pcworld.com

The FBI says you should use encrypted messaging. But do you need to?


Last week, news broke of an extensive espionage campaign—Chinese hackers infiltrating eight US telecommunications companies and gaining access to text and phone conversations. Not long after, the US Federal Bureau of Investigation (FBI) issued a recommendation: Use encrypted messaging.

At least, that idea dominated headlines around the web. But dig into the news from outlets like the Associated Press and more nuanced information emerges. In particular, the targets were government officials and politicians, with the number affected a “low, couple dozen.”

If you’re like me, an average person who binges Netflix instead of tracking every new geopolitical development as it happens, you may wonder how relevant the FBI’s suggestion is. Also, switching messaging apps is no small feat—downloading them is simple, but convincing friends and family to make the jump is hard.

Ultimately, the answer is that taking the FBI’s advice can’t hurt.

Our infrastructure’s cybersecurity is currently weak, and though the telecom hack already illustrates this point well, we’re vulnerable beyond communications, too. Sectors like energy and transportation are easy targets as well.

The government recommendation to use encrypted communication (specifically end-to-end encrypted, which shields data from start to finish, not merely during select parts of the communication process) is part of a larger body of urging and guidance from the Cybersecurity & Infrastructure Security Agency (CISA) and sister agencies like the FBI on the necessity of strengthening enterprise networks. This hardening helps prevent rogue organizations from breaking in and reduces the potential consequences if a breach occurs.


SMS texts (as indicated by green bubbles on an iPhone) are not a secure method of messaging.

But this kind of upgrade takes time, if it ever materializes. (Such efforts can be limited by how much organizations invest financially, however necessary they are.) And it’s not clear how much easier or more widespread telecom hacking will become. Recall the AT&T data breach from earlier in the year, for example.

So, while you and I may never possess national secrets, our lives still contain details better kept private, and we have to be proactive about guarding them. Financial info, daily habits, usual locations—such information can be exploited for malicious campaigns, or even direct harassment like stalking. Even sensitive work or industry secrets can be worth protecting.

Standard communication systems for texts and calls aren’t equipped to do so yet. Apple and Google both offer forms of encrypted text messaging (iMessage’s blue bubbles for Apple, RCS for Google), but they’re not cross-compatible. If you message someone on the opposite platform, those messages won’t be encrypted.

Instead, the winning move is switching to cross-platform end-to-end encrypted apps like WhatsApp, Messenger, or Signal for more security. (E2EE should be turned on by default, but you can confirm it in the app settings.) Bonus: Audio and video calls are also end-to-end encrypted on these services, so you don’t need a separate app.

(Apple’s FaceTime is safe to continue using, though, as it’s locked to a single ecosystem, so an insecure cross-platform call isn’t possible.)

WhatsApp is one option for apps that offer end-to-end encryption for messages and calls.

There is one potential gotcha to end-to-end encryption, and it comes from the same source as the original recommendation to move to E2EE apps—the FBI wants to see the use of “responsibly managed” encrypted messaging apps.

In other words, they want tech giants such as Meta, Apple, and Google to have a way to access messages if served with warrants. If these companies are ever forced to create such a backdoor for their E2EE apps, it will reduce their security. (A door can always be opened by someone other than the owner or the property manager.) But for now, end-to-end encrypted messaging apps are still the better choice over SMS.

Speaking of improvements over SMS—it doesn’t take a nation-state hacking group to hijack or intercept messages. For that reason, two-factor authentication that relies on SMS messages is considered the weakest form of 2FA and is not recommended unless you must use it. If you’re moving away from SMS as your primary method of communication, upgrade your 2FA methods, too. One-time passcodes generated by an app like Authy, Google Authenticator, or Microsoft Authenticator are a solid boost and a good middle ground if you’re worried about losing a more secure hardware key (e.g., Yubikey).

A good offense is a good defense, so with data breaches ratcheting up in scale and intensity, taking proactive measures may pay off down the road. Is it an immediate, urgent need? For most people, no. But you may as well try it now rather than under more pressing circumstances…and make the mistake of downloading an app that doesn’t have end-to-end encryption on by default.

Author: Alaina Yee, Senior Editor, PCWorld

A 14-year veteran of technology and video games journalism, Alaina Yee covers a variety of topics for PCWorld. Since joining the team in 2016, she’s written about CPUs, Windows, PC building, Chrome, Raspberry Pi, and much more—while also serving as PCWorld’s resident bargain hunter (#slickdeals). Currently her focus is on security, helping people understand how best to protect themselves online. Her work has previously appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine.
