FBI Warns Android and Apple Users to Stop Texting

An easy step you can take to protect your privacy.

Before we talk security, let’s talk Christmas lights. I need to know whether you’re team steady lights or team blinking lights. I grew up with twinkling lights on our tree, but I’m fully converted to steady lights.

To gauge public opinion, I googled it and found a post from 1999 (yes, without a 2 in the front) on the first page of results…can confirm that people still trolled in the comments 25 years ago on the Internet.

Anyway, in the cyber world today, we’re covering:

  • Even Santa isn’t safe from losing his job to AI.

  • FBI says stop texting…are they right?

  • The best security news headline of the year.

-Jason

p.s. Tesla released a video of its Optimus robot navigating uneven terrain in what can only be described as a cross between an inebriated college kid and someone who really has to go to the bathroom.

AI Spotlight
ChatGPT, Meet Santa. Santa, Meet ChatGPT

Santa isn’t the only one losing their job to AI. ChatGPT just dropped a new voice option for Santa. To enable, just start a voice prompt and change the voice setting to Santa.

While this feature is presumably for children looking to check if they’re on the naughty or nice list, I decided to test the edges of Santa’s knowledge.

I started with something simple—a quick primer on quantum physics.

Me: Santa, can you describe Quantum physics to me?

Santa: Ho ho ho. My dear friend, quantum physics is quite a magical subject indeed. It talks about the tiniest particles in the universe behaving in ways that seem almost magical. Imagine particles that can exist in multiple places at once and even teleport! It’s a bit like the magic I use to visit all of the children in one night. So, in a way, quantum physics is the science of very small wonders. Ho ho ho, would you like to hear more about the magic of Christmas?

Of course, we can’t do this without a cyber security question. So, I asked Santa for his top three cybersecurity tips.

Me: Santa, what are your top three tips for cyber security?

Santa: Ho ho ho. Even at the North Pole, we take cyber security seriously. Here are three tips:

First: Always use strong, unique passwords
Second: Keep your software up to date
Third: Be cautious with emails and links

Stay safe, and your holiday season will be merry and bright.

Aside from Santa starting his answer like every breach notification (aka we take your security seriously), it’s not a terrible list. Still, it’s probably best to just let children ask whether they’re getting a Red Ryder Range 200 Shot BB gun for Christmas.

Security Deep Dive
The FBI Says Texting Risks Your Privacy

First, some background. In September 2024, the WSJ published an article claiming that Chinese government-linked hackers, known as Salt Typhoon, hacked a bunch of Internet Service Providers (ISPs) and went deep…super deep. In October, another WSJ article outlined the damage caused by espionage, saying the “hackers appear to have engaged in a vast collection of internet traffic.” Fast forward to December, and reports emerged that, in some cases, the attackers could intercept audio and text and that the attackers targeted officials from the presidential campaigns.

As if that weren’t bad enough, Jeff Greene, the assistant director for cyber security at CISA, said in a call, “The scope of the telecom compromise is so significant,” and it was “impossible” for the agencies “to predict a time frame on when we’ll have full eviction.” 

So yeah, it’s bad. China is embedded deep into our communications infrastructure and able to access call and text data.

That’s why, on that call, Jeff Greene issued guidance on using encrypted messaging apps to minimize the chances of China intercepting communications.

Hopefully, you didn’t expect your communications to be private. If you call or send an SMS message, it’s not end-to-end encrypted (E2EE). That means anyone with the right access in your mobile carrier (like China) could access that data. That’s why law enforcement can issue wiretaps and get your information. Not that you have anything to hide…

In contrast, when end-to-end encryption is implemented, data is encrypted on the sender’s device and can ONLY be decrypted by the intended recipient. No one sitting between the two can read the data.

Even if the data was intercepted, it would be encrypted and could not be read. And for the nerds, you can save your “quantum computing will break the encryption” argument for another day.

