
Salt Typhoon, the threat that also targets those with nothing to hide

Dec 12, 2024


Abstract

The Salt Typhoon attack demonstrates that the content of an SMS message cannot be considered confidential, and that a significant part of the world's SMS traffic is monitored. Any application whose security relies exclusively on the confidentiality of a code received by SMS is therefore exposed to attacks. This is particularly true of messaging applications that use a telephone number as an identifier. Depending on the application, hackers can receive your messages, send messages on your behalf and, in some cases, access your conversation history.

This attack proves the importance of choosing applications that, like Olvid, do not rely on a weak identifier (such as a telephone number) to guarantee your security.

The case in brief

On October 25, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement with the FBI[1] indicating the compromise of several civilian telecommunications networks. The designated culprit is Salt Typhoon, an Advanced Persistent Threat (APT), probably affiliated with China's Ministry of State Security[2].

Compromised data includes SMS messages[3], the content of which is accessible in clear text on the operator's network. In a call to NBC News, two FBI officials recommend the use of encrypted instant messaging instead of SMS, whose confidentiality is compromised.

SMS: one of the world's least confidential communication tools

SMS is based on a technology that dates back to the early 90s, and was not designed to guarantee the slightest confidentiality. We already knew about “SIM swapping” attacks, which allow a hacker to spoof your phone number in order to receive your SMS messages. We now know that these SMS messages are probably accessible on a massive scale, and unencrypted, to hackers who tap directly into the networks of certain major ISPs.

Let's face it: the content of an SMS should never again be considered confidential. In other words, it must be assumed that “everyone” has access to it. Even if this is not the case in practice, this approach can help avoid serious setbacks.

How to protect yourself?

Is it enough to follow the FBI's recommendations and use messaging systems that guarantee end-to-end encryption? It may not be as simple as that.

As we pointed out after the hacking of several MPs' Telegram accounts[4], choosing a messaging system whose identifier is a phone number is a poor choice in terms of security. Why is this? Quite simply because the solution will need proof that you are the owner of that phone number. You guessed it: the only way to obtain this proof is to receive a code by SMS, which you then enter into the messaging application to “prove” that you are the owner of the phone number. Anyone who has access to this SMS message can do exactly the same, and can impersonate you. The code sent by SMS must therefore remain confidential if security is to be guaranteed. And as we saw above, nothing sent by SMS can be considered confidential.

To recap: since the content of an SMS message cannot be considered confidential, a messaging system whose security is based solely on the confidentiality of a code received by SMS is ultimately not secure.

The scope of the Salt Typhoon attack is therefore potentially greater than it seems: since your SMS messages can be intercepted, hackers can take control of all your accounts that rely on this type of authentication.

How bad is it, doctor?

Once your account has been spoofed, the consequences depend on the messaging system used: in all cases, your messages will be received by the hacker, and the messages they send will appear to come from you. End-to-end encryption simply can't help. But with some messaging systems, the hacker can even access your entire message history, or your saved photos.

Without authentication, encryption is nothing

This threat concerns not only your account, but also that of each of your contacts. If you can no longer be sure of the identity of your correspondents, if you no longer know with whom you are communicating, end-to-end encryption is meaningless.

SMS still has a long way to go

As we have seen, an SMS should not be the only factor used to secure access to a service. On the other hand, it can still be useful as a second factor, complementing another means of authentication. Adding an SMS cannot reduce the security level of an authentication; on the contrary, it makes the work of hackers more complex, since they have to attack both factors simultaneously. This is why some banks continue to use it as an additional factor to strong password authentication.

Couldn't telephone number-based instant messaging systems follow the path taken by banks and use SMS as a second factor? Not quite so simple. The fundamental problem is that, in these messaging systems, your telephone number is your one and only identifier. Entering a password would require access to a reset procedure, which could only be done via... an SMS. It’s a catch-22 situation.
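The argument of the last two paragraphs, as an added example (not Olvid's code): a small policy audit that computes which compromised factors are enough to take over an account, counting reset procedures as well as login. The factor labels, the three policies and the bank's in-person reset path are assumptions made for illustration.

```python
from itertools import combinations

SMS, PWD, BRANCH = "sms_code", "password", "in_person_id_check"  # labels are assumptions

# Each policy: (factors required to log in, [(factors needed to reset, factors reset)]).
POLICIES = {
    "phone-number messenger": ({SMS}, []),
    "bank, SMS as second factor": ({PWD, SMS}, [({BRANCH}, {PWD})]),  # reset path assumed
    "messenger with password, reset by SMS": ({PWD, SMS}, [({SMS}, {PWD})]),
}

def reachable(capabilities, reset_paths):
    """Factors an intruder controls after using every reset path open to them."""
    known = set(capabilities)
    changed = True
    while changed:
        changed = False
        for required, resets in reset_paths:
            if required <= known and not resets <= known:
                known |= resets  # a reset lets the intruder choose the new value
                changed = True
    return known

def minimal_takeover_sets(login_factors, reset_paths):
    """Smallest sets of compromised factors that are enough to log in as the user."""
    universe = set(login_factors)
    for required, resets in reset_paths:
        universe |= required | resets
    found = []
    for size in range(1, len(universe) + 1):
        for combo in combinations(sorted(universe), size):
            caps = frozenset(combo)
            if any(prev <= caps for prev in found):
                continue  # a smaller set already suffices
            if login_factors <= reachable(caps, reset_paths):
                found.append(caps)
    return found

def audit():
    return {name: minimal_takeover_sets(login, resets)
            for name, (login, resets) in POLICIES.items()}

if __name__ == "__main__":
    for name, sets in audit().items():
        print(f"{name}: " + " | ".join("+".join(sorted(s)) for s in sets))
```

The third policy yields the same result as the first: as long as the password can be reset with an SMS alone, the SMS code remains the only factor that matters.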

Security is only worthwhile if it is shared by all

The concerns raised here are part of a broader issue that can be summed up as follows: who are the intermediaries we need to trust to have a private conversation on the Internet?

This is a fundamental question, underlining the importance of the role played by telecommunications companies and the dangers incurred if they are compromised. In 2022, Twilio suffered a cyber-attack that enabled hackers to access the company's internal systems. Twilio specializes in text messaging, and its customers include companies such as Meta, Uber and the Signal Foundation[5]. Following the attack on Twilio, Signal indicated that the hackers had gained access to “the SMS verification code”[6] of certain users of its messaging system. Fortunately, the hackers did not appear to target Signal specifically (only one user reported a hack on his account), but this attack could have affected all of the messaging system's accounts.

At Olvid, we believe there should be no intermediaries. That's why Olvid's security doesn't rely on any third-party infrastructure. In particular, it doesn't rely on the security of an SMS. As our users know, we've never asked them for their phone number: it would be useless in Olvid.

By completely decentralizing security, Olvid enables everyone to access end-to-end secure messaging, without having to trust anyone or anything.

At last, some good news

In the end, the FBI's recommendations are a step in the right direction. But make no mistake: while end-to-end encryption is a fundamental building block of secure messaging, it is not enough.

Choose a messaging system that also offers end-to-end authentication, without a third party that you have to trust, and therefore without relying on the confidentiality of an unfortunate SMS that never claimed to provide the slightest security. The formula is simple:

end-to-end encryption + end-to-end authentication
=
end-to-end security

In the end, it's easy to get it right. Use Olvid.


Find and share the French version here: https://olvid.io/articles/salt-typhoon/fr/.