The US cybersecurity agency CISA today advised using only end-to-end encrypted communications, and stopping the use of SMS-based multi-factor authentication (MFA) and personal VPN services. The advice is contained in a document on best practices for mobile communications and is suitable for everyone, but especially for ‘highly targeted’ individuals, according to the description (pdf).

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) claims that Chinese-linked attackers have managed to gain access to telecom providers’ systems and compromise call data of a “limited number of highly targeted” individuals. According to CISA, it is important that highly targeted individuals immediately secure their communications and assume that all their communications are at risk of being intercepted.

The advisory includes some general recommendations, including using only end-to-end encrypted communications; the agency cites ‘Signal or similar apps’ as an example. Furthermore, it is recommended not to use SMS-based MFA and to opt for the latest phone hardware, as it often contains important security features that older hardware cannot support.

It is also strongly recommended not to use a personal VPN service. “Personal VPNs shift residual risk from your ISP to the VPN provider, which often increases the attack surface. Many free and commercial VPN providers have questionable security and privacy policies.” CISA emphasizes that the advice does not concern VPN solutions with which companies give their employees access to data or applications.

The advice also contains specific recommendations for iPhones and Android phones. For example, iPhone owners are advised to enable Lockdown Mode, use Apple iCloud Private Relay, set up encrypted DNS and ensure that messages are not sent via SMS. Android users are advised to choose manufacturers with a good security track record who provide their phones with security updates for a long time. In addition, the US government recommends using Rich Communication Services (RCS) only if end-to-end encryption is enabled.

In short:

| Recommendation | Details |
|---|---|
| Use End-to-End Encryption | Use apps like Signal for secure communication. |
| Avoid SMS-based Multi-Factor Authentication (MFA) | Opt for stronger MFA methods instead. |
| Refrain from Personal VPN Services | Personal VPNs may increase risk; use company VPNs only. |
| Upgrade Phone Hardware | Latest models provide better security features. |
| Follow Specific Device Recommendations | iPhone users: Enable Lockdown Mode; Android users: Choose reputable manufacturers. |

Last Update: December 26, 2024