Federal officials warned Tuesday that a large-scale Chinese hacking operation against U.S. telecommunications companies has not yet been completely ruled out and that the best way to hide communications from Beijing's spies is to use encryption.
Encryption is a technology that encrypts a message and requires a 'key' to see or hear it.
Various app makers and platforms have been using the technology in various forms for more than a decade, so governments and hackers who intercept it as they pass through telecommunications infrastructure will see nothing but nonsense. While adoption of the technology has historically led to complaints from law enforcement agencies — including the FBI — it is also a way for people to communicate more privately.
Telecommunications companies tend to temporarily store call and text message data – which phone number called or texted when – and they briefly store the contents of text messages. However, audio is generally not recorded. That means it's easier for hackers like those in the Chinese campaign, which Microsoft has nicknamed Salt Typhoon, to obtain vast amounts of phone data and some stored text messages, but they must focus on listening to specific phone calls while they are happening. .
For regular consumers, the easiest way to send encrypted messages or make encrypted calls is to use communication apps like Signal or WhatsApp that have implemented end-to-end encryption between other Signal and WhatsApp users. With end-to-end encryption, each user of an encrypted chat app has the unique code to decipher a message sent to that account. Importantly, the business owner and the app operator do not have access to that key, so they cannot decipher an encrypted message even if a court demands it or if it is hacked.
Signal and WhatsApp automatically protect all their messages that way with Signal's encryption, which cryptographers consider to be among the best commercially available.
Both apps also allow users to make encrypted phone calls to other users over the Internet.
But even without apps like Signal and WhatsApp, many Americans often text with end-to-end encryption enabled, even if they don't know it.
When iMessage users text other iMessage users or Google Messages users text other Google Messages users, those chats are automatically encrypted using the Signal protocol.
But when Google and iMessage users text to users using different texting applications, such as when an iMessage user texts a Google Messages user, the messages are encrypted only with Rich Communications Services, which in the US are all run by Google are decrypted. While that means they are theoretically hidden from telecommunications companies, they are not end-to-end encrypted and can be accessed on Google's orders or by hackers who might break into companies.
For phone calls, Google and Apple offer encryption when the calls are made via their internet-connected calling apps: Google Fi and FaceTime.
Although the controversial app Telegram does offer an option to message users with end-to-end encryption, some leading cryptographers are reluctant to endorse it. They note that some of the code is not available to the public for testing and that it does not encrypt conversations by default.
The FBI began investigating Salt Typhoon in late spring or early summer. The US believes that Chinese intelligence hacked AT&T, Verizon and Lumen Technologies and gained significant access, including phone call and text message data to many people, especially in the Washington, DC area. In some circumstances, affecting members of both the Trump and Harris campaigns, as well as the office of Senate Majority Leader Chuck Schumer DY, they were able to listen in on phone calls.
China denied the accusation, as it routinely does when a Western company or government accuses it of deploying its vast cyberespionage capabilities. A spokesperson for the Chinese embassy in Washington said in an emailed statement that “China firmly opposes the US smear attacks against China without any factual basis.”
This article was originally published on NBCNews.com
