“New Yorkers expect that their private text messages will be protected,” New York State Attorney General Letitia James warned on Thursday, “as we face a warning of coordinated attacks on our wireless networks.” Every New Yorker, she said, should be “empowered with the information they need to keep themselves safe and their messages private.”
The bottom-line—stop sending text messages and use a fully encrypted app instead. “Remember that most text messaging, including SMS, is not encrypted and therefore could be read by an attacker that gets access to your provider’s network.” This follows similar, nationwide warnings from the FBI and CISA that Americans should use encrypted messaging and calls wherever they can. With China’s Salt typhoon hackers still marauding through networks, the threat has not gone away.
James also warned New Yorkers that not all encrypted platforms are the same. “When selecting a messaging app, make sure you understand what other information the app may collect or send, such as your location and profile picture, and whether that information is also encrypted,” she advised.
This echoes the U.S. cyber defense agency’s advisory this week that encryption on its own is not the full picture, that users should be mindful of the metadata captured and harvested by those apps as well, even if the content itself is secure. CISA called out Signal as a recommendation and did not mention WhatsApp, which is the world’s leading secure messenger. WhatsApp collects metadata where Signal does not, which might be behind this latest twist in U.S. government messaging.
While New Yorkers and all other Americans can stop texting friends, family and colleagues, there will clearly be the usual raft of texts from aging relatives and marketing companies. But “if you have to text,” James warns, “you should avoid sending sensitive information, such as account numbers, medical information, or sensitive photos, and be suspicious of anyone who asks you to do so.”
While these alerts are primarily targeted at standard SMS—a woefully insecure cellular messaging protocol, they have highlighted vulnerabilities in much newer platforms as well. RCS is the successor to SMS, but its standard protocol is also missing the end-to-end encryption that secures user content. That’s why so many headlines have focused on Android and iPhone users not texting each other.
RCS has recently been added to Apple’s iMessage platform, but not with any additional security layer. Currently, iMessage and Google Messages users can securely message to other iMessage or Google Messages users on the same platform, but not from one to the other.
Despite the metadata caution, my advice remains to use WhatsApp as your daily messenger given its reach and to use Signal for anything more sensitive or secure. That’s not to say that WhatsApp can access any of your content, but Signal is materially more locked down.