.in/eQkP-Ety) & how it's used (https://lnkd.in/eiZmxgi4). 2. If you use an iPhone disable these carrier-provided services that increase the attack surface: - Disable: Settings > Apps > Messages > Send as Text Message - Disable: Settings > Apps > Messages > RCS Messaging > RCS Messaging 3. Protect DNS lookups (some options): - Apple iCloud Private Relay - Cloudflare’s 1.1.1.1 resolver - Quad9’s 9.9.9.9 resolver 4. Use recent hardware: Apple (13 or newer) or Google (Pixel 6 or newer) 5. Depending on your threat model, consider enabling Lockdown Mode on iPhones: It will disable some features, but it’s manageable

What is this global phone hack everyone is suddenly talking about? And do you need to worry about it? Yes, you do. Over the past few weeks, security researchers have flagged a surge in sophisticated mobile-device compromises that target ordinary users with extraordinary precision. The technique varies by region, but the pattern is the same: attackers exploit a combination of caller ID spoofing, social-engineering prompts, and messaging-app vulnerabilities to take control of a device in seconds. How does it work? You receive a call from a number you do not recognise. You answer. And that is it. From that moment, the attacker may gain access to your microphone, camera, messages, authentication codes, cloud backups, and in some cases the full identity layer of your device. They can intercept verification prompts, impersonate you across platforms, and pivot into your corporate systems without raising alarms. Last week the UAE government issued a public advisory warning residents about WhatsApp-based attack chains. Similar methods have now been confirmed in Europe and the US. The target is not only the high-net-worth individual. The target is whoever picks up the phone. This matters to all of us, because the phone in your hand is not the phone you carried ten years ago. It is a full data vault with a camera, microphone, identity wallet, and payment gateway. The attack surface changes daily and the systems that protect you have not kept pace. Here are a few simple but effective safeguards that protect you, your staff, your children, and your parents: 🔹 Never answer a call from a number you do not recognise. If someone wants a legitimate call with you, verify them through a trusted channel. 🔹 If a LinkedIn contact or anyone else asks for “a quick chat” and requests your number, move the conversation to a corporate channel. Ask for a short video call. Legitimate actors agree immediately. 🔹 Keep sensitive communication out of WhatsApp. Meta remains one of the highest-risk mainstream messaging apps due to its closed security model, metadata exposure, and long history of exploit-ready vulnerabilities. Consider alternatives with stronger security design. Signal is one option. Look for robust cryptographic protections and transparent security models. 🔹 Update your device and apps promptly. Many attacks succeed because a patch was available but ignored. 🔹 Teach the basics at home. Children and older adults are prime targets because they answer quickly, trust easily, and may not recognise spoofing. 🔹 Treat any request for codes, passwords, or verification links as an attack. Is this inconvenient? Yup. Is a major breach more inconvenient? Absolutely. Regrettably, our smart phones are no longer harmless tools. They are extensions of identity and work. Treat them with the same caution you would bring to the front door of your home. Stay alert. The threat has changed. Our habits must change with it. Photo by Centre for Ageing Better via Unsplash

Are Your Text Messages Safe? The FBI and CISA encourage Americans to use encrypted messaging apps to protect their communications from threat actors. We rely on messaging for everything—personal chats, business deals, and even two-factor authentication. You should know that your text messages and even phone calls are not as secure as you think. The FBI and Cybersecurity and Infrastructure Security Agency (CISA) recently released information on Chinese government-affiliated threat actors targeting US commercial telecom infrastructure. The hacking campaign, nicknamed Salt Typhoon, is one of the largest intelligence compromises in US history. Text messages sent between iPhones and Androids lack automatic encryption, making them vulnerable to interception by scammers and nation-state hackers. CISA released mobile communications guidance that can help you protect your communications: 🔐Switch to Encrypted Messaging Apps: Use apps like WhatsApp or Signal for end-to-end encryption to keep your conversations private. Consider using features like disappearing messages that can enhance privacy. 🔐Stop using SMS text messages for Multi-Factor Authentication (MFA): SMS messages are not encrypted and can be intercepted by threat actors that have compromised the telecom service provider. Migrate to an app with authenticator codes or use passkeys. 🔐Set a Telco PIN. Most telecom providers offer the ability to set a PIN for your mobile phone account. This PIN is required for logging into your account or completing sensitive operations, such as porting your phone number—a critical step to defend against subscriber identity module (SIM)-swapping techniques. 🔐 Regularly Update Software: Keeping your device software up to date is a simple but powerful defense against security vulnerabilities. Enable automatic updates and frequently verify that devices are running the latest software versions. Whether you’re a government official, or everyday professional, your privacy matters. Take these small steps to make sure your digital life stays secure. What’s your go-to secure messaging app? #CyberSecurity #CISA #EncryptedMessaging #DataPrivacy