End-to-end encryption sounds great. How do I use it? The short answer is that if you stay within your Apple or Android ecosystem (e.g., iPhone to iPhone or Android to Android), you’re almost certainly already using end-to-end encryption, and you didn’t even know it. Apple uses iMessage, and Android uses RCS, both of which implement end-to-end encryption. 

When you mix Androids and Apples, that’s where you have problems. Even with Apple’s latest iOS updates that support RCS (Google has been pushing this hard for Android), you may get non-blurry photos and videos, but you don’t get end-to-end encryption. Here’s a quick table to visualize it.

Source

Destination

Protocol

E2EE?

Apple

Apple

iMessage

Yes

Android

Android

RCS

Yes

Android

Apple

SMS

No

Android

Apple

RCS

No

Apple

Android

SMS

No

Apple

Android

RCS

No

You can check the status of end-to-end encryption by viewing the details of your group thread. For example, here are details of a group message between Pixel phones and iPhones. RCS is enabled, but end-to-end encryption is off.

Switch views to an Android-to-Android RCS chat, and end-to-end encryption is enabled.

Good news, there’s an easier way to encrypt your messages. Here’s your cheat code. Use a better messaging app where end-to-end encryption is enabled by default.

My go-to is Signal. It’s easy to set up and use and has many other great privacy features, such as disappearing messages, which auto-delete messages after a certain amount of time. Yay, privacy!

Of course, this all comes down to how worried you are about your privacy. And that’s a personal question. If you don’t want to risk your texts or calls leaking outside your phone, play it safe and use Signal. You just need to ensure that everyone you’re communicating with also uses it.

If 95% of your texts are about the weather or you don’t care about security or privacy…well, you probably wouldn’t be reading this in the first place, so ummm…what are you doing here? Either way, you may not care enough to go through the trouble of using a separate messaging app and convincing your friends to use the same app.

I find a balance between the two works best. If others (or China) see me explaining to my mom why she can’t receive emails when her phone is on airplane mode, all the power to you.

But I'll stick to Signal if I’m discussing something sensitive or confidential, the things I wouldn’t want to appear on CNN’s home page.

So, you do you.

Security & AI News
What Else is Happening?

🤫 The FBI recommends families create a secret word to verify each other. This comes on the heels of attackers using Gen-AI to clone voices and videos of loved ones to socially engineer the family, often in the form of fake kidnappings or asks for money.

🧑‍⚖️ More lawsuits are popping up against Character AI for endangering teenagers. I wrote about this inThe Dark Side of AI Chatbots. This is a trend I hate to see continue. I would much prefer that we invest resources into helping kids build real human relationships instead of living a closed-off world with AI chatbots. Instead, Character AI rolled out more safety features “designed with teens in mind.” This includes safer models that help filter out more sensitive content and parental controls to help parents monitor and limit activities.

🇺🇦 Ukraine’s Computer Emergency Response Team (CERT) released details of ongoing Russian cyber attacks. Russia is targeting credentials for messenger programs like Signal, Telegram, and WhatsApp. This would be a nice way to further social engineering efforts to gain deeper access to systems or data or browse sensitive communications.

🍩 This BBC headline speaks my language, “Hackers find hole in Krispy Kreme Doughnut’s cyber-security.” How can you not love that headline? I just love British humor. Per Krispy Kreme’s 8-K, online ordering in parts of the US is impacted, but in-person orders are still warm and delicious.

🏹 Huntress found that ransomware actors are using a new zero-day exploit against a suite of Cleo file transfer applications. This may give some flashbacks to Clop’s zero day against MoveIT. Thankfully, it’s a little bit different in that it doesn’t allow the attacker just to gain access to the files in the file transfer software. Not thankfully, it instead gives the attacker the ability to write and execute PowerShell commands. This effectively will allow the attacker to take over the system easily.

If you enjoyed this, forward it to a fellow cyber nerd.

If you’re that fellow cyber nerd, subscribe here.

See you next week, nerd!

Reply

or to participate.