China is Listening to Cell Phone Calls and Reading Text Messages

Salt Typhoon

China is Listening to Cell Phone Calls and Reading Text Messages.
In recent months, the cybersecurity community has been shaken by revelations of a massive cyberattack known as the “Salt Typhoon”, attributed to China State Sponsored Groups, which exploited vulnerabilities in global (US) telecom networks. These breaches, which saw attackers using the Communications Assistance for Law Enforcement Act (CALEA) back door to gain unauthorized access to sensitive communications, has raised alarms about the fragility of cell phone and internet infrastructure and the risks it poses to personal and national security.

What’s even more frightening is that, according to the FBI and cybersecurity experts, this attack didn’t just expose metadata but may have allowed malicious actors to intercept actual text messages and voice calls, giving them unprecedented access to private conversations. As of the posting of this blog and to the best of our knowledge, these telecom’s have still not been able to extricate the China backed attackers from their respective networks.

Here, we explore the details of the Salt Typhoon hack, its exploitation of CALEA, the insecurities inherent in traditional text messaging, and how encryption tools like Signal can provide more secure alternatives.

How CALEA Was Exploited in China’s State Sponsored Salt Typhoon Hack
CALEA, enacted in 1994, was designed to ensure that telecommunications companies built networks that could be accessed by law enforcement agencies to monitor communications with the proper legal authorization. Originally intended to help fight crime, the infrastructure intended for lawful surveillance has become a vulnerable target for cyber criminals. The Salt Typhoon breach is a stark example of this vulnerability, with attackers leveraging the very same system that was meant to facilitate legal wiretapping.

According to the FBI’s acknowledgement of the attack, cyber criminals were able to gain unauthorized access to telecommunications data streams through CALEA interfaces, allowing them to not only access metadata—such as call time, duration, and participants—but also the actual content of communications, including text messages and voice calls. This type of surveillance could compromise privacy on a massive scale, underscoring the risks of relying on telecom networks for sensitive communications.
The Insecurity of Text Messaging

Traditional SMS (Short Message Service) and MMS (Multimedia Messaging Service) are deeply vulnerable to interception. These systems transmit messages in plaintext, meaning that if an attacker has access to the network, they can easily read the contents of a message. With no inherent encryption, SMS messages can be intercepted, read, and even altered by malicious actors.
The Salt Typhoon hack further demonstrates the peril of this vulnerability. The telecom infrastructure itself can be compromised, providing access to both metadata and message content. This poses a significant threat to anyone who relies on text messaging for secure communications.

Differences Between Android and iPhone Texting
The text messaging landscape differs between Android and iPhone users, especially in terms of security. Android devices typically rely on SMS/MMS for basic text messaging, which is not encrypted by default. While Android users can enable secure messaging through third-party apps like WhatsApp, Telegram, or Signal, SMS remains the standard for many.

On the other hand, iPhone users rely on iMessage for Apple-to-Apple communication, which offers end-to-end encryption. When both parties use iMessage, the messages are encrypted before they leave the sender’s device and decrypted only by the recipient’s device. However, when iMessages are sent to non-Apple devices, the messages revert to SMS, once again losing the encryption protections.
Though iMessage is more secure than SMS, it still presents vulnerabilities, especially if the device itself is compromised or if an attacker gains access to Apple’s infrastructure.

The Pitfalls of Using Text-Based Two-Factor Authentication (2FA)
Two-factor authentication (2FA) – Something you have (phone) and something you know (password); is a critical security feature used to protect accounts from unauthorized access. Unfortunately, when 2FA codes are delivered via SMS, the system becomes vulnerable to attacks like SIM swapping. In a SIM swap, a hacker tricks a telecom provider into transferring a victim’s phone number to a new SIM card, giving the attacker access to SMS-based 2FA codes.

Given the Salt Typhoon breach, it’s now clear that attackers can potentially intercept these SMS-based codes directly from the telecom infrastructure itself. As the FBI has warned, this increases the risk of unauthorized access to sensitive accounts such as email, social media, and financial platforms. SMS-based 2FA is no longer considered a secure method of protecting accounts.

Secure Alternatives for Texting and Voice Communication
To mitigate the risks of surveillance and hacking, it is crucial to use secure alternatives for both text and voice communications. One of the most effective tools available today is Signal, a free, open-source messaging app that provides end-to-end encryption for text, voice calls, and multimedia messages.
We do not endorse Signal or any other app. Do your research!

How Signal Works
Signal uses the Signal Protocol, which encrypts messages on the sender’s device and decrypts them only on the recipient’s device, ensuring that no one— not even Signal itself— can read the contents of your communication. It also uses strong encryption protocols such as AES-256 to safeguard the integrity of your messages and calls.

What sets Signal apart is that it doesn’t store user data. There is no personal information required to sign up except your phone number, and the app does not retain any messages after they’ve been delivered. This makes Signal an ideal choice for privacy-conscious users looking to secure their communications from hacking and surveillance.

Signal supports encrypted voice and video calls, ensuring that your conversations are secure in real-time. Available for both Android and iPhone users, Signal allows for secure communication between devices on both platforms, offering a truly cross-platform solution.

Calls for Legislative Action: Senator Ron Wyden’s Proposal
The Salt Typhoon hack has sparked concern on Capitol Hill, with lawmakers calling for stronger regulations to protect against similar breaches in the future. Oregon Senator Ron Wyden, a long-time advocate for digital privacy, has called for new legislation to address the vulnerabilities in telecom networks. In his proposal, Wyden stresses the need for stronger encryption standards and a reevaluation of CALEA’s infrastructure to ensure that it doesn’t inadvertently provide a backdoor for cyber criminals.
As Wyden has noted, China’s Salt Typhoon hack highlights the risks of allowing law enforcement access to communications infrastructure without proper oversight. His proposed legislation aims to close security gaps that could lead to unauthorized surveillance, particularly in light of increasingly sophisticated cyberattacks. This is part of a broader movement toward strengthening digital privacy protections and ensuring that citizens’ communications remain secure in the face of growing cyber threats.

The Salt Typhoon hack has shed light on the weaknesses inherent in telecom networks, raising serious concerns about the security of text messaging and voice communications. With attackers able to exploit CALEA and access both metadata and the contents of messages, the vulnerabilities of SMS and MMS are more apparent than ever. The FBI’s acknowledgment of this breach underscores the urgent need for better protection and more secure alternatives.

Encryption tools like Signal offer a viable solution for protecting both text and voice communications. With strong end-to-end encryption, Signal ensures that your messages remain private and secure, shielding you from interception by hackers or surveillance agencies.

As calls for legislative action, including Senator Wyden’s push for reform, continue to gain momentum, it is essential for individuals and organizations to adopt secure communication tools and demand stronger privacy protections. The Salt Typhoon hack is a stark reminder that in the digital age, security must be a top priority.

When will China be extricated from our telecom networks? That remains to be seen.
Stay vigilant my friends!