Why has the Federal Bureau of Investigation (FBI) warned iPhone and Android users in the United States against sending text messages? Why has the agency, time and time again, reminded the US citizens that SMS is not end-to-end encrypted and thus poses cybersecurity risks? At the centre of the controversy is the "Salt Typhoon" -- a data intelligence compromise reportedly orchestrated by the Chinese regime.
What is Salt Typhoon data theft?
One of the biggest intelligence compromises in US history, China-empowered hackers is believed to have compromised networks of multiple telecom companies over the months. The incident, which remains to be fully remediated, was called "Salt Typhoon" by Microsoft first.
According to NBC News, China managed to hack telecommunication majors AT&T, Verizon and Lumen Technologies to spy on customers. An FBI source who spoke to Forbes later confirmed that call and text metadata was stolen in the attack extensively.
Salt Typhoon was executed by the Chinese hackers in three stages, US media reports said:
- The first type has been acquiring metadata, call records and logs of Washington D.C. residents, the FBI has reportedly found out.
ALSO READ | Why are cyber experts concerned about data security in India?
- The second has been targeted attacks on individuals whose live phone calls were accessed. Among the people who were warned about the attacks were members of the Kamala Harris and Donald Trump campaigns, the NBC News report said.
- The third has been the strike on telecommunications systems. China used its hackers to target the system America's telecommunication majors use to help law enforcement track people’s communications. However, the FBI has refused to reveal to the press whether any classified material was compromised due to Salt Typhoon.
But how is sending and receiving simple text messages part of this seemingly big international warfare? According to cybersecurity experts, that is where E2EE comes in.
What is end-to-end encryption?
Encryption is the process of transforming readable plaintext into unreadable ciphertext to mask sensitive information from unauthorized users. Organizations regularly use encryption in data security to protect sensitive data from unauthorized access and data breaches. Encryption works by using encryption algorithms to scramble data into an indecipherable format. Only the authorized parties with the right secret key, known as the decryption key, can unscramble the data.
According to IBM, End-to-end encryption (E2EE) is a secure communication process that encrypts data before transferring it to another endpoint. Data stays encrypted in transit and is decrypted on the recipient’s device.
E2EE transforms readable plaintext into unreadable ciphertext by using cryptography. This process helps to mask sensitive information from unauthorized users and ensures that only the intended recipients—with the correct decryption key—can access sensitive data. End-to-end encryption differs from other encryption methods because it provides data security from start to finish. It encrypts data on the sender's device, keeps it encrypted during transmission and decrypts it only when it reaches the recipient's endpoint. This process ensures that service providers facilitating the communications, such as WhatsApp, can’t access the messages. Only the sender and the intended recipient can read them, the report said.
Why FBI issue a warning against sending text messages?
Simply put, SMS messages are not encrypted and thus the FBI is worried.
Without fully end-to-end encrypted messaging and calls, ethical hackers and experts believe, threats can never be ruled out. Thus, privacy experts have always backed people completely switching to end-to-end encrypted apps. WhatsApp uses end-to-end encryption, and so does Signal. "Every device in an end-to-end encrypted chat has a special key that's used to protect the conversation," Facebook has said about its Messenger App.
ALSO READ | Cyber security professionals in India report rising stress amid complex threat landscape
While messaging Android to Android or iPhone to iPhone is secure, messaging from one to the other is not, Forbes pointed out in a report.