Federal Cyber Agencies Warn iPhone Users: Stop Sending Unencrypted Texts Introduction: A Growing Threat to Private Communication U.S. federal cybersecurity agencies are sounding the alarm as commercial spyware becomes more sophisticated, capable not only of intercepting messages but of compromising entire devices. The latest federal guidance urges iPhone and Android users to avoid unencrypted messaging altogether, highlighting a widening security gap between platforms. Key Developments Spyware Escalation • New commercial spyware can access private messages and fully compromise smartphones. • Attackers can obtain passwords, personal files, and other sensitive data stored on the device. Federal Guidance and Platform Limitations • CISA and the FBI warn users to rely exclusively on end-to-end encrypted apps. • Standard texts between iPhone and Android remain vulnerable because SMS lacks encryption. • Google’s RCS protocol includes end-to-end encryption, but Apple still has not committed to adopting it. • As a result, iPhone-to-Android messaging will enter 2026 without any secure default option. Specific Instructions for iPhone Users • CISA advises disabling “Send as Text Message” to prevent messages from falling back to insecure SMS. • Path: Settings > Apps > Messages. • iMessage remains encrypted only between Apple devices; all cross-platform fallbacks expose content. Market Dynamics and Competitive Pressure • Meta CEO Mark Zuckerberg repeatedly cites iMessage as his biggest competitor in the U.S. market. • Apple’s lack of RCS encryption adoption deepens the divide in secure messaging across platforms. Recommended Secure Messaging Choices • WhatsApp remains the best encrypted option for everyday use, despite metadata concerns. • Signal is recommended for highly sensitive conversations. • Signal’s upcoming encrypted cloud backup for iOS strengthens its value for iPhone users. Conclusion: Why This Matters Now The warnings underscore an urgent shift in cybersecurity posture as attackers exploit unencrypted channels and device-level vulnerabilities. Without Apple adopting end-to-end encrypted RCS, millions of users will continue relying on insecure cross-platform messaging. Until industry alignment materializes, users must take proactive steps to protect their communications by switching to modern encrypted apps. The federal government’s message is unambiguous: the security gap is real, growing, and fixable only through consumer behavior and platform modernization. I share daily insights with 34,000+ followers across defense, tech, and policy. If this topic resonates, I invite you to connect and continue the conversation. Keith King https://lnkd.in/gHPvUttw

As you may have read, 8 US telecoms, plus others worldwide, have been confirmed to be compromised by Chinese hackers, who have stolen text messages, call information, and other types of data. So what can you do to protect yourself? My advice: 1. Most importantly, stop using unencrypted communications wherever possible. That means, text and voice communications should be done through more secure channels built with end-to-end encryption, such as iMessage, Signal, and WhatsApp. 2. Use authenticator apps or passkeys instead of SMS-based two-factor authentication. You should regard SMS as a compromised channel, and in fact, it can be used as a way to take over your accounts. 3. Minimize your data exposure footprint. Don't share data with services unless you have to, and limit the permissions you grant to apps. 4. Remember that these are security controls and not fraud controls, so even on encrypted channels you need to carefully vet messages you receive against social engineering, phishing, and other forms of fraud. Finally, officials say that the telecoms continue to be compromised and they don't know when they will be able to expunge the hackers from their systems. In fact, we should always assume those networks are compromised. It will be difficult for them to know when they have found all of the hackers' backdoors, and this is only for the hackers we know about—there can always be others. But taking the above steps to secure your communications will help protect you in any scenario.

Following cyber espionage by PRC-affiliated actors against multiple US-based telcos, #CISA and partners have released guidance for telcos, which offers some clues as to what might have happened. The espionage campaign by PRC-based actor nicknamed Salt Typhoon (presumed to be PRC MSS), enabled theft of customer call data records, private communications of government and political individuals, and copying of lawful intercept information, from AT&T, Verizon, and Lumen. In other words, Salt Typhoon were presumably able to spy on US government comms, track everyone's movements and calls, and see who is being wiretapped - potentially for several years. The "Enhanced Visibility and Hardening Guidance for Communications Infrastructure" was released on Tuesday by #CISA, #NSA, #FBI, and cyber agencies from Australia, NZ, and Canada, and includes advice on how to defend telco networks. The guidance states up front that "no novel activity" was observed - the threat actors exploited existing vulnerabilities. At a high level, the key points for hardening are: 🔒 Do not expose management interfaces to the Internet, and make sure they do not use default passwords! This seems to be a problem in a lot of critical infra. 🔒 Keep management networks separate from data networks, and default deny inbound and outbound network traffic that is not needed. 🔒 Deploy security patches (especially on vulnerable Cisco hardware) - note that these attackers are not using 0-days. 🔒 Log authn, configuration changes, and network traffic on critical interfaces, then send logs encrypted to a central logging system (SIEM). 🔒 Use only strong, approved encryption algorithms. 🔒 Use phishing resistant MFA for accounts accessing sensitive systems. For telco customers (ie. everyone!) this means we need to take attacker-in-the-middle threats seriously. The FBI and CISA have warned that SMS and phone calls are not secure, and you should use an end-to-end encrypted messaging app (eg. iMessage/FaceTime, Signal, WhatsApp). I never thought I would see the day!