The US Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidance urging mobile users in the US to transition away from using unencrypted SMS in light of the threat posed by Chinese-affiliated threat groups like Salt Typhoon. This move comes after an advanced persistent threat (APT) group targeted several US telecommunications firms in a large-scale cyber espionage campaign.
To combat this threat, CISA specifically advised individuals in senior government or political positions to refrain from using unencrypted SMS and instead opt for end-to-end encrypted messaging apps like Signal. Additionally, the Agency recommended replacing SMS-based multifactor authentication (MFA) with phishing-resistant MFA options provided by the Fast Identity Online (FIDO) Alliance. Users were also encouraged to enable MFA across all services, especially social media and platforms offered by major tech companies like Microsoft, Google, and Apple.
For Gmail users, CISA suggested enrolling in Google’s Advanced Protection (APP) program to enhance defenses against phishing and account hijacking. Other security measures outlined in the guidance included using a password manager, setting additional security measures like a PIN or passcode for mobile phone accounts, and regularly updating software and applications.
Furthermore, the Agency cautioned against personal virtual private networks (VPNs), citing potential risks associated with shifting security vulnerabilities to VPN providers. However, it acknowledged that organizations requiring VPN clients for data access have a different use case.
Specific recommendations for iPhone and Android users were also provided in the guidance. iPhone users were advised to enable Apple’s Lockdown Mode and Google Play Protect, while enrolling in Apple iCloud Private Relay. Android users were encouraged to configure Android Private Domain Name System (DNS) to utilize trusted resolvers like Cloudflare’s 1.1.1.1 Resolver, Google’s 8.8.8.8 Resolver, and Quad9’s 9.9.9.9 Resolver for added security.
Overall, the guidance from CISA underscores the importance of implementing stronger security measures to protect mobile users in the US from potential cyber threats. By following these recommendations and transitioning to more secure forms of communication and authentication, individuals can better safeguard their digital information and mitigate risks associated with malicious actors.